Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
8. Glossary
- ACM (AWS Certificate Manager): Provisions, manages, and renews SSL/TLS certificates for use with AWS services like ALB, CloudFront, and API Gateway. Public certificates are free and auto-renew with DNS validation. Cannot be exported for direct installation on EC2.
- ACM Private CA: Paid service for issuing private TLS certificates for internal services. Unlike public ACM certificates, private CA certificates can be exported.
- Alias Record: A Route 53 DNS record type that points directly to an AWS resource (ALB, CloudFront, S3 static website) without using a CNAME. Works at the zone apex and incurs no extra query charges.
- ALB (Application Load Balancer): Layer 7 (HTTP/HTTPS) load balancer supporting path-based, host-based, header, query string, and source IP routing rules. Does not preserve client source IP (uses X-Forwarded-For header).
- AMI (Amazon Machine Image): A snapshot of an EC2 instance's root volume plus metadata. Two types: EBS-backed (can be stopped/restarted) and instance store-backed (ephemeral, cannot be stopped).
- Amazon Aurora: A MySQL/PostgreSQL-compatible relational database storing 6 copies of data across 3 AZs. Supports up to 15 read replicas with sub-30-second failover. Aurora Serverless v2 scales compute in fine-grained increments.
- Amazon Aurora Global Database: Provides low-latency read replicas across regions with disaster recovery in under 1 minute.
- AppSpec File: YAML configuration file used by CodeDeploy to define deployment lifecycle hooks (BeforeInstall, AfterInstall, ApplicationStart, ValidateService).
- Auto Scaling Group (ASG): Maintains a fleet of EC2 instances between minimum and maximum counts. Supports five scaling policy types: Target Tracking, Step Scaling, Simple Scaling, Scheduled Scaling, and Predictive Scaling.
- AWS Backup: Centralized backup service providing a single control plane for policy, scheduling, retention, and compliance reporting across EC2, RDS, EFS, DynamoDB, S3, and FSx.
- AWS Backup Audit Manager: Generates compliance reports showing which resources are backed up, backup frequency, and retention periods.
- AWS Backup Vault Lock: WORM protection on backup vaults. In compliance mode, no one (not even root) can delete recovery points before the retention period expires.
- AWS CDK (Cloud Development Kit): Defines infrastructure using programming languages (TypeScript, Python, Java) that synthesize into CloudFormation templates. Three construct levels: L1 (Cfn, low abstraction), L2 (AWS, medium), L3 (Patterns, high).
- AWS Client VPN: Managed client-to-site VPN service for individual users. Supports mutual certificate, Active Directory, and SAML authentication. Configurable as split tunnel or full tunnel.
- AWS CloudFormation: Infrastructure-as-code service that provisions AWS resources declaratively from templates. Key features: Change Sets, DeletionPolicy, helper scripts (cfn-init, cfn-signal, cfn-hup), CreationPolicy/WaitCondition, drift detection, nested stacks, and cross-stack references.
- AWS CloudFormation StackSets: Deploy the same CloudFormation template to multiple accounts and/or regions simultaneously. Service-managed mode with automatic deployment deploys to new accounts added to targeted OUs.
- AWS CloudTrail: Records every AWS API call (management events by default, data events optionally). Delivers log files to S3 with up to 15-minute delay. Supports multi-region trails, organization trails, and log file validation (SHA-256).
- AWS CloudTrail Insights Events: Detects unusual API activity patterns (anomaly detection) beyond normal management and data events.
- AWS CloudTrail Lake: Managed data lake for CloudTrail events enabling SQL-based querying without first exporting events to S3 and querying them with Athena.
- AWS CodeDeploy: Deployment service supporting in-place, blue/green, canary, linear, and all-at-once deployment types across EC2, Lambda, and ECS compute platforms.
- AWS Compute Optimizer: Analyzes CloudWatch metrics using ML to recommend right-sizing for EC2 instances, Lambda functions, ECS/Fargate services, and Auto Scaling groups.
- AWS Config: Continuous compliance monitoring service that records resource configurations, evaluates them against rules, and can auto-remediate violations via SSM Automation documents.
- AWS Config Aggregator: Collects Config data from multiple accounts and regions into a single compliance view.
