
Deliver a fast-paced, slides-based AWS Certified Solutions Architect Professional course (SAP-C02) focused on deep knowledge and exam strategy, with no hands-on, quizzes, and guidance on prerequisites.
Meet your instructor, Stéphane Maarek, an AWS certifications and Apache Kafka expert with a data analyst, big data engineer, and solutions architect background, and connect on LinkedIn or Instagram to set goals.
Explain IAM essentials, including users, roles, cross-account access, policy types, and resource-based policies; cover policy structure, conditions, variables, and best practices like least privilege with Access Advisor and Access Analyzer.
Discover how IAM Access Analyzer flags externally shared resources across S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets by defining a zone of trust.
Discover how STS enables cross-account access and identity federation through temporary credentials, external IDs, and session tags for secure access and auditing with CloudTrail.
Master identity federation in AWS by linking a corporate identity provider to grant external users temporary credentials via SAML 2.0, custom brokers, or web identity federation with Cognito.
Explore AWS directory services, including managed Microsoft AD, AD Connector, and Simple AD, with on-premises integration, two-way forest trusts, and SSO across AWS and third-party apps.
Explore how AWS Organizations manages multiple accounts with a root OU and management account, including SCPs, consolidated billing, member accounts, and the Organization Account Access Role.
Learn how AWS Organizations policies use service control policies to restrict actions, require explicit allows, enforce tag policies, opt out of AI services, and implement backups across OUs and accounts.
Use AWS IAM Identity Center to enable single sign-on across AWS accounts and business apps with a central login and flexible permission sets.
Set up and govern a secure multi-account AWS environment with Control Tower, guardrails, and automatic remediation. Integrate IAM Identity Center with AWS Organizations and Account Factory for streamlined provisioning.
Leverage AWS Resource Access Manager (RAM) to share VPC subnets and other resources across accounts within an AWS Organization, enabling central management while preserving isolation.
Explore AWS identity and federation options, from multi-account management with Organizations and Control Tower to SAML 2.0, Cognito, IAM Identity Center, and RAM for sharing resources.
Understand how CloudTrail audits AWS activity across accounts and regions, storing management, data, and insights events in S3 or CloudWatch, with Athena for long-term analysis.
Explore how CloudTrail and Amazon EventBridge integrate to intercept API calls and trigger SNS alerts for events like DeleteTable, AssumeRole, and AuthorizeSecurityGroupIngress.
Explore CloudTrail architectures with S3 delivery, encryption, and lifecycle policies, and enable cross-account, multi-region logging with event-driven alerts via CloudWatch, EventBridge, SNS, SQS, or Lambda.
Discover AWS KMS, the key management service for centralized encryption control. Use symmetric and asymmetric keys for envelope encryption across AWS services with IAM integration.
Discover AWS SSM Parameter Store as a secure, serverless configuration and secrets service with optional KMS encryption, versioning, IAM access, EventBridge notifications, and CloudFormation integration.
Explore AWS Secrets Manager for storing and auto-rotating secrets, securely linking them to RDS and other databases via secret attachments, environment-variable injection in ECS tasks, and Lambda-driven rotation.
Explore RDS security options, including KMS encryption at rest for EBS and snapshots, in-flight SSL, and TDE for Oracle or SQL Server; IAM authentication for MySQL, PostgreSQL, and MariaDB.
Learn how SSL/TLS encrypts connections, perform handshakes with asymmetric and symmetric keys, and use SNI to serve certificates on ALB; explore MITM prevention with HTTPS and DNSSEC on Route 53.
Learn how AWS Certificate Manager (ACM) provisions or accepts public and private SSL certificates for ALB, CloudFront, and API Gateway. ACM renews certs automatically when provisioning them and is regional.
Learn how CloudHSM provides dedicated hardware for key management, requiring you to control keys, security, and backups, with AWS unable to recover lost keys, and contrast with KMS multi-tenant options.
Learn classic SSL architectures for load balancers, including ACM-secured HTTPS to users and HTTP from the load balancer to EC2, plus SSL offloading to CloudHSM for backend TLS.
Explore S3 encryption options (SSE-S3, SSE-KMS, SSE-C, client-side) and encryption in transit via HTTPS. Learn to use bucket and IAM policies, VPC/VPCE conditions, and pre-signed URLs, plus object locks.
Learn how S3 access points simplify security and access control by tying dedicated policies to finance, sales, and analytics prefixes for scalable read/write and read-only access.
