AWS DVA-C02 — Visual Study Guide v2

Enhanced with ASCII diagrams & visual mnemonics for every confusing topic Built from comprehensive practice exam analysis — March 2026

---

    ╔══════════════════════════════════════════════════════════╗
    ║       AWS DEVELOPER ASSOCIATE (DVA-C02) EXAM MAP         ║
    ╠══════════════════════════════════════════════════════════╣
    ║                                                          ║
    ║   ┌─────────┐  ┌──────────┐  ┌─────────┐  ┌─────────┐    ║
    ║   │COMPUTE  │  │ STORAGE  │  │  API &   │  │SECURITY │   ║
    ║   │         │  │          │  │INTEGRATE │  │         │   ║
    ║   │ Lambda  │  │ S3       │  │ API GW   │  │ IAM     │   ║
    ║   │ ECS     │  │ DynamoDB │  │ SQS/SNS  │  │ Cognito │   ║
    ║   │ StepFn  │  │          │  │ Kinesis  │  │ KMS     │   ║
    ║   └────┬────┘  └────┬─────┘  └────┬─────┘  └────┬────┘   ║
    ║        │            │             │              │       ║
    ║        └────────────┴──────┬──────┴──────────────┘       ║
    ║                            │                             ║
    ║                    ┌───────┴───────┐                     ║
    ║                    │  DEPLOY/CICD  │                     ║
    ║                    │  CodeDeploy   │                     ║
    ║                    │  CloudForm.   │                     ║
    ║                    │  SAM / CDK    │                     ║
    ║                    │  Beanstalk    │                     ║
    ║                    └───────┬───────┘                     ║
    ║                            │                             ║
    ║                    ┌───────┴───────┐                     ║
    ║                    │  MONITORING   │                     ║
    ║                    │  CloudWatch   │                     ║
    ║                    │  X-Ray        │                     ║
    ║                    └───────────────┘                     ║
    ╚══════════════════════════════════════════════════════════╝

---

PART 1 — COMPUTE

---

1. AWS Lambda

1.1 Lambda Concurrency Model

                    ┌─────────────────────────────────────────┐
                    │       ACCOUNT CONCURRENCY POOL          │
                    │            (Default: 1000)              │
                    ├─────────────────────────────────────────┤
                    │                                         │
                    │  ┌──────────────┐  ┌──────────────┐     │
                    │  │  RESERVED    │  │  RESERVED    │     │
                    │  │  Fn-A: 400   │  │  Fn-B: 200   │     │
                    │  │  (guaranteed)│  │  (guaranteed)│     │
                    │  └──────────────┘  └──────────────┘     │
                    │                                         │
                    │  ┌──────────────────────────────────┐   │
                    │  │     UNRESERVED POOL: 400         │   │
                    │  │  (shared by ALL other functions) │   │
                    │  │  AWS keeps min 100 unreserved!   │   │
                    │  └──────────────────────────────────┘   │
                    └─────────────────────────────────────────┘

    Formula:  concurrent_executions = (invocations/sec) x (avg_duration_sec)

    Example:  50 req/s x 100s = 5,000 concurrent executions → EXCEEDS 1000!
              ➜ Throttle (HTTP 429)

    Fix Throttling:
    ┌──────────────────────────────────────────────────┐
    │ 1. Request service quota increase                │
    │ 2. Configure reserved concurrency per function   │
    │ 3. Use exponential backoff in client             │
    │ 4. Configure DLQ for async invocations           │
    └──────────────────────────────────────────────────┘

1.2 Lambda Invocation Types — Visual

    ╔══════════════════════════════════════════════════════════════════╗
    ║                   LAMBDA INVOCATION TYPES                        ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  ┌─ SYNCHRONOUS (RequestResponse) ─────────────────────────┐     ║
    ║  │                                                         │     ║
    ║  │   Client ──req──▶ Lambda ──────▶ Response ──▶ Client │     ║
    ║  │                   (blocks)       (waits)                │     ║
    ║  │   Used by: API Gateway, ALB, SDK invoke()               │     ║
    ║  └─────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  ┌─ ASYNCHRONOUS (Event) ──────────────────────────────────┐     ║
    ║  │                                                         │     ║
    ║  │   Client ──req──▶ [Queue] ──▶ Lambda                  │     ║
    ║  │          ◀──202──┘            (retries 2x on failure)  │     ║
    ║  │                                                         │     ║
    ║  │   ┌──── On final failure ────┐                          │     ║
    ║  │   │  ▼ DLQ (SQS or SNS)     │                           │     ║
    ║  │   └──────────────────────────┘                          │     ║
    ║  │   Used by: S3, SNS, EventBridge, CloudFormation         │     ║
    ║  └─────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  ┌─ POLL-BASED (Event Source Mapping) ─────────────────────┐     ║
    ║  │                                                         │     ║
    ║  │   [SQS/Kinesis/DynamoDB] ◀──poll── Lambda Service      │     ║
    ║  │                                      │                  │     ║
    ║  │                              invokes Lambda sync        │     ║
    ║  │   DLQ goes on SOURCE QUEUE (not Lambda)                 │     ║
    ║  └─────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  ┌─ DRY RUN ───────────────────────────────────────────────┐     ║
    ║  │   Validates params & permissions WITHOUT executing      │     ║
    ║  └─────────────────────────────────────────────────────────┘     ║
    ╚══════════════════════════════════════════════════════════════════╝

1.3 Lambda Execution Lifecycle

    COLD START (new container)
    ┌─────────────────────────────────────────────────────────┐
    │                                                         │
    │   ┌──────────────┐   ┌─────────────────────────────┐   │
    │   │  INIT PHASE  │   │      INVOKE PHASE           │   │
    │   │              │   │                              │   │
    │   │ • Download   │   │  handler(event, context) {   │   │
    │   │   code       │──▶│    // your logic here       │   │
    │   │ • Start      │   │  }                          │   │
    │   │   runtime    │   │                              │   │
    │   │ • Run init   │   │  ▲ context.log_stream_name  │   │
    │   │   code ★     │   │  ▲ context.aws_request_id   │   │
    │   └──────────────┘   └─────────────────────────────┘   │
    │         ★ = DB connections, SDK clients, cached data    │
    │           These PERSIST across warm invocations!        │
    └─────────────────────────────────────────────────────────┘

    WARM START (reuses container)
    ┌─────────────────────────────────────────────────────────┐
    │   INIT PHASE: SKIPPED!     INVOKE PHASE: Runs handler  │
    │                                                         │
    │   /tmp still has cached files (512 MB free, max 10 GB)  │
    │   DB connections from INIT still alive                  │
    └─────────────────────────────────────────────────────────┘

    ★ OPTIMIZATION: Put expensive setup OUTSIDE the handler!

1.4 Lambda Memory = CPU Scaling

    Memory (MB)    CPU Power        Network
    ─────────────────────────────────────────
    128   ░░                        Low
    512   ░░░░░                     Medium
    1769  ░░░░░░░░░░░░░ = 1 vCPU   High
    3538  ░░░░░░░░░░░░░░░░░ 2 vCPU Very High
    10240 ░░░░░░░░░░░░░░░░░░░░░░░░ Max

    ⚡ You CANNOT set CPU directly — only memory!
    ⚡ Increase memory → more CPU → faster execution
    ⚡ Max timeout: 15 minutes (900 seconds)

1.5 Lambda Layers & Deployment

    ┌──────────────────────────────────────┐
    │          Lambda Function             │
    │  ┌─────────────────────────────┐     │
    │  │ Your Code (handler)         │     │   Deployment Limits:
    │  ├─────────────────────────────┤     │   • Zip: 50 MB (compressed)
    │  │ Layer 1: numpy              │     │   • Unzipped: 250 MB total
    │  ├─────────────────────────────┤     │     (function + all layers)
    │  │ Layer 2: pandas             │     │   • Max 5 layers per function
    │  ├─────────────────────────────┤     │
    │  │ Layer 3: custom-utils       │     │   Layers extract to /opt/
    │  └─────────────────────────────┘     │
    └──────────────────────────────────────┘

    CloudFormation Inline Code (ZipFile):
    ┌──────────────────────────────────────┐
    │  ZipFile: |                          │
    │    def handler(event, context):      │  Only Node.js & Python!
    │      return "hello"                  │  Auto-names file "index"
    │                                      │  Accepts SOURCE CODE,
    │  ❌ NOT a zip file path              │  not a zip file path!
    │  ❌ NOT for Java, Go, C#             │
    └──────────────────────────────────────┘

1.6 Lambda + VPC

    DEFAULT (no VPC config):
    ┌────────────────────────────────────────────┐
    │  Lambda ──────▶ Internet ──▶ AWS APIs ✅   │
    │               ──▶ Private RDS ❌           │
    └────────────────────────────────────────────┘

    WITH VPC CONFIG:
    ┌────────────────────────────────────────────────────────┐
    │                        VPC                             │
    │  ┌─────────────┐                                      │
    │  │   Lambda    │──ENI──▶ Private Subnet ──▶ RDS ✅    │
    │  │             │                                      │
    │  │  ❌ Creates │  Need NAT Gateway for internet:      │
    │  │    ENIs     │  Lambda ──▶ NAT GW ──▶ Internet     │
    │  │  ❌ NOT     │                                      │
    │  │  Elastic IPs│  ⚠ Adds cold start latency!         │
    │  └─────────────┘  Only use when needed!               │
    └────────────────────────────────────────────────────────┘