- AWS Control Tower: Builds on AWS Organizations to provide a pre-configured multi-account landing zone with SCPs (preventive guardrails), Config rules (detective guardrails), and Account Factory.
- AWS Data Lifecycle Manager (DLM): Automates EBS snapshot creation and retention through lifecycle policies based on tags, schedules, and cross-region copy rules.
- AWS DataSync: Managed service for large-scale data transfer between on-premises storage and S3, EFS, or FSx with parallelization and checksumming.
- AWS Direct Connect: Dedicated physical circuit from a data center to an AWS Direct Connect location, providing guaranteed bandwidth and consistent latency (unlike VPN which traverses the public internet).
- AWS Elastic Disaster Recovery (DRS): Managed service for continuous server replication to a staging area in a target region. Enables near-RPO-0 recovery by launching full-size instances within minutes during failover.
- AWS IAM (Identity and Access Management): The security perimeter of AWS. Evaluates every API call against identity-based policies, resource-based policies, permission boundaries, SCPs, and session policies.
- AWS IAM Access Advisor: Shows the last time each AWS service was accessed by an IAM user or role, used to identify over-permissive policies for least-privilege refinement.
- AWS IAM Access Analyzer: Analyzes resource-based policies to identify resources accessible from outside your account or organization. Also validates IAM policies for syntax errors and over-permissions.
- AWS IAM Credential Report: Downloadable CSV listing all IAM users and credential status (password last used, access key activity, MFA status) for compliance audits.
- AWS IAM Identity Center (SSO): Recommended approach for multi-account human access using SAML 2.0/OIDC federation with corporate identity providers. Manages permission sets that create IAM roles automatically in target accounts.
- AWS IAM Permission Boundary: A managed policy that sets the maximum permissions an IAM user or role can have. Restricts but does NOT grant permissions.
- AWS IAM Policy Simulator: Evaluates all relevant policies for a principal/action/resource combination and reports allowed/denied with the causing policy.
- AWS KMS (Key Management Service): Manages encryption keys inside HSMs. Three key types: AWS Owned (free, default), AWS Managed (free, per-service), Customer Managed Keys (full control). Uses envelope encryption.
- AWS Lambda: Serverless compute for custom remediation logic, event-driven automation, and lightweight processing. 15-minute max execution timeout. Functions should be idempotent.
- AWS Lambda@Edge: Runs Lambda functions at CloudFront regional edge caches with four hook points: Viewer Request, Origin Request, Origin Response, Viewer Response. Supports Node.js and Python with network access.
- AWS Network Firewall: Managed stateful network firewall for VPCs supporting Suricata-compatible IPS rules, deep packet inspection, domain-based filtering, and TLS inspection.
- AWS Organizations: Multi-account management with organizational units (OUs), consolidated billing, and Service Control Policies (SCPs).
- AWS RAM (Resource Access Manager): Shares resources (VPC subnets, Transit Gateway, Route 53 Resolver Rules, AMIs) across accounts within an organization without duplicating them.
- AWS Secrets Manager: Manages secrets with automatic credential rotation using Lambda functions. Native integration with RDS, Redshift, and DocumentDB. Uses version stages (AWSCURRENT, AWSPENDING, AWSPREVIOUS) for zero-downtime rotation.
- AWS Security Hub: Aggregates security findings from GuardDuty, Inspector, Macie, Config, and IAM Access Analyzer into a single normalized view. Runs security standard checks (CIS, AWS Best Practices, PCI DSS, NIST).
- AWS Shield: DDoS protection service. Standard tier (free, automatic L3/L4 protection). Advanced tier (enhanced L3/4/7 protection, DDoS cost protection, 24/7 DRT access).
- AWS Step Functions: Orchestrates multi-step workflows with state tracking, human approval steps, retry logic, and error handling. Used when Lambda's 15-minute timeout is insufficient.
- AWS STS (Security Token Service): Issues temporary credentials when roles are assumed. Key APIs: AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetSessionToken.
- AWS Systems Manager: Operations platform replacing SSH-based management. Includes Run Command, Session Manager, Patch Manager, State Manager, Automation, Parameter Store, Inventory, OpsCenter, and Fleet Manager.