Master S3 multi-region access points, a global endpoint that redirects to the nearest replicated bucket across regions for lowest latency, with bidirectional replication and failover options.
Set up and configure a two-bucket multi-region access point for global data with replication, failover, and versioning across us-east-1 and eu-central-1, including permissions and replication rules.
Learn how S3 Object Lambda access points use Lambda to modify objects on retrieval, enabling redaction of PII and enrichment from loyalty data within a single S3 bucket.
Understand how DDoS attacks threaten availability and how AWS Shield, WAF, CloudFront, and Route 53 defend at the edge, with auto scaling to absorb surges.
Protect your web applications at layer seven with AWS WAF across CloudFront, API Gateway, ALB, and AppSync, using Web ACLs, managed rule groups, and SQL injection and XSS protections.
Learn to use AWS Firewall Manager to manage firewall rules across accounts with region-level policies, applying WAF and Shield Advanced rules, standardizing security groups, and DNS and network firewall rules.
Master network security in AWS by layering network ACL and security groups, optionally using EC2 firewall, and applying IP filtering at ALB, NLB, WAF, or CloudFront with geo restriction.
Amazon Inspector runs automated security assessments on EC2 instances, container images in ECR, and Lambda functions, auditing network exposure and vulnerabilities and reporting findings to AWS Security Hub and EventBridge.
Explore how AWS Config audits and records resource configurations over time, using rules to evaluate compliance and notify admins via SNS, with per-region setup and centralized cross-account aggregation.
Explore AWS managed logs, including ALB/NLB/CLB access logs exported to S3, CloudTrail, VPC Flow Logs to S3/CloudWatch/Kinesis, and CloudFront, Route 53, S3 access logs and Config exports.
Protect your AWS accounts with Amazon GuardDuty, which uses machine learning, anomaly detection, and third-party data to detect threats from CloudTrail, VPC flow logs, and DNS logs.
Apply IAM conditions to enforce access controls, using aws:SourceIp to restrict calls, aws:RequestedRegion to limit regions, and ec2:ResourceTag and aws:PrincipalTag with aws:MultiFactorAuthPresent to govern EC2 actions and S3 bucket policies.
Explain how EC2 Instance Connect uses SendSSHPublicKey to upload a one-time SSH public key for 60 seconds, enabling ephemeral SSH access with CloudTrail auditing and port 22 source IP ranges.
AWS Security Hub provides a central dashboard aggregating alerts from GuardDuty, Macie, Inspector, Config, and more across multiple accounts, with automatic checks, EventBridge findings, and Amazon Detective investigations.
Learn how Amazon Detective analyzes data from VPC flow logs, CloudTrail, and GuardDuty with machine learning and graphs to quickly identify the root cause and provide unified visualizations.
Map users to Route 53 and a CDN, delivering static content from S3 or Glacier. Connect dynamic content to compute options like EC2, Lambda, and ECS.
Explore EC2 fundamentals, including instance families for RAM, CPU, I/O, GPU, placement groups (cluster, spread, partition), launch options, Graviton, monitoring, and recovery with CloudWatch.
Explore high-performance computing on AWS, covering data transfer options, scalable EC2 compute and inter-node networking, HPC storage, and Batch and ParallelCluster tools.
Scale with auto scaling groups using dynamic policies, target tracking, step and predictive scaling, guided by CPU utilization and request count per target.
Examine auto scaling update strategies for updating applications with minimal downtime. Compare using a launch template in the same ASG, or separate ASGs and ALBs with Route 53 weighted routing.
Learn how EC2 spot instances and spot fleets cut costs up to 90% by bidding a max price, with strategies like lowest price and diversified pools for resilient workloads.
Explore how Amazon ECS orchestrates Docker containers on EC2 or Fargate, using task definitions, clusters, and services, with load balancing, auto scaling, and IAM roles for security.
Explore Amazon ECR to store and manage Docker images on AWS, using private and public repositories, cross-region replication, and image scanning with basic or enhanced scans.
Learn how Amazon EKS runs Kubernetes containers on AWS with EC2 and Fargate launch modes. Understand managed and self-managed node options, storage classes, and VPC-aware networking.
Discover how ECS Anywhere runs ECS tasks on on-prem infrastructure with the ECS and SSM agents and an external launch type. Explore EKS Distro, installer, and connector options.
Explore how AWS Lambda integrates with API Gateway, S3, DynamoDB, and EventBridge to build serverless workflows, manage concurrency, CodeDeploy deployments, and observability via CloudWatch and X-Ray.