Lambda — Pitfall Cheat Sheet

    ┌─────────────────────────────────────────────────────────────┐
    │                 LAMBDA PITFALL BUSTER                        │
    ├─────────────────────────────────────────────────────────────┤
    │ ❌ "Install X-Ray daemon on Lambda"                         │
    │    ✅ Just enable the checkbox / set TracingConfig: Active   │
    │                                                             │
    │ ❌ "Lambda creates Elastic IPs in VPC"                      │
    │    ✅ Creates ENIs (Elastic Network Interfaces)             │
    │                                                             │
    │ ❌ "Set concurrency to false"                               │
    │    ✅ Set to 0 (number) to throttle all invocations         │
    │                                                             │
    │ ❌ "Use InvokeAsync API"                                    │
    │    ✅ Use Invoke with InvocationType: "Event"               │
    │                                                             │
    │ ❌ "Timeout error = throttling"                             │
    │    ✅ Timeout = runs too long; Throttle = too many running  │
    │                                                             │
    │ ❌ "log_stream_name from Event object"                      │
    │    ✅ It's from the Context object                          │
    │                                                             │
    │ ❌ "AWSLambdaBasicExecutionRole" via resource-based policy  │
    │    ✅ Attach to the execution role, not resource policy     │
    └─────────────────────────────────────────────────────────────┘

1.7 Lambda Function URLs

    ╔══════════════════════════════════════════════════════════════════╗
    ║                  LAMBDA FUNCTION URLs                            ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  Dedicated HTTPS endpoint — NO API Gateway needed!               ║
    ║  Format: https://<url-id>.lambda-url.<region>.on.aws             ║
    ║                                                                  ║
    ║  AUTH TYPES:                                                     ║
    ║  ┌────────────────────────────────────────────────────────┐      ║
    ║  │                                                        │      ║
    ║  │  AWS_IAM          │  NONE                              │      ║
    ║  │  ─────────────────│──────────────────────────────      │      ║
    ║  │  Only IAM-signed  │  Anyone on internet can invoke     │      ║
    ║  │  requests (SigV4) │  (publicly accessible)             │      ║
    ║  │                   │                                    │      ║
    ║  │  Use for:         │  Use for:                          │      ║
    ║  │  • Internal svc   │  • Third-party WEBHOOKS ★          │      ║
    ║  │  • Cross-account  │  • Public callbacks                │      ║
    ║  │                   │  • Simple public APIs              │      ║
    ║  └────────────────────────────────────────────────────────┘      ║
    ║                                                                  ║
    ║  WEBHOOK PATTERN (exam favorite!):                               ║
    ║  ┌──────────────┐  HTTPS + signature   ┌──────────────────┐     ║
    ║  │  Third-Party │  in headers           │ Lambda Function  │     ║
    ║  │  Platform    │─────────────────────▶│ URL (NONE)       │     ║
    ║  │ (Stripe,     │                       │                  │     ║
    ║  │  GitHub...)  │                       │ 1. Read header   │     ║
    ║  └──────────────┘                       │ 2. Verify sig    │     ║
    ║                                         │ 3. Execute logic │     ║
    ║     ❌ Platform CANNOT sign AWS SigV4   └──────────────────┘     ║
    ║     ❌ So AWS_IAM auth WILL NOT work                             ║
    ║     ✅ Use NONE + validate signature IN Lambda code              ║
    ║                                                                  ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  Function URL vs API Gateway:                                    ║
    ║  ┌──────────────────────────┬─────────────────────────────┐     ║
    ║  │  Lambda Function URL     │  API Gateway                │     ║
    ║  ├──────────────────────────┼─────────────────────────────┤     ║
    ║  │  Free (Lambda cost only) │  Per-request charges        │     ║
    ║  │  Minimal setup           │  More setup (stages, etc.)  │     ║
    ║  │  Auth: IAM or NONE only  │  IAM, Cognito, Lambda Auth, │     ║
    ║  │                          │  API Keys                   │     ║
    ║  │  No caching              │  Built-in caching ✅        │     ║
    ║  │  No throttling/quotas    │  Usage plans + throttle ✅  │     ║
    ║  │  No WAF                  │  WAF integration ✅         │     ║
    ║  │  No request transforms   │  Mapping templates ✅       │     ║
    ║  │  No custom domain        │  Custom domains ✅          │     ║
    ║  └──────────────────────────┴─────────────────────────────┘     ║
    ║                                                                  ║
    ║  ★ "Webhook + public HTTPS + least effort" = Function URL       ║
    ║  ★ "Caching, throttling, WAF, transforms" = API Gateway         ║
    ║                                                                  ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  EXAM TRAP — Don't confuse these:                                ║
    ║  ┌────────────────────────────────────────────────────────┐      ║
    ║  │ FunctionUrlAuthType   = WHO can call the URL           │      ║
    ║  │                         (NONE = public, IAM = signed)  │      ║
    ║  │                                                        │      ║
    ║  │ CodeSigningConfig     = Trust check on DEPLOYMENT      │      ║
    ║  │                         packages (NOT HTTP requests!)  │      ║
    ║  │                                                        │      ║
    ║  │ Lambda Authorizer     = API Gateway ONLY feature       │      ║
    ║  │                         (NOT available on Function URLs)│      ║
    ║  │                                                        │      ║
    ║  │ Cognito Authorizer    = API Gateway ONLY feature       │      ║
    ║  │                         (NOT available on Function URLs)│      ║
    ║  └────────────────────────────────────────────────────────┘      ║
    ║                                                                  ║
    ║  ❌ "Function URL + AWS_IAM for third-party webhook"             ║
    ║     ✅ Third-party can't sign SigV4 → use NONE + custom check   ║
    ║                                                                  ║
    ║  ❌ "Function URL + CodeSigningConfigArn condition"               ║
    ║     ✅ CodeSigning = code packages, NOT request validation       ║
    ║                                                                  ║
    ║  ❌ "API Gateway + Lambda Authorizer for webhook"                ║
    ║     ✅ Works but NOT least effort (2 components vs 1)            ║
    ╚══════════════════════════════════════════════════════════════════╝

---

2. Amazon ECS

2.1 Task Placement Strategies — Visual

    ╔═══════════════════════════════════════════════════════════════╗
    ║                 ECS TASK PLACEMENT STRATEGIES                 ║
    ╠═══════════════════════════════════════════════════════════════╣
    ║                                                               ║
    ║  BINPACK (Cost Optimization — pack tightly)                  ║
    ║  ┌────────────────────────────────────────┐                  ║
    ║  │ Instance A        Instance B           │                  ║
    ║  │ ┌──┐┌──┐┌──┐     ┌──┐                 │                  ║
    ║  │ │T1││T2││T3│     │T4│   Instance C: ∅  │                  ║
    ║  │ └──┘└──┘└──┘     └──┘   (empty=save $) │                  ║
    ║  └────────────────────────────────────────┘                  ║
    ║  {"type":"binpack","field":"memory"}                          ║
    ║                                                               ║
    ║  SPREAD (High Availability — distribute evenly)              ║
    ║  ┌────────────────────────────────────────┐                  ║
    ║  │  AZ-a          AZ-b          AZ-c      │                  ║
    ║  │  ┌──┐┌──┐     ┌──┐┌──┐     ┌──┐┌──┐   │                  ║
    ║  │  │T1││T4│     │T2││T5│     │T3││T6│   │                  ║
    ║  │  └──┘└──┘     └──┘└──┘     └──┘└──┘   │                  ║
    ║  └────────────────────────────────────────┘                  ║
    ║  {"type":"spread","field":"attribute:ecs.availability-zone"} ║
    ║                                                               ║
    ║  ⚠ spread by instanceId = per instance (NOT per AZ!)        ║
    ║                                                               ║
    ║  RANDOM (Least Config — still honors constraints)            ║
    ║  ┌────────────────────────────────────────┐                  ║
    ║  │ Instance A  Instance B  Instance C     │                  ║
    ║  │   ┌──┐       ┌──┐┌──┐    ┌──┐         │                  ║
    ║  │   │T3│       │T1││T4│    │T2│  ¯\_(ツ) │                  ║
    ║  │   └──┘       └──┘└──┘    └──┘          │                  ║
    ║  └────────────────────────────────────────┘                  ║
    ║  {"type":"random"}                                           ║
    ╚═══════════════════════════════════════════════════════════════╝

2.2 Task Role vs Execution Role

    ┌──────────────────────────────────────────────────────────┐
    │                    ECS TASK                               │
    │                                                          │
    │  ┌──────────────────┐    ┌──────────────────────┐       │
    │  │  EXECUTION ROLE   │    │    TASK ROLE          │       │
    │  │  (infrastructure) │    │  (application logic)  │       │
    │  │                   │    │                       │       │
    │  │ • Pull images     │    │ • Call S3 APIs        │       │
    │  │   from ECR        │    │ • Write to DynamoDB   │       │
    │  │ • Push logs to    │    │ • Publish to SNS      │       │
    │  │   CloudWatch      │    │ • Any AWS service     │       │
    │  │ • Access secrets  │    │   your app needs      │       │
    │  │                   │    │                       │       │
    │  │ WHO: ECS agent    │    │ WHO: Your container   │       │
    │  └──────────────────┘    └──────────────────────┘       │
    └──────────────────────────────────────────────────────────┘

    X-Ray on ECS:
    ┌─────────────────────────────────────────┐
    │  Task Definition                        │
    │  ┌──────────┐  ┌───────────────────┐    │
    │  │ App      │  │ X-Ray Daemon      │    │
    │  │ Container│  │ (sidecar)         │    │
    │  │          │──│ UDP port 2000 !!  │    │
    │  │          │  │ NOT TCP           │    │
    │  └──────────┘  └───────────────────┘    │
    │  IAM: AWSXRayDaemonWriteAccess          │
    └─────────────────────────────────────────┘

2.3 Container Instance Lifecycle Gotcha

    Terminate in RUNNING state:
    ┌───────────────────┐     ┌────────────┐
    │ Container Instance│────▶│ AUTO       │  ✅ No action needed
    │  (RUNNING)        │     │ deregistered│
    └───────────────────┘     └────────────┘