- AWS Systems Manager Automation: Multi-step workflow engine executing operational procedures as code. Triggered by alarms, EventBridge rules, Config remediation, or maintenance windows.
- AWS Systems Manager Inventory: Collects instance metadata including installed software, network configuration, and OS details across the fleet.
- AWS Systems Manager Maintenance Window: Scheduled time windows during which operational tasks like patching run.
- AWS Systems Manager OpsCenter: Centralized view of operational issues (OpsItems) for tracking and resolving incidents.
- AWS Systems Manager Parameter Store: Secure storage for configuration values and secrets. Free standard tier (4KB), advanced tier (8KB). Supports versioning and hierarchical namespacing. No automatic rotation.
- AWS Systems Manager Patch Manager: Automates OS patching using patch baselines, patch groups (tag-based), and maintenance windows. Generates compliance reports.
- AWS Systems Manager Run Command: Executes scripts and commands on instances without SSH. Operates immediately on targeted instances.
- AWS Systems Manager Session Manager: Browser/CLI-based shell access without port 22, bastion hosts, or key pairs. Access controlled via IAM policies. Full session logging to CloudWatch Logs or S3.
- AWS Systems Manager State Manager: Continuously enforces a desired configuration state on managed instances.
- AWS Transit Gateway: Hub-and-spoke network model connecting multiple VPCs, VPN connections, and Direct Connect gateways. Supports route tables for isolating traffic between attachments.
- AWS Trusted Advisor: Automated best-practice auditor checking accounts across cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Full checks require Business/Enterprise support.
- AWS User Notifications: Unified notification service aggregating alerts from multiple AWS services and delivering to email, console, Slack, and Chime.
- AWS WAF (Web Application Firewall): Layer 7 firewall inspecting HTTP/HTTPS requests. Components: Web ACL, rule groups, AWS Managed Rule Groups, rate-based rules, custom rules. Attaches to ALB, CloudFront, API Gateway, AppSync, and Cognito.
- AWS X-Ray: Distributed tracing service injecting unique trace IDs into requests across service boundaries. Concepts: Trace, Segment, Subsegment, Service Map, Annotation (indexed/searchable), Metadata (not indexed).
- Backup and Restore (DR Strategy): Lowest-cost DR strategy keeping only backups in the DR region. RTO: hours. RPO: hours. Pay only for storage.
- BGP (Border Gateway Protocol): Dynamic routing protocol used with Site-to-Site VPN and Direct Connect for route exchange between on-premises and AWS networks.
- Blue/Green Deployment: Deployment strategy running the new environment alongside the old, then switching traffic. Implementation: Route 53 weighted routing, ALB target group swap, or ASG swap via CodeDeploy. Provides instant rollback.
- Burstable Instances (T-family): T3/T3a/T4g instances earning CPU credits during idle and spending during bursts. Unlimited mode bursts beyond credit balance at extra cost; standard mode throttles when credits exhausted.
- Cache-Aside (Lazy Loading): Caching strategy where the application checks cache first; on miss, reads from database and populates cache. Only caches what is actually requested.
- Canary Deployment: Routes a small percentage of real traffic to the new version, monitors for errors, then gradually increases it. Lowest risk of all deployment strategies.
- CIDR Block: IP address range notation (e.g., /16, /28) used for VPC and subnet sizing. AWS reserves 5 IPs per subnet.
- CloudFront: CDN that caches content at 400+ edge locations globally. Key configurations: Cache Policy, Origin Request Policy, Cache Behaviors, OAC, Signed URLs/Cookies, Price Classes.
- CloudFront Functions: Lightweight alternative to Lambda@Edge running at all 400+ edge locations. JavaScript only, sub-millisecond execution, no network access. For simple URL rewrites, header manipulation, and JWT validation.
- CloudWatch: The central observability service for AWS. Collects metrics from virtually every AWS service and enables alarms, dashboards, and automated actions.
- CloudWatch Agent: A unified agent installed inside EC2 instances or containers that publishes OS-level metrics (memory, disk, swap) and logs that the hypervisor cannot see.
- CloudWatch Internet Monitor: Monitors internet connectivity between AWS infrastructure and end users, measuring performance at city-level granularity using passive traffic pattern analysis.