Explore how AWS Lambda operates inside a VPC, accessing private RDS and DynamoDB via NAT gateway or VPC endpoint, and compare synchronous vs asynchronous invocations, idempotency, and DLQ strategies.
Compare and contrast AWS load balancers — classic, application, network, and gateway — highlighting capabilities, protocols, health checks, and target types, including integration with ECS, Lambda, and IP targets.
Explore cross-zone balancing across availability zones with application and network load balancers, and examine sticky sessions and routing algorithms like least outstanding requests, round robin, and flow hash.
Explore how Amazon API Gateway exposes REST APIs, proxies to Lambda, supports authentication and caching, and uses OpenAPI specs with deployment stages and edge, regional, or private endpoints.
Explore API Gateway usage plans with API keys, throttling, and quotas, and discover WebSocket API for real-time two-way communication, private access via VPC endpoints, and resource policies.
Explore AppSync, a managed GraphQL service that aggregates data from DynamoDB, Aurora, Elasticsearch, and Lambda. Enable real-time updates via WebSockets and secure access with Cognito groups in resolvers.
Discover Route 53 record types like A, AAAA, CNAME, and NS, and how alias records enable root-domain mapping; learn routing policies including simple, weighted, latency, failover, geolocation, and geoproximity.
Explore Route 53 hosted zones, public and private, and learn how health checks, calculated health checks, and CloudWatch alarms enable automated failover with SNS, Lambda, and CloudWatch integration.
Explore hybrid DNS with Route 53 Resolver, inbound and outbound endpoints, and resolver rules to enable cross-network queries between VPCs, on-prem, and private hosted zones.
Leverage AWS Global Accelerator to route traffic via anycast edge locations over the internal network. Gain fast regional failover, health checks, and DDoS protection for HTTP, TCP, and UDP endpoints.
Compare AWS architectures from EC2 with Elastic IP to API Gateway with HTTP, focusing on scaling, failover, and cost across ALB, ASG, ECS, Fargate, Lambda, and Route 53.
Explore AWS Outposts within a hybrid cloud model, extending AWS services to on-premises racks for low latency and data residency, with a fully managed, cloud-like experience on EC2 and S3.
Discover AWS Wavelength Zones that deploy EC2, EBS, and VPC at the edge within 5G networks via carrier gateway to deliver ultra-low latency, with secure access to RDS or DynamoDB.
Learn how AWS Local Zones extend a region to bring compute and storage closer to end users for low-latency applications, enabling Boston in us-east-1 and launching EC2 into a Local Zone.
Compare EBS volumes and EC2 instance store, covering multi-attach, snapshots, and cross-AZ transfer, plus encryption, Data Lifecycle Manager, and fast snapshot restore for performance.
Amazon Elastic File System (EFS) provides scalable, POSIX-compliant NFS storage for EC2 instances across multiple AZs and on-premises, with access points, encryption, and cross-region replication.
Leverage Amazon S3 as serverless, pay-as-you-go object storage for static content with lifecycle and replication policies.
Analyze S3 analytics to determine when to transition objects to the Standard or Standard IA storage classes. Visualize the data in Amazon QuickSight and inform lifecycle rules to optimize storage.
Explore S3 Storage Lens to analyze and optimize storage across your organization, identify anomalies, boost cost efficiency, and enforce data protection with a configurable dashboard and exports.
Compare CloudFront in front of S3, EC2-EBS options, and EFS for shared data, index S3 with DynamoDB and Lambda, and use presigned URLs for access.
Explore Amazon FSx offerings for Windows File Server, Lustre, NetApp ONTAP, and OpenZFS; learn deployment options, performance, integration with S3, and use cases from on-premises to HPC.
Explore Amazon FSx solution architectures, migrating from single to multi-AZ with DataSync or backup restores, and use data lazy loading in FSx for Lustre to start processing S3 data efficiently.
Explore AWS DataSync, moving data between on-premises and AWS services like S3, EFS, or FSx, using on-premises agents over NFS, SMB, or HDFS with scheduled transfers preserving metadata.
Design and implement private access to AWS DataSync over Direct Connect by using a VPC interface endpoint and PrivateLink, enabling a private virtual interface and secure data transfer.
Explore how AWS Data Exchange lets you find, subscribe to, and load third-party datasets into Amazon S3 and Redshift, license data, and run analytics or machine learning with SageMaker.
Learn how AWS Transfer Family offers FTP, FTPS, and SFTP interfaces to move data to S3 or EFS with a fully managed, scalable service.