    Terminate in STOPPED state:
    ┌───────────────────┐     ┌────────────────────────┐
    │ Container Instance│────▶│ STILL IN CLUSTER!      │  ❌ Ghost instance
    │  (STOPPED)        │     │ Must MANUALLY deregister│
    └───────────────────┘     │ via ECS Console/CLI    │
                              └────────────────────────┘

---

3. AWS Step Functions

3.1 State Types — Visual Map

    ┌─────────────────────────────────────────────────────────────┐
    │                  STEP FUNCTIONS STATE TYPES                  │
    ├─────────────────────────────────────────────────────────────┤
    │                                                             │
    │   ┌──────────┐                                              │
    │   │  START   │                                              │
    │   └────┬─────┘                                              │
    │        ▼                                                    │
    │   ┌──────────┐    Do work (Lambda, ECS, Batch, etc.)        │
    │   │   TASK   │◄── The ONLY state that runs processes        │
    │   └────┬─────┘    synchronously (one after another)         │
    │        ▼                                                    │
    │   ┌──────────┐    Branch based on input conditions          │
    │   │  CHOICE  │──▶ if/else routing                          │
    │   └──┬───┬───┘                                              │
    │      ▼   ▼                                                  │
    │   ┌──────────┐    Delay for seconds or until timestamp      │
    │   │   WAIT   │                                              │
    │   └────┬─────┘                                              │
    │        ▼                                                    │
    │   ┌──────────┐    Run branches concurrently (async)         │
    │   │ PARALLEL │──▶ Each branch independent                  │
    │   └────┬─────┘                                              │
    │        ▼                                                    │
    │   ┌──────────┐    Iterate over array items                  │
    │   │   MAP    │──▶ Dynamic parallel processing              │
    │   └────┬─────┘    ItemsPath selects the array              │
    │        ▼                                                    │
    │   ┌──────────┐    Pass-through (inject data / debug)        │
    │   │   PASS   │    Cannot do work!                          │
    │   └────┬─────┘                                              │
    │        ▼                                                    │
    │   ┌──────────┐  ┌──────────┐                                │
    │   │ SUCCEED  │  │   FAIL   │    Terminal states             │
    │   └──────────┘  └──────────┘    (no retries from Fail!)    │
    └─────────────────────────────────────────────────────────────┘

3.2 Input/Output Processing Pipeline

    This is the #1 most confusing Step Functions topic!

    Raw Input
        │
        ▼
    ┌──────────┐   Filters what part of input the state sees
    │InputPath │   e.g., "$.order" → state only sees the order object
    └────┬─────┘
         ▼
    ┌──────────┐   Reshapes input, adds static values
    │Parameters│   e.g., {"orderId.$": "$.id", "source": "web"}
    └────┬─────┘
         ▼
    ╔══════════╗
    ║  STATE   ║   Does work → produces a RESULT
    ╚════╤═════╝
         ▼
    ┌───────────┐   Filters/transforms the raw result
    │ResultSelector│
    └────┬──────┘
         ▼
    ┌──────────┐   ★ WHERE to put the result relative to input
    │ResultPath│
    └────┬─────┘   "$.taskResult" → input.taskResult = result
         │         "$"            → result REPLACES entire input
         ▼         null           → result DISCARDED, input passes through
    ┌──────────┐
    │OutputPath│   Final filter on what goes to next state
    └────┬─────┘
         ▼
    Output to Next State


    ★★★ EXAM KEY: ResultPath is the one that COMBINES input + result ★★★

3.3 Error Handling: Retry + Catch

    ┌──────────────────────────────────────────────────────────┐
    │                     TASK STATE                            │
    │                                                          │
    │  "Retry": [                         Retry FIRST          │
    │    {                                                     │
    │      "ErrorEquals": ["States.Timeout"],                  │
    │      "IntervalSeconds": 3,     ◄── wait before 1st retry │
    │      "MaxAttempts": 2,         ◄── try 2 more times      │
    │      "BackoffRate": 2.0        ◄── 3s, 6s, 12s...       │
    │    }                                                     │
    │  ]                                                       │
    │                                                          │
    │  "Catch": [                         Then CATCH           │
    │    {                                                     │
    │      "ErrorEquals": ["States.ALL"],                      │
    │      "Next": "HandleError",    ◄── fallback state        │
    │      "ResultPath": "$.error"   ◄── preserve input +      │
    │    }                                error info           │
    │  ]                                                       │
    └──────────────────────────────────────────────────────────┘

    Flow:  Error → Retry (up to MaxAttempts) → still failing → Catch → Next state
           Retry + Catch are in state machine definition, NOT application code!

---

PART 2 — STORAGE

---

4. Amazon S3

4.1 Server-Side Encryption Decision Tree

    "How should I encrypt objects in S3?"

                    ┌───────────────────────┐
                    │ Who manages the keys? │
                    └───────────┬───────────┘
                                │
              ┌─────────────────┼──────────────────┐
              ▼                 ▼                   ▼
         ┌─────────┐     ┌──────────┐        ┌──────────┐
         │  AWS S3  │     │ AWS KMS  │        │ CUSTOMER │
         │ manages  │     │ manages  │        │ provides │
         └────┬────┘     └────┬─────┘        └────┬─────┘
              ▼               ▼                    ▼
         ┌─────────┐     ┌──────────┐        ┌──────────┐
         │ SSE-S3  │     │ SSE-KMS  │        │  SSE-C   │
         └─────────┘     └──────────┘        └──────────┘

    Header:              Header:               Headers (ALL 3 required):
    x-amz-server-side-   x-amz-server-side-    x-amz-server-side-encryption-
    encryption: AES256   encryption: aws:kms      customer-algorithm: AES256
                                                x-amz-server-side-encryption-
                         Optional:                customer-key: <base64-key>
                         x-amz-server-side-     x-amz-server-side-encryption-
                         encryption-aws-kms-      customer-key-MD5: <md5>
                         key-id: <ARN>
                         (omit = default key)

    ┌─────────────────────────────────────────────────────────────┐
    │  ENFORCE encryption via bucket policy:                      │
    │  Deny s3:PutObject unless header present                    │
    │  ⚠ Action is s3:PutObject, NOT s3:PostObject               │
    └─────────────────────────────────────────────────────────────┘

4.2 SSE-KMS Throttling — Why Performance Drops

    Normal S3 uploads (SSE-S3):
    Client ──PutObject──▶ S3 ──(encrypts internally)──▶ Stored ✅ Fast!

    S3 with SSE-KMS:
    Client ──PutObject──▶ S3 ──GenerateDataKey──▶ KMS ──key──▶ S3 ──▶ Stored
                                    │
                         Counts against KMS quota!
                         (5,500 - 30,000 API ops/sec per region)

    100,000+ objects/sec uploads ──▶ EXCEEDS KMS quota ──▶ THROTTLED!

    ⚡ This is the #1 cause of SSE-KMS performance degradation
    ⚡ S3 itself does NOT throttle — it's the KMS API quota
    ⚡ Fix: Request KMS quota increase, or use SSE-S3 if KMS not required

4.3 CORS — When You Need It

    SAME ORIGIN (no CORS needed):
    ┌──────────────────┐         ┌──────────────────┐
    │ Website:         │────────▶│ Same S3 Bucket   │ ✅
    │ bucket-a.s3...   │         │ bucket-a.s3...   │
    └──────────────────┘         └──────────────────┘

    CROSS ORIGIN (CORS required!):
    ┌──────────────────┐         ┌──────────────────┐
    │ Website:         │───JS───▶│ Different S3     │ ❌ Blocked!
    │ bucket-a.s3...   │  fetch  │ bucket-b.s3...   │
    └──────────────────┘         └──────────────────┘

    Fix: Configure CORS on bucket-b:
    {
      "AllowedOrigins": ["https://bucket-a.s3..."],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"]
    }

    S3 website ──JS──▶ API Gateway (non-proxy Lambda)?
    Fix: Enable CORS on API Gateway (not S3!)

    S3 website ──JS──▶ API Gateway (Lambda proxy)?
    Fix: Return CORS headers FROM the Lambda function itself!

---

5. Amazon DynamoDB

5.1 RCU/WCU Calculation — Visual Formula

    ╔══════════════════════════════════════════════════════════════════╗
    ║                   DynamoDB CAPACITY CALCULATOR                   ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  READ CAPACITY UNITS (RCU):                                     ║
    ║  ─────────────────────────                                      ║
    ║                                                                  ║
    ║  1 RCU = 1 strongly consistent read/sec for items ≤ 4 KB       ║
    ║        = 2 eventually consistent reads/sec for items ≤ 4 KB     ║
    ║                                                                  ║
    ║  Formula:                                                        ║
    ║  ┌─────────────────────────────────────────────────────────┐    ║
    ║  │                                                         │    ║
    ║  │         reads/sec  ×  ceil(item_size / 4 KB)           │    ║
    ║  │  RCU = ──────────────────────────────────────          │    ║
    ║  │                  consistency_factor                     │    ║
    ║  │                                                         │    ║
    ║  │  Strongly Consistent:    factor = 1                    │    ║
    ║  │  Eventually Consistent:  factor = 2   ◄── HALF cost   │    ║
    ║  │  Transactional:          factor = 0.5 ◄── DOUBLE cost │    ║
    ║  └─────────────────────────────────────────────────────────┘    ║
    ║                                                                  ║
    ║  EXAMPLE: 150 eventually consistent reads/sec, item = 3.5 KB   ║
    ║  ────────                                                        ║
    ║  Item rounds up: ceil(3.5/4) = 1                                ║
    ║  RCU = 150 × 1 / 2 = 75 RCU ✅                                 ║
    ║                                                                  ║
    ║  EXAMPLE: 10 strongly consistent reads/sec, item = 6 KB        ║
    ║  ────────                                                        ║
    ║  Item rounds up: ceil(6/4) = 2                                  ║
    ║  RCU = 10 × 2 / 1 = 20 RCU ✅                                  ║
    ║                                                                  ║
    ║  WRITE CAPACITY UNITS (WCU):                                    ║
    ║  ──────────────────────────                                      ║
    ║  1 WCU = 1 write/sec for items ≤ 1 KB                          ║
    ║                                                                  ║
    ║  ┌─────────────────────────────────────────────────────────┐    ║
    ║  │  WCU = writes/sec  ×  ceil(item_size / 1 KB)          │    ║
    ║  │  Transactional: multiply by 2                          │    ║
    ║  └─────────────────────────────────────────────────────────┘    ║
    ╚══════════════════════════════════════════════════════════════════╝