- CloudWatch Network Monitor: Creates synthetic network probes (ICMP or TCP) from VPC to external destinations to continuously measure latency and packet loss on specific network paths.
- Cluster Placement Group: EC2 placement strategy putting all instances in the same rack in one AZ for lowest latency and highest throughput. Used for HPC and ML training.
- Composite Alarm: Combines multiple CloudWatch alarms using AND/OR logic to reduce alert storms. Can only reference other alarms, not metrics directly.
- Conformance Pack: Collection of AWS Config rules and remediation actions packaged together for compliance standards like CIS, PCI DSS, or HIPAA.
- Connection Draining (Deregistration Delay): ELB feature allowing in-flight requests to complete (default: 300 seconds) when a target is being deregistered during scale-in or deployment.
- Container Insights: CloudWatch feature providing CPU, memory, and network metrics for ECS and EKS at cluster, service, task/pod, and node levels. Must be explicitly enabled.
- Cooldown Period: Time after a scaling action during which Auto Scaling does not evaluate further scaling. Target tracking and step scaling use warm-up times instead.
- Cross-Zone Load Balancing: Distributes traffic equally across all targets in all AZs. Enabled by default for ALB, disabled by default for NLB.
- Customer Gateway (CGW): AWS representation of an on-premises VPN device configured with the device's public IP for Site-to-Site VPN.
- DeletionPolicy (CloudFormation): Controls resource behavior when stack is deleted: Delete (default), Retain (orphan), or Snapshot (final snapshot before deletion for RDS, EBS, ElastiCache).
- Detailed Monitoring: EC2 metric publication at 1-minute intervals (vs. default 5-minute basic monitoring). Required for faster Auto Scaling reactions.
- Drift Detection (CloudFormation): Identifies resource configuration changes made outside CloudFormation. Shows which resources have drifted and what changed, but does not auto-remediate.
- DynamoDB: A fully managed NoSQL database that automatically replicates data across 3 AZs. Supports On-Demand and Provisioned capacity modes with Auto Scaling.
- DynamoDB Accelerator (DAX): An in-memory cache for DynamoDB that reduces read latency from single-digit milliseconds to microseconds.
- DynamoDB PITR (Point-in-Time Recovery): Continuously backs up DynamoDB tables, allowing restore to any point in the past 35 days with second-level granularity. Not enabled by default.
- DynamoDB Streams: Captures item-level changes in DynamoDB tables as an ordered stream, used as a trigger for event-driven automation.
- EBS (Elastic Block Store): Block storage volumes for EC2 instances. Key volume types: gp3 (general purpose, recommended), gp2 (legacy), io2 Block Express (highest performance), st1 (throughput), sc1 (cold data).
- EBS Multi-Attach: Allows io1/io2 volumes to be attached to up to 16 Nitro-based instances in the same AZ simultaneously; requires a cluster-aware file system.
- EBS-Optimized Instances: EC2 instances with dedicated network path to EBS volumes, preventing EBS I/O from competing with instance network traffic.
- EC2 (Elastic Compute Cloud): Virtual server instances in the cloud. Publishes CPU, network, and disk I/O metrics by default but NOT memory or disk space utilization (requires CloudWatch Agent).
- EC2 Image Builder: Automates the creation, testing, and distribution of golden AMIs through image pipelines with recipes, components, and distribution configurations.
- ECR (Elastic Container Registry): Private container image registry that stores, versions, and secures container images. Supports image scanning, lifecycle policies, cross-region replication, and tag immutability.
- ECS (Elastic Container Service): Container orchestration service. Container Insights (must be explicitly enabled at cluster level) provides CPU, memory, and network metrics per task and container.
- EFS (Elastic File System): Managed NFS file system for Linux that scales automatically. Performance modes: General Purpose and Max I/O. Throughput modes: Elastic, Bursting, and Provisioned.
- Egress-Only Internet Gateway: IPv6 equivalent of a NAT gateway allowing outbound connections from private subnets without receiving inbound IPv6 traffic.
- ElastiCache: Managed in-memory caching service supporting Redis and Memcached engines. Redis supports data structures, persistence, replication, and Multi-AZ failover. Memcached supports simple strings and multi-threaded scaling only.
