Step 5: Security, Monitoring & Architecture
This final step covers the layers that protect, observe, and govern your AWS workloads, plus the architectural patterns that tie everything together. Security and the Well-Architected Framework appear throughout the entire exam, not just in their dedicated domains.
AWS Security Services
KMS (Key Management Service)
KMS manages encryption keys used to protect data across AWS services. It's the answer to almost every "how do you encrypt data at rest?" exam question.

Customer Managed Keys (CMK)
- You create and manage the key
- Full audit trail in CloudTrail
- Rotate automatically once per year
- ~$1/month per key + $0.03/10,000 API calls

AWS Managed Keys
- Created by AWS on your behalf (e.g., "aws/s3", "aws/rds")
- Cannot be used directly; only via integrated services
- Free, rotated every year automatically

AWS Owned Keys
- Fully controlled by AWS. You have no visibility. Free.

Envelope Encryption (the pattern KMS uses):
1. Generate a Data Encryption Key (DEK) from KMS
2. Use the DEK to encrypt your data (fast, local)
3. KMS encrypts the DEK with your CMK (the key-encrypting key)
4. Store the encrypted DEK alongside the encrypted data
5. To decrypt: KMS decrypts the DEK, then the DEK decrypts the data

This way KMS never sees your raw data. Only the small DEK passes through KMS.
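The five steps above as an added Go example; this is not AWS or KMS code. A local 32-byte `cmk` slice stands in for the customer managed key that in the real service never leaves KMS, and AES-256-GCM is assumed for both the data encryption and the DEK wrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored: the DEK wrapped under the CMK, beside the data
// encrypted under that DEK (steps 3-4). Only the 32-byte DEK ever reaches KMS.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// gcm builds AES-256-GCM; all keys here are 32 bytes, so this cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh nonce per message; crypto/rand cannot fail here
	return g.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], nil) // tampering fails the tag
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt: make a DEK (1), encrypt data locally with it (2), wrap the DEK under the
// CMK (3). In AWS the wrap happens inside KMS (GenerateDataKey), not in your code.
func Encrypt(cmk, data []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{WrappedDEK: seal(cmk, dek), Ciphertext: seal(dek, data)}
}

// Decrypt: unwrap the DEK with the CMK (KMS Decrypt), then decrypt locally (5).
func Decrypt(cmk []byte, e Envelope) ([]byte, error) {
	dek, err := open(cmk, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

A wrong CMK or any modified byte of the stored envelope fails at the GCM authentication step rather than producing garbage plaintext.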
KMS Multi-Region Keys: Replicate a key to secondary regions. Decryption in region B works with ciphertext encrypted in region A. Used for global Aurora databases and cross-region data compliance.
Secrets Manager vs SSM Parameter Store
| Secrets Manager | SSM Parameter Store |
|---|---|
| Specifically for secrets | General config + secrets |
| Auto-rotation built-in (RDS, Redshift) | Rotation via Lambda (manual setup) |
| ~$0.40/secret/month | Free (Standard); $0.05/advanced parameter |
| Cross-account access via resource policy | Limited cross-account |
| Better for database credentials | Better for non-secret config |

Exam pattern: "RDS credentials need to rotate automatically" → Secrets Manager. "Store EC2 configuration values" → SSM Parameter Store.
WAF, Shield, and GuardDuty
AWS WAF (Web Application Firewall): Filters HTTP/HTTPS traffic based on rules: block SQL injection, XSS, specific IPs, geo locations, rate limits. Deploys in front of ALB, API Gateway, or CloudFront.
AWS Shield
- Standard (free, automatic): Protects against most common Layer 3/4 DDoS attacks
- Advanced ($3,000/month): 24/7 DRT support, cost protection, enhanced detection, protects ALB/EC2/CloudFront/Route 53
Amazon GuardDuty: Threat detection service. Analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for suspicious patterns (crypto mining, credential theft, unusual API calls). No agents required. Findings are sent to EventBridge.
Amazon Inspector: Automated vulnerability scanning for EC2 instances and container images (ECR). Scans for CVEs and network reachability issues. Integrates with Security Hub.
Amazon Macie: Uses ML to discover and protect sensitive data in S3 (PII, financial data, credentials). Sends findings to Security Hub and EventBridge.
IAM Advanced Concepts
Permission Boundaries: The maximum permissions a user or role can have, regardless of what their policies allow. Use them to delegate administration: "Allow a developer to create IAM roles, but only with permissions that don't exceed X."
Service Control Policies (SCPs): Applied at the AWS Organizations account or OU level. Cap the maximum permissions for all principals in that account. Even the root user is subject to SCPs.
IAM Access Analyzer: Identifies resources (S3 buckets, IAM roles, KMS keys) that are accessible from outside your account or organization. Run it before every production deployment.
ABAC (Attribute-Based Access Control): Tag-based permissions: "Allow EC2 actions if the resource tag Project matches the user's tag Project." Scales better than RBAC for large teams.
CloudWatch: Observability
CloudWatch is the unified monitoring platform for AWS. It covers metrics, logs, alarms, dashboards, and synthetic monitoring.
CloudWatch Metrics
Every AWS service publishes metrics automatically (EC2 CPU, RDS connections, Lambda errors). Key details:
- Default EC2 metrics: every 5 minutes
- Detailed Monitoring (opt-in): every 1 minute, adds to cost
- Custom Metrics: Push your own application metrics via the SDK. Standard resolution (1 min) or High Resolution (1 second, extra cost)
CloudWatch Alarms
Metric → Alarm Threshold → State Change → Action

States:
- OK (metric within threshold)
- ALARM (metric breached threshold)
- INSUFFICIENT_DATA (not enough data)

Actions:
- SNS notification (email, SMS, Lambda trigger)
- Auto Scaling action (add/remove instances)
- EC2 action (stop, terminate, reboot)

Composite Alarms: Combine multiple alarms with AND/OR logic to suppress alarm noise: "only alert if CPU > 80% AND disk > 90%."
CloudWatch Logs
Collect, store, and search log data from any source:
Log Group (e.g., /aws/lambda/my-function)
- Log Streams (one per function instance or EC2 instance)
  - Log Events (individual log lines with timestamp)

Log Insights: SQL-like query language to analyze logs. Search across multiple log groups in a single query.
Subscription Filters: Stream log data in real time to Kinesis Data Streams, Kinesis Firehose, or Lambda for processing/archiving.
Metric Filters: Extract numeric values from log lines and turn them into CloudWatch metrics. Example: count "ERROR" occurrences per minute → alarm when > 5.
Log Retention: Default: never expires. Set explicit retention (7 days to 10 years) to control cost. Logs that expire are automatically deleted.
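The metric filter example above ("ERROR" per minute, alarm when > 5) as an added Go example; this is not CloudWatch code. The constructed log lines and their "timestamp level message" layout are assumptions; the filter semantics (whole-word term match, one data point per minute) and the alarm comparison follow the text.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// Constructed sample events in a "<RFC3339 timestamp> <level> <message>" layout;
// this is not real CloudWatch output. Six errors fall in 14:32, one in 14:33.
const sampleLog = `2024-05-01T14:32:07Z ERROR db timeout
2024-05-01T14:32:09Z INFO request ok
2024-05-01T14:32:15Z ERROR db timeout
2024-05-01T14:32:20Z ERROR db timeout
2024-05-01T14:32:31Z ERROR db timeout
2024-05-01T14:32:40Z ERROR db timeout
2024-05-01T14:32:58Z ERROR db timeout
2024-05-01T14:33:02Z ERROR db timeout`

// ErrorsPerMinute plays the metric filter with pattern "ERROR": whole-word term
// match, value 1 per matching event, one data point per minute (standard resolution).
func ErrorsPerMinute(log string) map[time.Time]int {
	counts := map[time.Time]int{}
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil || !strings.Contains(" "+line+" ", " ERROR ") {
			continue // unparseable timestamp, or no ERROR term: filter does not match
		}
		counts[ts.Truncate(time.Minute)]++
	}
	return counts
}

// Breaches plays the alarm: every minute whose count exceeds threshold would put it
// in ALARM. Quiet minutes have no data point at all, so an alarm on this metric
// should treat missing data as "notBreaching" rather than INSUFFICIENT_DATA.
func Breaches(counts map[time.Time]int, threshold int) []time.Time {
	var out []time.Time
	for minute, n := range counts {
		if n > threshold {
			out = append(out, minute)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Before(out[j]) })
	return out
}
```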
CloudTrail: Audit and Compliance
CloudTrail records every API call made in your AWS account: who did what, from where, and when.

API Call: "alice@company.com deleted S3 bucket my-bucket at 14:32:07 UTC from IP 203.0.113.5"
→ CloudTrail Management Event
→ Recorded in CloudTrail Event History (90-day free retention)
→ CloudTrail Trail → S3 bucket (unlimited retention, you pay for S3)

Trail Types
Management Events: Control plane operations (create/delete/modify resources). Logged by default. Free for the first copy.
Data Events: Data plane operations (S3 object-level: GetObject, PutObject; Lambda invocations). Must be explicitly enabled. Additional cost.
Insights Events: Automatically detects unusual write API activity. Alerts when call rates deviate from the baseline.
CloudTrail Lake: Managed audit log storage with SQL query capability. Retention up to 7 years. Replaces the old pattern of CloudTrail → S3 → Athena.
Multi-Region Trail: A single trail that captures events from all regions. Best practice for compliance. Enable "Include global service events" to capture IAM, STS, and CloudFront events (which always log to us-east-1).
Cost Optimization Deep Dive
EC2 Cost Strategies
| Option | Best for | Savings |
|---|---|---|
| On-Demand | Unpredictable, short-term workloads | No discount |
| Reserved Instances | Steady-state 24/7 workloads | 30-60% |
| Savings Plans | Flexible compute across EC2/Fargate/Lambda | 20-66% |
| Spot Instances | Fault-tolerant batch/ML | Up to 90% |

Rightsizing: Use Compute Optimizer (free) to identify oversized instances. A t3.large running at 5% CPU average is burning money. Rightsizing alone typically saves 20-30% of EC2 costs.
Cost Allocation Tags: Tag resources with Project, Team, Environment. Enable cost allocation tags in the Billing console. Then filter Cost Explorer by tag to see which team is spending what.
AWS Budgets: Set budgets for cost, usage, reservations, or Savings Plans. Alert via email or SNS when forecasted spend exceeds the threshold.
Trusted Advisor: Automated checks across cost optimization, security, fault tolerance, performance, and service limits. The free tier has 7 checks; Business/Enterprise support unlocks all 115+.
Data Transfer Costs (Often Overlooked)
- Inbound to AWS: FREE
- Within the same AZ (same region): FREE (between EC2 and other services)
- Between AZs (same region): $0.01/GB in each direction
- Between regions: $0.02-0.09/GB
- To the internet: $0.09/GB (first 10 TB/month)

Design implication: If your application has high cross-AZ data transfer, consolidating hot data access within one AZ can save meaningfully. EFS, S3, and managed services are regional by design and don't incur AZ-crossing costs.
Well-Architected Framework: Design Patterns
The Well-Architected Framework provides architectural best practices across six pillars. The exam maps many questions directly to these principles.
Reliability Design Patterns
Multi-AZ Everything: RDS Multi-AZ, ALB spanning AZs, ASG across subnets in multiple AZs. Single-AZ is a single point of failure.
Circuit Breaker: If a downstream service fails, stop calling it temporarily. Prevents cascading failures. Implemented via Application Load Balancer health checks or a service mesh.
Bulkhead: Isolate resources to prevent one failing component from consuming all capacity. Separate thread pools, separate queues, separate Lambda concurrency reservations per function.
Performance Efficiency Patterns
Caching Architecture:
User → CloudFront (CDN cache) → API Gateway (API cache) → Lambda → ElastiCache (data cache) → RDS (source of truth)

Each cache layer reduces calls to the next, more expensive layer.
Serverless First: Lambda + DynamoDB scales from 0 to millions of requests automatically. No idle EC2 costs. The default choice for event-driven, API, and scheduled workloads.
Security Design Patterns
Defence in Depth:
Internet → WAF → CloudFront → ALB (Security Group) → EC2 (Security Group)
- Private Subnet (NACL, no IGW)
- RDS (Security Group)

Zero Trust Networking: Never trust, always verify. Use IAM roles for service-to-service auth. Use VPC endpoints to keep traffic off the public internet. Enable PrivateLink for SaaS integrations.
Operational Excellence Patterns
Infrastructure as Code: CloudFormation or CDK. Every resource created manually in the console is a risk. Reproducible, version-controlled infrastructure is a first-class exam answer for "how to manage environments consistently."
Runbooks as Lambda Functions: Automate operational tasks (rotate keys, restart failed services, clear cache) via Lambda triggered by CloudWatch alarms. Reduces mean time to resolution (MTTR).
Cost Optimization Patterns
Serverless for Bursty Workloads: Lambda is free at zero load; EC2 isn't. Match the billing model to the workload shape.
S3 Intelligent-Tiering + Lifecycle: Let AWS manage storage class transitions instead of manually predicting access patterns.
Spot + On-Demand Hybrid ASG: Base capacity on On-Demand Reserved Instances, overflow on Spot. This architecture achieves 50-70% cost reduction vs all-On-Demand at high scale.
SAA-C03 Exam Summary: The Pattern Library
The SAA-C03 exam is a pattern recognition test. Here are the most frequently tested mappings:
| Requirement | Solution |
|---|---|
| High availability for web app | ALB + ASG across 2+ AZs |
| Relational DB failover | RDS Multi-AZ |
| Read-heavy relational workload | RDS Read Replica |
| Cross-region relational DR | Aurora Global Database |
| Millions of small items, single-digit ms | DynamoDB |
| Serverless API | API Gateway + Lambda |
| Decouple and retry | SQS with DLQ |
| Fan-out to multiple services | SNS + SQS |
| React to AWS events | EventBridge |
| Serve static site globally | S3 + CloudFront |
| Block DDoS attacks | AWS Shield + WAF |
| Detect threats automatically | GuardDuty |
| Audit API calls | CloudTrail |
| Monitor metrics + alerts | CloudWatch |
| Encrypt data at rest | KMS + SSE |
| Rotate database credentials | Secrets Manager |
| Private EC2 downloads from internet | NAT Gateway |
| Connect two VPCs | VPC Peering |
| Connect many VPCs and on-premises | Transit Gateway |
| Block specific IP at subnet level | NACL Deny rule |
Study these patterns until you can answer in under 10 seconds. That's the pace the exam requires.