5.2 GSI vs LSI — Side by Side

    ┌───────────────────────────┬─────────────────────────────┐
    │     LOCAL SECONDARY       │     GLOBAL SECONDARY        │
    │     INDEX (LSI)           │     INDEX (GSI)             │
    ├───────────────────────────┼─────────────────────────────┤
    │                           │                             │
    │  SAME partition key       │  DIFFERENT partition key    │
    │  DIFFERENT sort key       │  DIFFERENT sort key         │
    │                           │                             │
    │  Created at TABLE         │  Created ANYTIME            │
    │  CREATION only ⚠         │                             │
    │                           │                             │
    │  Shares TABLE's           │  Has OWN provisioned        │
    │  read/write capacity      │  read/write capacity        │
    │                           │  ⚠ GSI WCU must be ≥       │
    │                           │    base table WCU!          │
    │                           │                             │
    │  Strong OR Eventually     │  EVENTUALLY consistent      │
    │  consistent               │  ONLY                       │
    │                           │                             │
    │  Max: 5 per table         │  Max: 20 per table          │
    │  10 GB per partition key  │  No size limit              │
    │                           │                             │
    │  Use when you need a      │  Use when you need to       │
    │  different sort order on  │  query by a completely      │
    │  same partition key       │  different attribute        │
    └───────────────────────────┴─────────────────────────────┘

    ⚡ ProvisionedThroughputExceededException on writes?
       → Check if GSI write capacity < base table write capacity!

5.3 DynamoDB Streams + Lambda Architecture

    ┌──────────────┐     ┌──────────────────────┐     ┌───────────────┐
    │  DynamoDB    │     │   DynamoDB Stream     │     │    Lambda     │
    │  Table       │────▶│                       │◀────│   Function    │
    │              │     │  ┌──┐┌──┐┌──┐┌──┐    │poll │               │
    │  INSERT ─────│────▶│  │R1││R2││R3││R4│    │────▶│  Process      │
    │  UPDATE ─────│────▶│  └──┘└──┘└──┘└──┘    │     │  changes      │
    │  DELETE ─────│────▶│                       │     │               │
    │              │     │  24-hour retention ⚠  │     │  IAM Role:    │
    └──────────────┘     │                       │     │  AWSLambda    │
                         │  StreamViewType:      │     │  DynamoDB     │
                         │  • KEYS_ONLY          │     │  ExecutionRole│
                         │  • NEW_IMAGE          │     └───────────────┘
                         │  • OLD_IMAGE          │
                         │  • NEW_AND_OLD_IMAGES  │
                         └──────────────────────┘

    ⚠ If Lambda runs less than once per 24h → DATA LOSS (records expire!)
    ⚠ Lambda polls synchronously (event source mapping)
    ⚠ Create event source mapping, not SNS subscription

5.4 Query vs Scan — Visual

    TABLE: Users
    ┌──────────┬──────────┬────────┬──────────┐
    │  PK      │  SK      │ Name   │ Status   │
    │ (userId) │ (date)   │        │          │
    ├──────────┼──────────┼────────┼──────────┤
    │ U001     │ 2026-01  │ Alice  │ active   │  ◄── QUERY finds this
    │ U001     │ 2026-02  │ Alice  │ active   │  ◄── instantly with PK
    │ U002     │ 2026-01  │ Bob    │ inactive │
    │ U003     │ 2026-01  │ Carol  │ active   │
    │ U003     │ 2026-02  │ Carol  │ active   │
    │ ...      │ ...      │ ...    │ ...      │  ◄── 1 million rows
    └──────────┴──────────┴────────┴──────────┘

    QUERY (PK = "U001"):           SCAN (no filter):
    • Reads 2 items ✅             • Reads ALL 1M items ❌
    • Fast, efficient              • Slow, expensive
    • Uses partition key           • Full table read
    • Returns matching items       • Filter applied AFTER read

    ⚡ ALWAYS use Query when you know the partition key
    ⚡ To optimize Scan: use parallel scan with rate limiting
    ⚡ Reduce page size (Limit parameter) to lower impact

5.5 DAX vs ElastiCache

    ┌───────────────────────────────────────────────────────────────┐
    │            When to use DAX vs ElastiCache?                    │
    ├───────────────────────────────────────────────────────────────┤
    │                                                               │
    │  DAX (DynamoDB Accelerator)                                  │
    │  ┌──────────────────────────────────────┐                    │
    │  │ • Sits IN FRONT of DynamoDB          │                    │
    │  │ • Drop-in replacement (same API)     │                    │
    │  │ • Microsecond reads                  │                    │
    │  │ • Eventually consistent ONLY         │                    │
    │  │ • Best for: read-heavy DynamoDB      │                    │
    │  │   workloads with hot keys            │                    │
    │  └──────────────────────────────────────┘                    │
    │     App ──▶ DAX ──(cache miss)──▶ DynamoDB                   │
    │                                                               │
    │  ElastiCache (Redis/Memcached)                               │
    │  ┌──────────────────────────────────────┐                    │
    │  │ • General-purpose cache              │                    │
    │  │ • Your app manages cache logic       │                    │
    │  │ • Supports complex data types        │                    │
    │  │ • Can cache aggregated/computed data  │                    │
    │  │ • Best for: computed results,        │                    │
    │  │   session data, multi-source caching │                    │
    │  └──────────────────────────────────────┘                    │
    │     App ──▶ ElastiCache ──(cache miss)──▶ compute/query      │
    └───────────────────────────────────────────────────────────────┘

5.6 Transactions vs Batch Operations

    TransactWriteItems (all-or-nothing):
    ┌─────────────────────────────────────────┐
    │  Put item A  ─┐                         │
    │  Update B     ├──▶ ALL succeed or NONE  │  ATOMIC ✅
    │  Delete C     │                          │  Supports UpdateItem ✅
    │  Check D     ─┘    (up to 25 actions)   │  2x WCU cost
    └─────────────────────────────────────────┘

    BatchWriteItem (best-effort):
    ┌─────────────────────────────────────────┐
    │  Put item A  ──▶ Success               │
    │  Put item B  ──▶ FAIL (in Unprocessed) │  NOT atomic ❌
    │  Delete C    ──▶ Success               │  NO UpdateItem ❌
    │                  (up to 25 items)       │  Lower cost
    └─────────────────────────────────────────┘

    ╔═══════════════════════════════════════════════════════════════╗
    ║  BATCH OPERATIONS — UnprocessedKeys/Items (exam favorite!)   ║
    ╠═══════════════════════════════════════════════════════════════╣
    ║                                                               ║
    ║  BatchGetItem returns PARTIAL results when:                  ║
    ║  • Response exceeds 16 MB limit                              ║
    ║  • Provisioned throughput exceeded                           ║
    ║  • > 1 MB per partition requested                            ║
    ║  • Internal processing failure                               ║
    ║                                                               ║
    ║  Unread items returned in: UnprocessedKeys                   ║
    ║  (BatchWriteItem uses: UnprocessedItems)                     ║
    ║                                                               ║
    ║  HOW TO HANDLE:                                              ║
    ║  ┌──────────────────────────────────────────────────┐        ║
    ║  │  ✅ Exponential backoff + jitter (random delay)  │        ║
    ║  │     wait = base * 2^attempt + random(0, base)    │        ║
    ║  │     Reduces call frequency, avoids thundering    │        ║
    ║  │     herd, gives server time to recover           │        ║
    ║  │                                                  │        ║
    ║  │  ✅ Use AWS SDK (has built-in retry logic!)      │        ║
    ║  │     SDK automatically retries with backoff       │        ║
    ║  │     No custom retry code needed                  │        ║
    ║  └──────────────────────────────────────────────────┘        ║
    ║                                                               ║
    ║  WRONG APPROACHES:                                           ║
    ║  ┌──────────────────────────────────────────────────┐        ║
    ║  │  ❌ Immediately retry → still throttled, fails   │        ║
    ║  │  ❌ Increase RCUs → partial results still happen │        ║
    ║  │     due to 16 MB size limit (not just throughput)│        ║
    ║  │  ❌ Create GSI → doesn't change batch behavior   │        ║
    ║  └──────────────────────────────────────────────────┘        ║
    ║                                                               ║
    ║  LIMITS:                                                     ║
    ║  BatchGetItem:   100 items, 16 MB max                        ║
    ║  BatchWriteItem: 25 items,  16 MB max                        ║
    ║  Transactions:   100 items, 4 MB max (all-or-nothing)        ║
    ╚═══════════════════════════════════════════════════════════════╝