- Elastic IP: Static public IP address associated with NAT gateways and EC2 instances.
- Encryption at Rest: Converting stored data into ciphertext requiring a key to read. Implemented via KMS for S3, EBS, RDS, and DynamoDB.
- Encryption in Transit: Protecting data as it moves between systems using TLS. Implemented via ACM certificates on ALB, CloudFront, and API Gateway.
- Enhanced Monitoring (RDS): OS-level metrics at up to 1-second granularity published to CloudWatch Logs. Separate from Performance Insights.
- Envelope Encryption: KMS encryption pattern where a data key encrypts data, and the CMK encrypts the data key. The CMK never leaves KMS.
- Ephemeral Ports: Dynamic ports (typically 1024-65535) chosen by the client OS for server responses. Because NACLs are stateless, return traffic on these ports must be explicitly allowed in NACL rules.
- EventBridge: Serverless event bus that routes events from AWS services, custom applications, and SaaS partners to targets based on pattern-matching rules. Supports cross-account and cross-region routing.
- EventBridge Pipes: Connects a source (SQS, DynamoDB Stream, Kinesis) to a target with optional filtering and enrichment, simplifying point-to-point event pipelines.
- Failover Routing (Route 53): Active-passive DNS pattern routing to secondary record when primary health check fails. Health check on primary record is required.
- Firehose (Amazon Data Firehose): Delivers streaming data from CloudWatch Logs subscription filters to destinations like S3, Redshift, and OpenSearch.
- FSx for Lustre: High-performance file system for HPC, ML training, and financial modeling. Integrates natively with S3 for lazy loading and write-back.
- FSx for NetApp ONTAP: Shared storage supporting NFS, SMB, and iSCSI protocols for hybrid cloud and existing NetApp workloads.
- FSx for OpenZFS: NFS-based shared storage with ZFS features including data compression and deduplication.
- FSx for Windows File Server: SMB protocol file storage with Active Directory integration and NTFS support for Windows applications.
- Geolocation Routing (Route 53): Routes DNS based on client geographic location for compliance and content localization. Not based on network latency.
- Geoproximity Routing (Route 53): Routes based on geographic proximity with optional bias for fine-grained traffic shifting between regions.
- Global Accelerator: Provides two static Anycast IP addresses routing traffic through AWS's private network to endpoints. For non-HTTP traffic, static IP whitelisting, or sub-second regional failover. Does not cache content.
- Golden AMI: A pre-built, patched, tested AMI produced by an automated pipeline to ensure fleet consistency and security.
- GuardDuty: Regional threat detection service using machine learning to identify malicious activity by analyzing CloudTrail management events, VPC Flow Logs, DNS logs, and S3 data events.
- GWLB (Gateway Load Balancer): Layer 3 (IP packets) load balancer for routing traffic through third-party security appliances.
- Health Checks (ELB): Independent per-target-group configuration checking protocol, port, and path. Default: 5 consecutive successes for healthy, 2 failures for unhealthy, 30-second interval.
- Health Checks (Route 53): Endpoint, Calculated (AND/OR logic), and CloudWatch Alarm-based health monitoring from multiple global locations for DNS-layer failover.
- IAM Condition Keys: Policy conditions restricting access further (e.g., aws:RequestedRegion, aws:PrincipalTag, aws:MultiFactorAuthPresent).
- IAM Roles: AWS identities with temporary credentials (via STS) for services, cross-account access, and federation. Always use instance roles for EC2/Lambda instead of access keys.
- Idempotency: Property where running an operation twice produces the same result as running it once. Critical for event-driven systems that may deliver duplicate events.
- Immutable Deployment: Launches entirely new instances with the new version; only swaps traffic when they are healthy. Old instances are terminated after the swap. Safest EC2 deployment pattern.
- Inspector: Identifies software vulnerabilities and unintended network exposure in EC2 instances (via SSM Agent), ECR container images, and Lambda function code.
- Internet Gateway (IGW): VPC component enabling internet access. A subnet becomes "public" when its route table has a route to the IGW.
- IP-based Routing (Route 53): Routes DNS based on client IP CIDR ranges for ISP-specific routing or network segmentation.
