Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.2. High-Yield Topics by Domain Weight

Not all topics are equally likely to appear, and without understanding which areas carry the most weight, you risk spending final review time on low-frequency topics while high-frequency ones go under-rehearsed. Think of this section like a study triage guide: imagine you have four hours before your exam — where do you put them? Unlike a uniform review of all 60 subsections, this prioritisation helps you maximise expected score per hour invested. Consider that misreading the difference between Latency routing and Geolocation routing could cost you two or three questions clustered around the same misconception.

Use exam domain weights plus historical question patterns to prioritize your final review.

Domain 1 — Monitoring, Logging, Remediation, Performance (22% = ~11 questions):

Focus areas ranked by frequency:

  • CloudWatch alarms configuration (period, evaluation periods, datapoints-to-alarm, composite alarms)
  • CloudWatch agent for memory/disk metrics (missing by default — agent required)
  • EventBridge rule patterns for automated remediation
  • CloudTrail vs. CloudWatch Logs — which records what
  • X-Ray for distributed tracing (annotations vs. metadata)
  • EBS gp2 vs. gp3 selection and IOPS configuration
  • RDS Proxy for Lambda connection exhaustion

Domain 2 — Reliability and Business Continuity (22% = ~11 questions):

Focus areas:

  • EC2 Auto Scaling policy types and lifecycle hooks
  • ELB health check types (EC2 vs. ELB health checks for ASG)
  • RDS Multi-AZ vs. read replicas — HA vs. scaling
  • Route 53 routing policies (Latency vs. Geolocation is a common trap)
  • DR strategy selection by RTO/RPO
  • AWS Backup with cross-account and Vault Lock
  • DynamoDB PITR (not enabled by default)

Domain 3 — Deployment, Provisioning, Automation (22% = ~11 questions):

Focus areas:

  • CloudFormation: DeletionPolicy, WaitCondition/CreationPolicy, drift detection, StackSets
  • CDK relationship to CloudFormation (cdk synth → CF template)
  • Deployment strategies: blue/green vs. canary vs. rolling
  • Systems Manager: Session Manager vs. Run Command vs. Patch Manager
  • AWS Config: detective vs. preventive controls; Config vs. IAM/SCP for prevention
  • RAM for resource sharing vs. StackSets for template deployment

Domain 4 — Security and Compliance (16% = ~8 questions):

Focus areas:

  • IAM policy evaluation order (explicit deny → SCP → permission boundary → identity → resource)
  • Permission boundaries: restrict but don't grant
  • SCPs: apply to member accounts, not management account
  • KMS: encryption at rest, key rotation, RDS encryption at creation time
  • GuardDuty vs. Inspector vs. Macie — which detects what
  • Secrets Manager rotation mechanics (AWSCURRENT/AWSPENDING/AWSPREVIOUS)
  • ACM: can't export public certs, CloudFront needs us-east-1 cert

Domain 5 — Networking and Content Delivery (18% = ~9 questions):

Focus areas:

  • Security groups (stateful, no explicit deny) vs. NACLs (stateless, explicit deny, ephemeral ports)
  • VPC endpoints: gateway (S3/DynamoDB, free) vs. interface (PrivateLink, cost)
  • VPN tunnel redundancy (one UP, one DOWN is normal)
  • Route 53: health checks required for failover; Latency ≠ Geolocation
  • CloudFront: OAC for S3, Lambda@Edge vs. CloudFront Functions
  • Global Accelerator for non-HTTP / static IP requirements
  • Flow logs: no entries = routing problem, not filtering

Written by Alvin Varughese
Founder, 15 professional certifications