---

PART 3 — API & INTEGRATION

---

6. Amazon API Gateway

6.1 Integration Types

    ┌─────────────────────────────────────────────────────────────────┐
    │             API GATEWAY INTEGRATION TYPES                       │
    ├─────────────────────────────────────────────────────────────────┤
    │                                                                 │
    │  LAMBDA PROXY (most common)                                    │
    │  ┌──────────────────────────────────────────────┐              │
    │  │  Client ──▶ API GW ──raw request──▶ Lambda   │              │
    │  │                                      │        │              │
    │  │  Lambda MUST return:                 ▼        │              │
    │  │  {                                            │              │
    │  │    "statusCode": 200,                         │              │
    │  │    "headers": {...},       ◄── wrong format   │              │
    │  │    "body": "..."               = 502 error!   │              │
    │  │  }                                            │              │
    │  └──────────────────────────────────────────────┘              │
    │                                                                 │
    │  LAMBDA CUSTOM (mapping templates)                             │
    │  ┌──────────────────────────────────────────────┐              │
    │  │  Client ──▶ API GW ──transformed──▶ Lambda   │              │
    │  │               │                               │              │
    │  │        Mapping Template               Mapping │              │
    │  │        (request transform)           Template │              │
    │  │                                (response)     │              │
    │  │  ★ Use for SOAP→REST, XML→JSON transforms    │              │
    │  │  ★ CORS configured in API GW console          │              │
    │  └──────────────────────────────────────────────┘              │
    └─────────────────────────────────────────────────────────────────┘

6.2 Error Codes — What They Mean

    ┌──────────────────────────────────────────────────────────────┐
    │                API GATEWAY ERROR DECODER                     │
    ├──────────────────────────────────────────────────────────────┤
    │                                                              │
    │  Client ──request──▶ API Gateway ──▶ Lambda / Backend       │
    │                          │                                   │
    │    4xx = CLIENT error    │    5xx = SERVER error             │
    │                          │                                   │
    │  ┌────────────────────────────────────────────────────────┐  │
    │  │  400  Bad Request    │ Malformed request               │  │
    │  │  403  Forbidden      │ WAF filtered / IAM denied       │  │
    │  │  429  Too Many Reqs  │ Throttled (usage plan/account)  │  │
    │  ├──────────────────────┼─────────────────────────────────┤  │
    │  │  502  Bad Gateway    │ Lambda returned WRONG format    │  │
    │  │                      │ (not JSON proxy response)       │  │
    │  │  503  Unavailable    │ Service temporarily unavailable │  │
    │  │  504  Gateway Timeout│ Backend > 29 second timeout     │  │
    │  └──────────────────────┴─────────────────────────────────┘  │
    │                                                              │
    │  ★ 502 = fix Lambda response format                         │
    │  ★ 504 = reduce Lambda execution time or increase timeout   │
    │  ★ All endpoints are HTTPS ONLY (no HTTP support!)          │
    └──────────────────────────────────────────────────────────────┘

6.3 Caching & Invalidation

    ┌─────────────────────────────────────────────────────────────┐
    │               API GATEWAY CACHING                           │
    │                                                             │
    │  Client ──GET /items──▶ [CACHE] ──HIT──▶ Cached Response   │
    │                            │                                │
    │                          MISS                               │
    │                            │                                │
    │                            ▼                                │
    │                     Lambda/Backend                          │
    │                            │                                │
    │                       Response stored in cache              │
    │                       (TTL: 300s default, max 3600s)        │
    │                                                             │
    │  INVALIDATE CACHE:                                          │
    │  ┌──────────────────────────────────────────────────────┐   │
    │  │  Header: Cache-Control: max-age=0                    │   │
    │  │  ⚠ NOT "Cache-Control: no-cache"                     │   │
    │  │                                                      │   │
    │  │  Requires IAM permission:                            │   │
    │  │    execute-api:InvalidateCache                       │   │
    │  └──────────────────────────────────────────────────────┘   │
    │                                                             │
    │  Metrics (only visible when caching ENABLED):              │
    │  • CacheHitCount                                           │
    │  • CacheMissCount                                          │
    └─────────────────────────────────────────────────────────────┘

6.4 Authentication Decision Tree

    "How should I authenticate API Gateway?"

    ┌──────────────────────────────────┐
    │ What kind of caller?             │
    └──────────────┬───────────────────┘
                   │
       ┌───────────┼────────────┬────────────────┐
       ▼           ▼            ▼                ▼
    IAM user/   Bearer       Headers +        Cognito
    role?       token?       query params?     users?
       │           │            │                │
       ▼           ▼            ▼                ▼
    AWS_IAM     Lambda       Lambda           Cognito
    + Resource  Authorizer   Authorizer       User Pool
    Policy      (TOKEN)      (REQUEST)        Authorizer
    (for cross-
    account)

    ⚠ API Keys = IDENTIFICATION only, NOT authorization!
    ⚠ Usage Plans + API Keys = throttling + quotas + monetization

6.5 Stages & Stage Variables

    ┌─────────────────────────────────────────────────────────────┐
    │                   API GATEWAY STAGES                        │
    │                                                             │
    │  Same API, different stages:                                │
    │                                                             │
    │  /prod ──stage var: fn=AccountService:v1──▶ Lambda v1      │
    │                                                             │
    │  /beta ──stage var: fn=AccountService:v2──▶ Lambda v2      │
    │                                                             │
    │  ★ Internal team tests on /beta                             │
    │  ★ Users continue on /prod                                  │
    │  ★ Promote by updating stage variable                       │
    │                                                             │
    │  URLs:                                                      │
    │  https://{id}.execute-api.{region}.amazonaws.com/prod/      │
    │  https://{id}.execute-api.{region}.amazonaws.com/beta/      │
    └─────────────────────────────────────────────────────────────┘

---

7. Amazon SQS

7.1 Message Lifecycle — Visual

    ┌─────────────────────────────────────────────────────────────────┐
    │                   SQS MESSAGE LIFECYCLE                         │
    │                                                                 │
    │  Producer                Queue               Consumer           │
    │  ────────                ─────               ────────           │
    │                                                                 │
    │  SendMessage ──▶  [msg visible in queue]                       │
    │                        │                                        │
    │                   ReceiveMessage ────────────▶ Consumer gets msg │
    │                        │                           │            │
    │                   ┌────┴──────────────┐            │            │
    │                   │ VISIBILITY TIMEOUT │      Processing...     │
    │                   │ (default: 30s)     │            │            │
    │                   │ msg INVISIBLE      │            │            │
    │                   │ to other consumers │            │            │
    │                   └────┬──────────────┘            │            │
    │                        │                           │            │
    │              ┌─────────┴──────────┐    ┌──────────┴───────┐    │
    │              │ Timeout EXPIRES    │    │ DeleteMessage     │    │
    │              │ before delete?     │    │ (success!)        │    │
    │              │                    │    │ msg removed ✅    │    │
    │              │ msg becomes        │    └──────────────────┘    │
    │              │ VISIBLE AGAIN ⚠   │                             │
    │              │ = duplicate!       │                             │
    │              └────────────────────┘                             │
    │                                                                 │
    │  ★ Set visibility timeout ≥ max processing time                │
    │  ★ For Lambda: visibility timeout ≥ 6x Lambda timeout          │
    │                                                                 │
    │  After N failed attempts ──▶ Dead Letter Queue (DLQ)           │
    └─────────────────────────────────────────────────────────────────┘

7.2 Standard vs FIFO

    ┌─────────────────────────┬─────────────────────────────┐
    │   STANDARD              │   FIFO                      │
    ├─────────────────────────┼─────────────────────────────┤
    │  Unlimited throughput   │  300 TPS (3,000 w/ batch)   │
    │  At-least-once          │  Exactly-once               │
    │  Best-effort ordering   │  Strict FIFO ordering       │
    │  No deduplication       │  Content-based OR           │
    │                         │  MessageDeduplicationId     │
    │                         │  (5-min dedup interval)     │
    │  Queue name: anything   │  Queue name MUST end        │
    │                         │  with .fifo                 │
    ├─────────────────────────┼─────────────────────────────┤
    │  Use for:               │  Use for:                   │
    │  • High throughput      │  • Financial transactions   │
    │  • Duplicates OK        │  • Order matters            │
    │  • Simple decoupling    │  • No duplicates            │
    └─────────────────────────┴─────────────────────────────┘

---

8. Amazon Kinesis Data Streams

8.1 Resharding — Visual

    SPLIT SHARD (increase capacity → costs more)
    ┌────────────────┐        ┌────────────┐
    │   Hot Shard    │ ──────▶│  Child A   │  More throughput
    │  (overloaded)  │        ├────────────┤
    │                │ ──────▶│  Child B   │
    └────────────────┘        └────────────┘

    MERGE SHARDS (decrease capacity → save money)
    ┌────────────────┐
    │  Cold Shard A  │ ──┐    ┌────────────┐
    │ (underused)    │   ├───▶│  Merged    │  Less cost
    ├────────────────┤   │    │  Shard     │
    │  Cold Shard B  │ ──┘    └────────────┘
    │ (underused)    │
    └────────────────┘

    ⚡ Split HOT shards, Merge COLD shards
    ⚡ Default retention: 24 hours (max 365 days)
    ⚡ PutRecord + SequenceNumberForOrdering = strict order
    ⚡ PutRecords (batch) does NOT guarantee order