- Kinesis Data Streams: High-volume streaming analytics destination for CloudWatch Logs subscription filters.
- Latency Routing (Route 53): Routes DNS to the region with lowest measured network latency for the requesting client. For speed optimization, not geographic compliance.
- Launch Template: Defines EC2 instance configuration for Auto Scaling Groups. Supports versioning, multiple instance types, and Spot+On-Demand mix.
- Lifecycle Hooks (Auto Scaling): Intercept instance launches (Pending:Wait) and terminations (Terminating:Wait) to run custom actions before state transition.
- Log Groups (CloudWatch): Containers for logs from the same source with configurable retention (1 day to 10 years, or never expire).
- Log Streams (CloudWatch): Sequences of events from the same source within a log group.
- Logs Insights (CloudWatch): On-demand SQL-like query engine for CloudWatch Logs using fields, filter, stats, sort, parse, and limit commands.
- Macie: Uses machine learning to discover and protect sensitive data (PII, financial data, credentials) stored in S3 buckets.
- Metric Filters (CloudWatch): Transform log content into CloudWatch metrics by scanning for patterns, enabling alarms on log-level events.
- MFA (Multi-Factor Authentication): Types: Virtual MFA (authenticator apps), Hardware MFA (YubiKey), TOTP, WebAuthn/FIDO2. Enforced via aws:MultiFactorAuthPresent condition key.
- MTTR (Mean Time to Resolution): Average time to resolve incidents. Automated remediation reduces MTTR by eliminating human response time.
- Multi-Site Active-Active (DR Strategy): Full production capacity in 2+ regions with traffic split in normal operation. Near-zero RTO and RPO. Highest cost.
- Multipart Upload: Required for S3 objects >5GB, recommended >100MB. Enables parallel part uploads. Incomplete uploads accumulate cost without lifecycle policy cleanup.
- Multivalue Answer Routing (Route 53): Returns up to 8 healthy IP addresses for client-side load balancing with optional health checking.
- NACL (Network Access Control List): Stateless subnet-level firewall with rules evaluated in number order (first match wins). Supports explicit deny. Return traffic must be explicitly allowed.
- NAT Gateway: AWS-managed service allowing private subnet instances to initiate outbound internet connections. Lives in a public subnet with Elastic IP. Deploy one per AZ for HA.
- NAT Instance: Self-managed EC2 instance performing NAT. Legacy approach; limited by instance type; single point of failure.
- NLB (Network Load Balancer): Layer 4 (TCP/UDP/TLS) load balancer with ultra-low latency and static IP per AZ. Preserves client source IP address.
- OAC (Origin Access Control): Current/recommended CloudFront mechanism for restricting S3 bucket access to CloudFront only. Replaces legacy OAI.
- Observability (Three Pillars): Metrics (CloudWatch), Logs (CloudWatch Logs, CloudTrail), and Traces (X-Ray). Each answers a different question: what is wrong, what happened, and where it broke.
- Operations Loop: Five-step cycle: Collect (CloudWatch) → Detect (Alarm) → Alert (SNS) → Remediate (Lambda/SSM) → Verify (Alarm returns OK).
- Partition Placement Group: EC2 placement strategy spreading instances across logical partitions (separate racks) with up to 7 partitions per AZ. For large distributed systems like Cassandra, Kafka, HDFS.
- Percentile Statistics (p99, p95, p50): CloudWatch metric statistics for latency monitoring. Average is misleading for SLAs; percentiles reveal tail latency.
- Pilot Light (DR Strategy): Minimal core architecture running in DR region (replicated database, key config). Application servers not running. RTO: 10-60 minutes. RPO: minutes.
- Predictive Scaling: Auto Scaling policy using ML forecasting based on historical patterns to launch capacity ahead of predicted load.
- PrivateLink: AWS technology powering interface VPC endpoints, providing private connectivity to AWS services via ENIs in customer subnets.
- RDS (Relational Database Service): Managed relational database service. Encryption must be set at creation time. Supports automated backups (1-35 day retention with PITR), manual snapshots, read replicas, and Multi-AZ.
- RDS Multi-AZ: Creates a synchronous standby replica in a different AZ for high availability. Failover takes 60-120 seconds. The standby is NOT readable.