Learn to compare AWS storage prices across EBS, EFS, and S3, rank io1/io2 highest to sc1 lowest, and match use cases with cost.
Utilize Amazon CloudFront, a global CDN, to cache content at edge locations, reduce latency, and protect against DDoS, while integrating with S3, VPC origins, and API Gateway for secure delivery.
Explore CloudFront geo restriction with allow and block lists using a geo-ip database and the CloudFront-Viewer-Country header, along with price classes, signed URLs, and custom error pages.
Learn how CloudFront Functions and Lambda@Edge run code at the edge to normalize cache keys, modify requests and responses, and enable edge authentication with minimal latency.
Use Lambda@Edge to route CloudFront requests to the nearest origin by cross-region replication between S3 buckets, reducing first-hit latency for edge users.
Learn how Amazon ElastiCache delivers managed cache with Redis or Memcached, enabling stateless apps and reduced database load, and compare their high availability, persistence, and caching strategies.
Explore handling extremely high request rates on AWS by leveraging edge caching with CloudFront and Route 53, and caching across compute and database layers.
DynamoDB is a fully managed, serverless NoSQL database that scales to one million requests per second, supports provisioned or on-demand capacity, and stores large objects via S3 references.
Explore OpenSearch, the open source fork of Elasticsearch, with OpenSearch Dashboards, Logstash, and serverless or managed clusters for log analytics, real-time monitoring, security analytics, and full-text search.
Explore Amazon RDS as a managed database service with engines like PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, plus VPC isolation, backups, Multi-AZ, read replicas, and cross-region recovery.
Learn Aurora's architecture with auto-expanding storage, six data copies across three AZs, writer and reader endpoints, up to 15 read replicas, cross-region replication, and Performance Insights with CloudWatch Logs.
Explore Aurora Serverless with autoscaling and per-second pricing, the Data API, and secure access via Secrets Manager, then leverage RDS Proxy and read replicas for scalable, disaster-resilient database architectures.
Orchestrate AWS Step Functions and other AWS services with visual state machines, choosing standard or express workflows for scalable, error-handled orchestration.
Explore serverless SQS, an IAM-secured queue that decouples services for asynchronous workloads, handles large messages via S3 keys, supports standard and FIFO modes, and uses dead-letter queues with idempotent consumers.
Discover Amazon MQ, a managed broker for RabbitMQ and ActiveMQ that supports open protocols like MQTT and AMQP, enabling cloud migrations and providing queue and topic features with multi-AZ failover.
Publish messages to an Amazon SNS topic and reach many subscribers via email, SMS, HTTP endpoints, or AWS services like Lambda, SQS, and Kinesis Data Firehose, using the pub/sub pattern.
Learn the SNS to SQS fan-out pattern: publish once to an SNS topic and fan out to multiple SQS queues, including FIFO, with cross-region delivery, persistence, retries, and filtering.
Explore how Amazon SNS uses a delivery policy with retries for endpoint issues, supports custom policies for HTTP endpoints, and uses dead-letter queues attached to subscriptions.
Ingest real-time data with Amazon Kinesis Data Streams using producers, read via consumers or Lambda, and manage shards, capacity modes, retention, and security for scalable analytics.
Explore how Kinesis Data Firehose reads from Kinesis Data Streams or other sources, transforms data with Lambda, and batches writes to Amazon S3, Redshift, OpenSearch, or Splunk with automatic scaling.
Explore Amazon Managed Service for Apache Flink to run real-time stream processing on AWS, reading from Kinesis Data Streams or Amazon MSK, with managed compute and checkpoint-based backups.
Explore real-time streaming architectures for data engineering with Amazon Kinesis Data Streams, Kinesis Data Firehose, DynamoDB, and S3, comparing cost, latency, and retention across architectures.
Explore Amazon MSK, a fully managed Apache Kafka service on AWS, compare it with Kinesis, and learn to deploy, scale, use the serverless option, and consume from Kafka topics.
Run AWS Batch jobs using Docker images, choosing managed or unmanaged compute environments (EC2, spot, VPC, or Fargate). Schedule with EventBridge or Step Functions and process S3 images.
Explore Elastic MapReduce (EMR) to migrate on-prem Hadoop clusters to AWS, using auto-scaling with EC2, EMRFS and S3 for storage, and cost options like on-demand, reserved, and spot instances.
Explore approaches to run and monitor jobs on AWS, from EC2 cron jobs to serverless event driven patterns with EventBridge and Lambda, Batch, Fargate, and EMR for big data workloads.