---

PART 4 — SECURITY & IDENTITY

---

9. AWS KMS — Envelope Encryption

9.1 The Full Flow (Most Tested Topic!)

    ╔═══════════════════════════════════════════════════════════════════╗
    ║                    ENVELOPE ENCRYPTION                            ║
    ╠═══════════════════════════════════════════════════════════════════╣
    ║                                                                   ║
    ║  ENCRYPT:                                                        ║
    ║  ────────                                                        ║
    ║                                                                   ║
    ║  Step 1: Call GenerateDataKey API                                ║
    ║  ┌──────────┐                    ┌──────────────────────────┐    ║
    ║  │  Your    │──GenerateDataKey──▶│       AWS KMS            │    ║
    ║  │  App     │                    │                          │    ║
    ║  │          │◀─────────────────  │  Returns TWO things:     │    ║
    ║  │          │  ┌──────────────┐  │  1. Plaintext data key   │    ║
    ║  │          │  │ Plaintext    │  │  2. Encrypted data key   │    ║
    ║  │          │  │ Data Key  🔑 │  │     (encrypted with CMK) │    ║
    ║  │          │  ├──────────────┤  └──────────────────────────┘    ║
    ║  │          │  │ Encrypted   │                                   ║
    ║  │          │  │ Data Key 🔒 │                                   ║
    ║  │          │  └──────────────┘                                   ║
    ║  └──────────┘                                                     ║
    ║                                                                   ║
    ║  Step 2: Encrypt your data with PLAINTEXT key                    ║
    ║  ┌─────────────┐    🔑     ┌──────────────────┐                 ║
    ║  │ Your Data   │──encrypt──▶│ Encrypted Data   │                 ║
    ║  │ (plaintext) │           │ (ciphertext)      │                 ║
    ║  └─────────────┘           └──────────────────┘                 ║
    ║                                                                   ║
    ║  Step 3: ★★★ ERASE plaintext key from memory! ★★★              ║
    ║          (This is the critical security step)                    ║
    ║                                                                   ║
    ║  Step 4: Store together:                                         ║
    ║  ┌──────────────────────────────────────┐                       ║
    ║  │  Encrypted Data  +  Encrypted Key 🔒 │  → S3, disk, etc.    ║
    ║  └──────────────────────────────────────┘                       ║
    ║                                                                   ║
    ║                                                                   ║
    ║  DECRYPT:                                                        ║
    ║  ────────                                                        ║
    ║                                                                   ║
    ║  Step 1: Send encrypted data key to KMS                         ║
    ║  ┌──────────┐                    ┌──────────────────────────┐    ║
    ║  │  Your    │──Decrypt API──────▶│       AWS KMS            │    ║
    ║  │  App     │  (encrypted key🔒) │                          │    ║
    ║  │          │◀─────────────────  │  Returns:                │    ║
    ║  │          │  Plaintext key 🔑  │  Plaintext data key      │    ║
    ║  └──────────┘                    └──────────────────────────┘    ║
    ║                                                                   ║
    ║  Step 2: Decrypt your data with plaintext key                    ║
    ║  ┌──────────────────┐   🔑    ┌─────────────┐                   ║
    ║  │ Encrypted Data   │──decrypt─▶│ Your Data   │                  ║
    ║  └──────────────────┘          └─────────────┘                   ║
    ║                                                                   ║
    ║  Step 3: ★★★ ERASE plaintext key from memory! ★★★              ║
    ║                                                                   ║
    ╠═══════════════════════════════════════════════════════════════════╣
    ║  ⚠ KMS can only directly encrypt ≤ 4 KB                        ║
    ║  ⚠ For larger data → MUST use envelope encryption               ║
    ║  ⚠ NEVER encrypt with the ciphertext key                        ║
    ║  ⚠ ERASE the plaintext key, NOT the encrypted key               ║
    ╚═══════════════════════════════════════════════════════════════════╝

9.2 KMS vs CloudHSM

    ┌──────────────────────────┬──────────────────────────┐
    │       AWS KMS            │     AWS CloudHSM         │
    ├──────────────────────────┼──────────────────────────┤
    │ Multi-tenant HSMs        │ Single-tenant HSMs       │
    │ AWS manages HSMs         │ YOU manage HSMs          │
    │ Symmetric + Asymmetric   │ Full control of keys     │
    │ FIPS 140-2 Level 2      │ FIPS 140-2 Level 3 ★    │
    │ Integrated with 100+    │ Custom key store for KMS │
    │ AWS services             │                          │
    │                          │ Use for:                 │
    │ Use for: most cases     │ • Regulatory compliance  │
    │                          │ • RSA key generation     │
    │                          │ • Exclusive HSM control  │
    └──────────────────────────┴──────────────────────────┘

---

10. Amazon Cognito

10.1 User Pools vs Identity Pools — The Big Picture

    ╔══════════════════════════════════════════════════════════════════╗
    ║                    COGNITO ARCHITECTURE                          ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║   ┌─────────────────────────────────────────────────────────┐   ║
    ║   │                  USER POOL                               │   ║
    ║   │              (Authentication)                            │   ║
    ║   │                                                          │   ║
    ║   │   User ──sign up/sign in──▶ User Pool                   │   ║
    ║   │                               │                          │   ║
    ║   │                          Returns:                        │   ║
    ║   │                          • ID Token (user identity)      │   ║
    ║   │                          • Access Token (API access)     │   ║
    ║   │                          • Refresh Token                 │   ║
    ║   │                                                          │   ║
    ║   │   Features:                                              │   ║
    ║   │   • User directory (username/password)                   │   ║
    ║   │   • Social login (Google, Facebook, Apple)               │   ║
    ║   │   • MFA, adaptive authentication                         │   ║
    ║   │   • Hosted UI (customizable with logo)                   │   ║
    ║   │   • ❌ Cannot grant AWS service credentials              │   ║
    ║   └───────────────────────────┬─────────────────────────────┘   ║
    ║                               │                                  ║
    ║                          Token passed to                         ║
    ║                               │                                  ║
    ║                               ▼                                  ║
    ║   ┌─────────────────────────────────────────────────────────┐   ║
    ║   │              IDENTITY POOL                               │   ║
    ║   │            (Authorization)                               │   ║
    ║   │                                                          │   ║
    ║   │   Token ──▶ Identity Pool ──▶ STS ──▶ Temp AWS Creds   │   ║
    ║   │                                                          │   ║
    ║   │   Features:                                              │   ║
    ║   │   • Exchanges tokens for AWS credentials                 │   ║
    ║   │   • ✅ Unauthenticated (guest) access                   │   ║
    ║   │   • ✅ Federated (Google, Facebook, SAML, OIDC)         │   ║
    ║   │   • ✅ Developer-authenticated identities                │   ║
    ║   │   • Maps to IAM roles (auth vs unauth)                  │   ║
    ║   │   • Returns Cognito ID for unique user identification   │   ║
    ║   └─────────────────────────────────────────────────────────┘   ║
    ║                                                                  ║
    ║   EXTERNAL IdP + IDENTITY POOL (mobile app federation):         ║
    ║   ┌───────────┐ OAuth/OIDC  ┌──────────────┐  returns          ║
    ║   │  Identity │   token     │   Identity   │  COGNITO ID       ║
    ║   │  Provider │────────────▶│   Pool       │───────────▶       ║
    ║   │ (Google,  │             │              │  (unique user ID)  ║
    ║   │  Facebook │             └──────────────┘       │            ║
    ║   │  SAML...) │                                    ▼            ║
    ║   └───────────┘                        GetCredentialsForIdentity║
    ║                                                    │            ║
    ║                                        Temp AWS Credentials     ║
    ║                                        (S3, DynamoDB, SNS...)   ║
    ║                                                                  ║
    ║   ★ "What is returned?" → COGNITO ID (not key pair/SDK/API)    ║
    ║   ★ Cognito ID = unique identifier across all IdPs             ║
    ║   ★ Cognito Key Pair, Cognito SDK, Cognito API = distractors!  ║
    ║                                                                  ║
    ║   COGNITO SYNC: Cross-device data sync (key-value)              ║
    ║   • Max 1 MB/dataset, 20 datasets/identity                      ║
    ║   • Push sync for notifications                                  ║
    ║   • ≠ AppSync (multi-user real-time collaboration)              ║
    ╚══════════════════════════════════════════════════════════════════╝

    EXAM CHEAT:
    ┌────────────────────────────────────────────────────────────┐
    │  "User sign-up / sign-in"          → User Pool            │
    │  "Temporary AWS credentials"       → Identity Pool        │
    │  "Guest / unauthenticated access"  → Identity Pool        │
    │  "Social login + access S3"        → User Pool + Id Pool  │
    │  "API Gateway authorizer"          → User Pool (NOT IdP!) │
    │  "Cross-device sync (single user)" → Cognito Sync         │
    │  "Multi-user real-time shared"     → AppSync              │
    └────────────────────────────────────────────────────────────┘