- RDS Performance Insights: Database-specific monitoring tool that measures DB Load broken down by wait states: CPU, I/O, Lock, Net, Concurrency. Shows top SQL statements consuming load.
- RDS Proxy: Connection pooling proxy that multiplexes many application connections over fewer database connections. Primary solution for Lambda + RDS connection exhaustion.
- RDS Read Replicas: Asynchronous read-only copies for read scaling. Up to 15 for Aurora, 5 for MySQL/PostgreSQL/MariaDB. Can be cross-region. Not for failover.
- RDS Storage Auto Scaling: Automatically increases RDS storage when free space falls below a threshold, up to a configured maximum.
- Read-Through Cache: Caching strategy where the cache library automatically fetches from the database on a cache miss, simplifying application code.
- Rolling Deployment: Replaces instances in batches (e.g., 25% at a time). No downtime. Medium rollback speed.
- Route 53: DNS service with routing policies: Simple, Weighted, Latency, Failover, Geolocation, Geoproximity, Multivalue Answer, and IP-based. Health checks monitor endpoints from multiple global locations.
- Route 53 Resolver: Default DNS resolver in every VPC (at CIDR base + 2). Supports inbound and outbound endpoints for hybrid DNS resolution between VPC and on-premises networks.
- Route 53 Resolver DNS Firewall: Blocks outbound DNS queries to malicious or unauthorized domains from within a VPC.
- RPO (Recovery Point Objective): Maximum acceptable data loss measured in time. Lower RPO requires more frequent backups at higher cost.
- RTO (Recovery Time Objective): Maximum acceptable time to restore service after failure. Lower RTO requires more pre-deployed resources at higher cost.
- S3 (Simple Storage Service): Object storage with 99.999999999% (11 9s) durability. Storage classes: Standard, Standard-IA, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, and Intelligent-Tiering.
- S3 Event Notifications: Publishes events when objects are created, deleted, tagged, restored, or replicated. Destinations: SNS, SQS, Lambda, or EventBridge.
- S3 Glacier Deep Archive: Lowest-cost S3 storage class for long-term archive with 12-hour retrieval time and 180-day minimum storage duration.
- S3 Glacier Flexible Retrieval: Archive storage class with minutes-to-hours retrieval and 90-day minimum storage duration.
- S3 Glacier Instant Retrieval: Archive storage class with millisecond retrieval and 90-day minimum storage duration.
- S3 Intelligent-Tiering: Storage class that automatically moves objects between access tiers based on usage patterns, with no retrieval fees but a per-object monitoring fee.
- S3 Lifecycle Policies: Automate transitions between storage classes and expiration of objects based on age. Also used to abort incomplete multipart uploads.
- S3 MFA Delete: Requires MFA authentication from the root account for changing bucket versioning state or permanently deleting object versions.
- S3 Object Lock: WORM protection at the object level. Three modes: Governance (overridable), Compliance (nobody can override), and Legal Hold.
- S3 Object Versioning: Preserves every version of every object in a bucket. Deletes add a delete marker. Cannot be disabled once enabled, only suspended.
- S3 SSE-C: Server-side encryption where the customer provides the encryption key with each request. AWS does not store the key.
- S3 SSE-KMS: Server-side encryption using KMS. Every decrypt is auditable via CloudTrail.
- S3 SSE-S3: Server-side encryption using AWS-managed keys at no additional cost. Default S3 encryption option.
- S3 Transfer Acceleration: Routes uploads through CloudFront edge locations using optimized network paths.
- SAML 2.0: Federation protocol for connecting corporate identity providers to AWS. Used by IAM Identity Center and direct IAM SAML federation.
- SCP (Service Control Policy): Organization-level policy restricting maximum permissions for all principals in member accounts. Does not affect the management account. Does not grant permissions.
- Security Group: Stateful instance-level (ENI) firewall. Default: all inbound denied, all outbound allowed. No explicit deny capability. Supports referencing other security groups.
- Signed URLs/Signed Cookies (CloudFront): Time-limited, user-specific access mechanisms for protected CloudFront content.