Discover AWS Glue, a serverless ETL service that extracts data from S3 or RDS, transforms it, and loads it to Redshift, using Glue Data Catalog and crawlers for data discovery.
Explore Amazon Redshift for data warehousing and OLAP with columnar storage and massively parallel processing, including provisioned or serverless clusters, loading from S3, Redshift Spectrum, and advanced recovery.
Explore DocumentDB, a fully managed, MongoDB-compatible AWS service with 3-AZ replication and auto-scaling storage. Learn its pricing model—instances, IO, storage, and backups—with no upfront costs and no on-demand tier.
Explore Amazon Timestream, a fully managed time series database that is fast, scalable, and serverless, with SQL compatibility and in-memory recent data and cost-optimized historical storage.
Amazon Athena is a serverless, Presto-based SQL query service that analyzes data stored in S3 without moving it. It supports Parquet, ORC, Avro, CSV, and JSON.
Explore Amazon QuickSight, a serverless BI service for building interactive dashboards from owned data sources, with per-session pricing, the SPICE engine for fast analytics, and sharing analyses with users.
Explore how to build a scalable AWS big data architecture from real-time ingestion with Kinesis and S3 to analytics and visualization using EMR, Redshift, Athena, and QuickSight.
Welcome! I'm here to help you prepare and PASS the newest AWS Certified Solutions Architect Professional exam.
I'm so excited to have you here, but first, let's make sure this AWS Certified Solutions Architect Professional course is the right one for you.
-- -- -- -- -- -- --
COURSE UPDATES
[SAP-C02 November 2022 Update]: The entire course has been updated to match the new exam version SAP-C02
[April 2022 Update]: Over 10 videos have been refreshed/added to keep up with the AWS exam changes
[Feb 2022]: The entire course has been refreshed, new topics added, old topics' information fixed, diagrams improved. Happy learning!
-- -- -- -- -- -- --
**PLEASE READ**:
The course is ALL SLIDES-BASED: No hands-on will be done during this course. If you're new to AWS, just finished AWS Certified Solutions Architect Associate and need to acquire some hands-on experience, I strongly recommend doing the following courses: AWS Certified Developer Associate, AWS Certified SysOps Administrator Associate, AWS Certified DevOps Engineer.
Expert course - you MUST have AT LEAST the AWS Certified Solutions Architect Associate: a lot of prerequisite knowledge is assumed for this course. If you don't feel confident, please review the AWS Certified Solutions Architect Associate course first. Other certifications and extra hands-on experience are a huge plus.
This course is FAST-PACED: You must be ready to learn fast. I will not waste time over some basics. The slides are downloadable. I advise you to use the slides for some offline review after your session. I also recommend that you not hesitate to go back over some lectures you might not have fully understood.
NO PRACTICE EXAM INCLUDED: This course does not contain a practice exam. Please enroll in a separate course for that. This course focuses on teaching you the knowledge to ace the exam.
-- -- -- -- -- -- --
The AWS Certified Solutions Architect Professional certification is one of the most challenging exams. It requires some substantial hands-on and real-world experience for you to pass. This course is going to help you solidify the knowledge you already have and put it in perspective through the study of various solutions architectures and services. This course alone won't help you pass the exam. You need to invest a significant amount of your time reading the documentation when you have doubts.
With the right dedication and thanks to this course, you should be prepared for your exam and maximize your chances of passing your AWS Certified Solutions Architect Professional certification!
I am dedicated to helping people pass AWS certifications on Udemy, and have been teaching about how to pass all Associate Level, Professional Level, and a few Specialty certifications. People who learn with me pass their exams with great confidence!
-- -- -- -- -- -- --
Instructor
My name is Stéphane Maarek, I am passionate about Cloud Computing, and I will be your instructor in this course. I teach about AWS certifications, focusing on helping my students improve their professional proficiencies in AWS.
I have already taught 1,500,000+ students and gotten 500,000+ reviews throughout my career in designing and delivering these certifications and courses!
With AWS becoming the centerpiece of today's modern IT architectures, I have decided it is time for students to learn how to be an AWS Solution Architect Professional. So, let’s kick start the course! You are in good hands!
-- -- -- -- -- -- --
This course also comes with:
Lifetime access to all future updates
A responsive instructor in the Q&A Section
Udemy Certificate of Completion Ready for Download
A 30 Day "No Questions Asked" Money Back Guarantee!
Join me in this course if you want to become an AWS Certified Solutions Architect Professional and master the AWS platform!