10.2 User Pool vs Identity Pool for API Gateway — Deep Dive

    ╔══════════════════════════════════════════════════════════════════╗
    ║     ★★★ #1 EXAM TRAP: User Pool vs Identity Pool ★★★          ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  FLOW 1: User Pool + API Gateway  (MOST COMMON EXAM PATTERN)   ║
    ║  ────────────────────────────────────────────────────────────    ║
    ║                                                                  ║
    ║   User ──sign in──▶ User Pool ──JWT──▶ Browser/App             ║
    ║                                           │                      ║
    ║                                    stores JWT in                 ║
    ║                                    localStorage                  ║
    ║                                           │                      ║
    ║                               Authorization: <JWT>               ║
    ║                                           │                      ║
    ║                                           ▼                      ║
    ║                    ┌──────────────────────────────────┐          ║
    ║                    │        API GATEWAY               │          ║
    ║                    │  ┌────────────────────────────┐  │          ║
    ║                    │  │ COGNITO USER POOL          │  │          ║
    ║                    │  │ AUTHORIZER                 │  │          ║
    ║                    │  │                            │  │          ║
    ║                    │  │ • Validates JWT natively   │  │          ║
    ║                    │  │ • NO Lambda needed!        │  │          ║
    ║                    │  │ • Token source: header name│  │          ║
    ║                    │  │   (e.g., "Authorization")  │  │          ║
    ║                    │  │ • Uses User Pool ID        │  │          ║
    ║                    │  └────────────────────────────┘  │          ║
    ║                    └──────────────────────────────────┘          ║
    ║                                                                  ║
    ║  Steps:                                                          ║
    ║  1. Create Cognito User Pool                                     ║
    ║  2. Create authorizer in API GW using User Pool ID               ║
    ║  3. Set header name (token source) pointing to User Pool         ║
    ║  ❌ Identity Pool is NOT needed for this flow!                   ║
    ║                                                                  ║
    ║  ────────────────────────────────────────────────────────────    ║
    ║                                                                  ║
    ║  FLOW 2: Identity Pool + Direct AWS Access (DIFFERENT USE CASE) ║
    ║  ────────────────────────────────────────────────────────────    ║
    ║                                                                  ║
    ║   User ──sign in──▶ User Pool ──JWT──▶ Identity Pool            ║
    ║                                           │                      ║
    ║                                    exchanges JWT for             ║
    ║                                    temp AWS credentials          ║
    ║                                    (via STS AssumeRole)          ║
    ║                                           │                      ║
    ║                                           ▼                      ║
    ║                              ┌──────────────────────┐            ║
    ║                              │ AWS Services DIRECTLY │            ║
    ║                              │ • S3.putObject()      │            ║
    ║                              │ • DynamoDB.getItem()  │            ║
    ║                              │ • SNS.publish()       │            ║
    ║                              └──────────────────────┘            ║
    ║                                                                  ║
    ║  ⚠ Identity Pool does NOT have a native API GW authorizer!      ║
    ║  ⚠ If you MUST use Identity Pool tokens with API GW:            ║
    ║    → Use a Lambda Authorizer (not Cognito Authorizer)            ║
    ║    → But this is rarely the correct exam answer                  ║
    ║                                                                  ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  EXAM DECISION MATRIX:                                           ║
    ║  ┌──────────────────────────────────┬────────────────────────┐   ║
    ║  │  Question Pattern                │  Answer                │   ║
    ║  ├──────────────────────────────────┼────────────────────────┤   ║
    ║  │  JWT authorizer for API Gateway  │  User Pool             │   ║
    ║  │  React/JS app + JWT + API GW     │  User Pool             │   ║
    ║  │  Token source header for API GW  │  User Pool authorizer  │   ║
    ║  │  Cognito authorizer in API GW    │  Uses User Pool ID     │   ║
    ║  │  App calls S3/DDB from browser   │  Identity Pool         │   ║
    ║  │  Guest access to AWS resources   │  Identity Pool         │   ║
    ║  │  Federated access to AWS APIs    │  Identity Pool         │   ║
    ║  │  Identity Pool + API Gateway?    │  Lambda Authorizer     │   ║
    ║  └──────────────────────────────────┴────────────────────────┘   ║
    ║                                                                  ║
    ║  ★ "Header token source" + "API Gateway" = ALWAYS User Pool     ║
    ║  ★ "Temporary AWS credentials" = ALWAYS Identity Pool            ║
    ║  ★ Identity Pool has NO native API Gateway integration           ║
    ╚══════════════════════════════════════════════════════════════════╝

---

11. IAM — Key Patterns

11.1 STS API Quick Reference

    ┌────────────────────────────────┬──────────────────────────────┐
    │  STS API                       │  When to Use                 │
    ├────────────────────────────────┼──────────────────────────────┤
    │  AssumeRole                    │  Cross-account, role switch  │
    │  AssumeRoleWithWebIdentity     │  OIDC federation (Google..)  │
    │  AssumeRoleWithSAML            │  SAML 2.0 (Active Directory) │
    │  GetSessionToken               │  MFA-protected API calls ★  │
    │  GetFederationToken            │  Proxy apps for temp creds   │
    │  DecodeAuthorizationMessage    │  Decode UnauthorizedOp error │
    └────────────────────────────────┴──────────────────────────────┘

    ★ GetSessionToken is the ONLY one that supports MFA!

    Custom Identity Broker (non-SAML LDAP):
    ┌──────────┐       ┌───────────┐       ┌──────┐
    │  User    │──────▶│  Broker   │──────▶│ STS  │──▶ Temp Creds
    │ (LDAP)   │ auth  │ (your app)│ assume│      │
    └──────────┘       └───────────┘  role └──────┘

11.2 Cross-Account Access Pattern

    ┌──────────────────────┐           ┌──────────────────────┐
    │  PRODUCTION ACCOUNT  │           │ DEVELOPMENT ACCOUNT  │
    │                      │           │                      │
    │  1. Create IAM Role  │           │  3. Create IAM Policy│
    │     Trust: Dev Acct  │           │     Allow: sts:      │
    │                      │           │     AssumeRole       │
    │  2. Attach S3 access │           │     on Prod Role ARN │
    │     policy to Role   │           │                      │
    │                      │           │  4. Attach to Dev    │
    │  S3 Bucket ──────────│◀──────────│     IAM Users        │
    └──────────────────────┘  assumes  └──────────────────────┘
                               role
    ⚠ Role created in account WITH the resource (Production)
    ⚠ STS policy created in account NEEDING access (Development)

---

PART 5 — DEPLOYMENT & CI/CD

---

12. AWS CodeDeploy

12.1 Deployment Types by Platform

    ┌──────────────────────────────────────────────────────────────────┐
    │                  CODEDEPLOY DEPLOYMENT MATRIX                    │
    ├──────────────┬──────────────┬──────────────┬────────────────────┤
    │  Platform    │  In-Place    │  Blue/Green  │  Agent Required?   │
    ├──────────────┼──────────────┼──────────────┼────────────────────┤
    │  EC2         │     ✅       │     ✅       │  ✅ YES (required) │
    │  On-Premises │     ✅       │     ❌       │  ✅ YES (required) │
    │  Lambda      │     ❌       │  ✅ (always) │  ❌ NO             │
    │  ECS         │     ❌       │  ✅ (always) │  ❌ NO             │
    └──────────────┴──────────────┴──────────────┴────────────────────┘

    ★ CodeDeploy Agent:
    ┌──────────────────────────────────────────────────────────────────┐
    │  • Must be installed & running on EC2 / On-Premises instances   │
    │  • Agent polls CodeDeploy for deployment instructions           │
    │  • Can be installed via SSM Run Command (at scale)              │
    │  • NOT needed for Lambda or ECS (managed by AWS)                │
    │  • DownloadBundle error? → Check agent is running +             │
    │    instance role has S3 permissions                             │
    └──────────────────────────────────────────────────────────────────┘

    EC2/On-Prem Lifecycle Hooks:
    ┌──────────────────────────────────────────────────────────────────┐
    │  #  Hook              │  Managed By     │  Scriptable in AppSpec │
    │  ────────────────────────────────────────────────────────────── │
    │  1  ApplicationStop   │  User (AppSpec)  │  ✅ YES               │
    │  2  DownloadBundle    │  AGENT ONLY ★    │  ❌ NO — never!       │
    │  3  BeforeInstall     │  User (AppSpec)  │  ✅ YES               │
    │  4  Install           │  AGENT ONLY ★    │  ❌ NO — never!       │
    │  5  AfterInstall      │  User (AppSpec)  │  ✅ YES               │
    │  6  ApplicationStart  │  User (AppSpec)  │  ✅ YES               │
    │  7  ValidateService   │  User (AppSpec)  │  ✅ YES               │
    │                                                                  │
    │  ★ DownloadBundle + Install are AGENT-MANAGED:                  │
    │    You CANNOT configure or write scripts for them in AppSpec!   │
    │    Any answer saying "configure DownloadBundle in AppSpec" = ❌ │
    └──────────────────────────────────────────────────────────────────┘

    DownloadBundle Failures:
    ┌──────────────────────────────────────────────────────────────────┐
    │  "UnknownError: not opened for reading"                         │
    │  ────────────────────────────────────────                        │
    │  Root cause: EC2 instance IAM profile lacks S3 read permissions │
    │  Fix: Add s3:Get*, s3:List* to the instance profile/role       │
    │                                                                  │
    │  Exam traps (all WRONG answers for this error):                 │
    │  ❌ "S3 versioning not enabled" → NOT required for CodeDeploy  │
    │  ❌ "Not supported in this region" → Works in ALL regions      │
    │  ❌ "Wrong AppSpec config for DownloadBundle"                    │
    │     → DownloadBundle is AGENT-MANAGED, not in AppSpec!         │
    │                                                                  │
    │  ✅ CORRECT: Instance IAM profile missing S3 permissions        │
    └──────────────────────────────────────────────────────────────────┘

12.2 Traffic Shifting (Lambda / ECS)

    CANARY (two increments):
    ────────────────────────────────────────
    Time 0:    ██░░░░░░░░  10% → new version
    Time +5m:  ██████████  100% → new version (if healthy)

    LINEAR (equal increments):
    ────────────────────────────────────────
    Time 0:    ██░░░░░░░░  10%
    Time +10m: ████░░░░░░  20%
    Time +20m: ██████░░░░  30%
    ...gradually until 100%

    ALL-AT-ONCE:
    ────────────────────────────────────────
    Time 0:    ██████████  100% immediately

    Automatic Rollback:
    ┌───────────────────────────────────────────┐
    │ Deployment fails → CodeDeploy redeploys   │
    │ last known good version with NEW          │
    │ deployment ID (not restored old one)      │
    └───────────────────────────────────────────┘

12.3 Manual Approval (CodePipeline)

    ┌──────────────────────────────────────────────────────────────────┐
    │               CODEPIPELINE MANUAL APPROVAL                      │
    │                                                                  │
    │  Source ──▶ Build ──▶ ┌──────────────┐ ──▶ Deploy               │
    │                       │   MANUAL     │                           │
    │                       │  APPROVAL ⏸  │                           │
    │                       └──────────────┘                           │
    │                                                                  │
    │  ★ Add a Manual Approval action between stages                  │
    │  ★ Pipeline PAUSES until approved or rejected (or times out)    │
    │  ★ Configurable timeout (default: 7 days)                       │
    │  ★ Can send SNS notification to approvers                       │
    │  ★ IAM permission needed: codepipeline:PutApprovalResult        │
    │                                                                  │
    │  Use cases:                                                      │
    │  • Gate production deployments for human review                  │
    │  • Require sign-off before deploying to sensitive environments   │
    │  • Compliance / change-management approvals                      │
    └──────────────────────────────────────────────────────────────────┘