- Site-to-Site VPN: Encrypted IPsec tunnel over the public internet between on-premises (Customer Gateway) and AWS (Virtual Private Gateway or Transit Gateway). Two tunnels per connection for redundancy.
- SNS (Simple Notification Service): Notification service that delivers messages to subscribers (email, SMS, Lambda, SQS, HTTP/S) via topics. Supports message filtering with subscription filter policies.
- Spread Placement Group: EC2 placement strategy placing each instance on a distinct rack. Max 7 instances per AZ. For small critical workloads avoiding simultaneous hardware failure.
- SQS (Simple Queue Service): Message queuing service used as a destination for S3 event notifications and EventBridge dead-letter queues.
- SSM Agent: Agent installed on EC2 instances (pre-installed on Amazon Linux 2 and Windows) required for Systems Manager capabilities. Needs IAM instance profile with AmazonSSMManagedInstanceCore policy.
- Sticky Sessions: ELB feature using cookies to bind a user session to a specific target. Best practice is to use ElastiCache for session storage instead.
- Subscription Filters (CloudWatch): Stream log data in near real-time to Lambda, Kinesis Data Streams, or Data Firehose for processing.
- Target Group (ELB): Set of registered targets (EC2 instances, IPs, Lambda functions) receiving traffic from load balancer rules with independent health check configuration.
- Target Tracking Scaling: Recommended Auto Scaling policy maintaining a target metric value (e.g., CPU at 50%). Handles scale-out and scale-in automatically.
- Terraform: Vendor-neutral IaC tool using HCL language for multi-cloud provisioning. State stored in S3, locking via DynamoDB. Key commands: init, plan, apply, destroy.
- TLS (Transport Layer Security): Protocol for encrypting data in transit. Certificates prove identity and establish encrypted channels. Managed by ACM in AWS.
- TTL (Time to Live): Maximum time a cached item stays before expiring (ElastiCache) or maximum DNS record cache time (Route 53).
- Virtual Private Gateway (VGW): AWS-side VPN endpoint attached to a VPC for Site-to-Site VPN connections.
- VPC (Virtual Private Cloud): Logically isolated private network in AWS with controlled IP addressing, routing, and traffic flow. Default deny model requires explicitly opening connectivity.
- VPC Endpoint (Gateway): Free route-table-based endpoint for S3 and DynamoDB only. Eliminates NAT gateway data processing fees for traffic to these services.
- VPC Endpoint (Interface): PrivateLink-based ENI in your subnet providing private connectivity to 100+ AWS services. Costs per hour plus data processing.
- VPC Flow Logs: Capture metadata about network traffic (source/dest IP, port, protocol, ACCEPT/REJECT action) at VPC, subnet, or ENI level. Does not capture packet contents.
- VPC Network Access Analyzer: Finds unintended network access paths for security audits of network topology.
- VPC Peering: Creates a routing relationship between two separate VPCs.
- VPC Reachability Analyzer: Network path analysis tool that models VPC configuration to determine if a path exists between source and destination without sending actual packets.
- Warm Pools (Auto Scaling): Pre-initialized pool of stopped instances ready to enter service quickly, avoiding long initialization times.
- Warm Standby (DR Strategy): Scaled-down but fully functional production environment running continuously in DR region. RTO: minutes. RPO: seconds to minutes. Medium cost.
- Weighted Routing (Route 53): Distributes DNS traffic by configurable weight percentages. Used for A/B testing, gradual migrations, and blue/green deployments.
- Well-Architected Framework (Operational Excellence Pillar): AWS methodology with five design principles: perform operations as code, make frequent small reversible changes, refine operations procedures, anticipate failure, learn from failures.
- WORM (Write Once Read Many): Data protection model preventing modification or deletion. Implemented by AWS Backup Vault Lock and S3 Object Lock in compliance mode.
- Write-Behind (Write-Back) Cache: Caching strategy writing to cache immediately with asynchronous flush to database. High write throughput with risk of data loss if cache fails.
- Write-Through Cache: Caching strategy writing to both cache and database on every write. Ensures cache freshness at higher write cost.
- X-Forwarded-For: HTTP header containing the original client IP address when traffic passes through ALB.
Written by Alvin Varughese
Founder • 15 professional certifications