---

13. CloudFormation & SAM

13.1 SAM CLI Workflow

    ┌──────────────────────────────────────────────────────────────┐
    │                   SAM DEPLOYMENT FLOW                        │
    │                                                              │
    │  sam init          sam build          sam deploy             │
    │  ┌────────┐       ┌────────┐       ┌──────────────────┐    │
    │  │Scaffold│──────▶│Install │──────▶│Package (zip+S3)  │    │
    │  │project │       │deps &  │       │+ Deploy via      │    │
    │  │template│       │artifacts│      │  CloudFormation   │    │
    │  └────────┘       └────────┘       └──────────────────┘    │
    │                                                              │
    │  ⚠ sam deploy = package + deploy (combined!)                │
    │  ⚠ sam init NOT needed if project already exists            │
    │                                                              │
    │  CloudFormation CLI equivalent:                              │
    │  aws cloudformation package → aws cloudformation deploy     │
    │  (two separate commands needed!)                            │
    └──────────────────────────────────────────────────────────────┘

    ⚡ SAM requires: Transform: AWS::Serverless-2016-10-31
    ⚡ Cross-stack refs: Export in Outputs + Fn::ImportValue
    ⚡ Dynamic SSM refs: {{resolve:ssm-secure:paramName:version}}

13.2 CloudFormation Helper Scripts

    EC2 Instance Bootstrap:
    ┌──────────────────────────────────────────────────────────────┐
    │                                                              │
    │  cfn-init ──────▶ Install packages, create files,           │
    │                    start services (from metadata)            │
    │                           │                                  │
    │  cfn-signal ────▶ "Hey CloudFormation, I'm ready!"         │
    │                    (signals WaitCondition/CreationPolicy)    │
    │                           │                                  │
    │  cfn-hup ───────▶ Daemon that detects metadata changes     │
    │                    and re-runs cfn-init                      │
    │                           │                                  │
    │  cfn-get-metadata ▶ Retrieve metadata from template         │
    │                                                              │
    │  ★ Use cfn-init for repeatable setup (not user-data alone)  │
    │  ★ cfn-signal confirms instance provisioned successfully    │
    └──────────────────────────────────────────────────────────────┘

13.3 AWS CDK

    ┌───────────────────────────────────────────────────────┐
    │  CDK: Infrastructure as CODE (Python, TypeScript...)  │
    │  CloudFormation: Infrastructure as TEMPLATE (YAML/JSON)│
    │                                                       │
    │  CDK Workflow:                                        │
    │  Write code ──▶ cdk synth ──▶ CloudFormation template│
    │                 (compile)      ──▶ cdk deploy         │
    │                                                       │
    │  ★ cdk bootstrap: FIRST command in new account/region│
    │    (creates S3 bucket for assets)                    │
    │    NoSuchBucket error? → Run cdk bootstrap!          │
    │                                                       │
    │  Local testing with SAM:                             │
    │  cdk synth ──▶ sam local invoke (specify template)   │
    │                                                       │
    │  ★★★ CDK + SAM LOCAL TESTING (exam favorite!) ★★★   │
    │                                                       │
    │  Step 1: cdk synth --stack MyStack                   │
    │          └──▶ cdk.out/MyStack.template.json          │
    │                                                       │
    │  Step 2: sam local invoke \                           │
    │            -t cdk.out/MyStack.template.json \         │
    │            MyFunctionLogicalId                        │
    │          └──▶ Spins Docker, invokes Lambda locally   │
    │                                                       │
    │  ★ NEEDED:     cdk synth + sam local invoke          │
    │  ❌ NOT needed: cdk bootstrap (deployment infra!)    │
    │  ❌ NOT needed: sam package (S3 upload, not local!)   │
    │  ❌ NOT needed: sam deploy / cdk deploy (deploys!)    │
    └───────────────────────────────────────────────────────┘

---

14. Elastic Beanstalk

14.1 Deployment Strategies Comparison

    ┌───────────────────────────────────────────────────────────────────┐
    │              BEANSTALK DEPLOYMENT STRATEGIES                      │
    ├──────────────┬──────────┬─────────┬───────────┬─────────────────┤
    │              │ Downtime │ Speed   │ Capacity  │ Rollback        │
    ├──────────────┼──────────┼─────────┼───────────┼─────────────────┤
    │ All-at-once  │   YES ⚠ │ Fastest │ Reduced   │ Manual redeploy │
    │ Rolling      │   No     │ Medium  │ Reduced ⚠│ Manual redeploy │
    │ Rolling+Batch│   No     │ Medium  │ Full ✅   │ Manual redeploy │
    │ Immutable    │   No     │ Slower  │ Full ✅   │ Terminate new ✅│
    │ Blue/Green   │   No     │ Variable│ Full ✅   │ CNAME swap ✅   │
    └──────────────┴──────────┴─────────┴───────────┴─────────────────┘

    Blue/Green: Best for major platform upgrades (Java 7→8)
    Immutable: Best for quick rollback without CNAME complexity

    Config files:
    ┌────────────────────────────────────────────────────┐
    │  .ebextensions/*.config  → Custom AWS resources    │
    │  env.yaml                → Environment manifest    │
    │  Dockerrun.aws.json      → Multi-container Docker  │
    │  cron.yaml               → Periodic worker tasks   │
    │  .ebextensions/xray.config → Enable X-Ray daemon   │
    └────────────────────────────────────────────────────┘

---

PART 6 — MONITORING & OBSERVABILITY

---

15. AWS X-Ray — Deep Dive

15.1 X-Ray Anatomy (Most Confusing Topic!)

    ╔══════════════════════════════════════════════════════════════════╗
    ║                        X-RAY TRACE                              ║
    ║                                                                  ║
    ║  A TRACE = end-to-end journey of a single request               ║
    ║                                                                  ║
    ║  ┌──────────────────── TRACE ────────────────────────────┐      ║
    ║  │                                                        │      ║
    ║  │  ┌──────── SEGMENT (API Gateway) ──────────────┐      │      ║
    ║  │  │  Service: API Gateway                        │      │      ║
    ║  │  │  Duration: 1.2s                              │      │      ║
    ║  │  │  Status: 200                                 │      │      ║
    ║  │  └──────────────────────────────────────────────┘      │      ║
    ║  │       │                                                │      ║
    ║  │       ▼                                                │      ║
    ║  │  ┌──────── SEGMENT (Lambda) ───────────────────┐      │      ║
    ║  │  │  Service: MyFunction                         │      │      ║
    ║  │  │  Duration: 0.8s                              │      │      ║
    ║  │  │                                              │      │      ║
    ║  │  │  ┌─── SUBSEGMENT (DynamoDB call) ────┐      │      │      ║
    ║  │  │  │  Namespace: aws                    │      │      ║
    ║  │  │  │  Operation: PutItem                │      │      ║
    ║  │  │  │  Duration: 0.05s                   │      │      ║
    ║  │  │  │  Table: Orders                     │      │      ║
    ║  │  │  └────────────────────────────────────┘      │      ║
    ║  │  │                                              │      ║
    ║  │  │  ┌─── SUBSEGMENT (HTTP call) ────────┐      │      ║
    ║  │  │  │  Namespace: remote                 │      │      ║
    ║  │  │  │  URL: https://api.stripe.com       │      │      ║
    ║  │  │  │  Duration: 0.3s                    │      │      ║
    ║  │  │  └────────────────────────────────────┘      │      ║
    ║  │  │                                              │      ║
    ║  │  │  ┌─── SUBSEGMENT (custom) ───────────┐      │      ║
    ║  │  │  │  Name: "sendRequest"   ◄── YOUR   │      │      ║
    ║  │  │  │  Duration: 0.4s         arbitrary  │      │      ║
    ║  │  │  │                        subsegment  │      │      ║
    ║  │  │  └────────────────────────────────────┘      │      ║
    ║  │  │                                              │      ║
    ║  │  └──────────────────────────────────────────────┘      │      ║
    ║  └────────────────────────────────────────────────────────┘      ║
    ║                                                                  ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║  NAMESPACE tells you the type of downstream call:               ║
    ║  • "aws"    → AWS SDK call (DynamoDB, S3, SQS)                 ║
    ║  • "remote" → External HTTP API call                            ║
    ║  • (none)   → Custom subsegment (your own code)                ║
    ╚══════════════════════════════════════════════════════════════════╝

15.2 Annotations vs Metadata

    ┌─────────────────────────────────────────────────────────────────┐
    │                ANNOTATIONS vs METADATA                          │
    ├─────────────────────────────┬───────────────────────────────────┤
    │       ANNOTATIONS           │         METADATA                  │
    ├─────────────────────────────┼───────────────────────────────────┤
    │  Key-value pairs            │  Key-value pairs                  │
    │  Values: strings/numbers    │  Values: ANY type (objects, lists)│
    │                             │                                   │
    │  ★ INDEXED for search ★    │  ❌ NOT indexed                   │
    │                             │                                   │
    │  Can filter traces in       │  Cannot filter or search          │
    │  console & GetTraceSummaries│  Just stored with trace           │
    │                             │                                   │
    │  Use for: grouping traces,  │  Use for: storing debug data      │
    │  searching by customer_id,  │  you DON'T need to search by     │
    │  environment, version       │                                   │
    ├─────────────────────────────┼───────────────────────────────────┤
    │  xray.putAnnotation(        │  xray.putMetadata(                │
    │    "userId", "U123")        │    "response", {...})             │
    └─────────────────────────────┴───────────────────────────────────┘

    Trace Analysis APIs:
    ┌──────────────────────────────────────────────────────┐
    │  GetTraceSummaries → Filter by annotations           │
    │                      Returns trace IDs               │
    │                                                      │
    │  BatchGetTraces    → Get FULL traces by ID           │
    │                      No filtering capability         │
    │                                                      │
    │  Flow: GetTraceSummaries (filter) → BatchGetTraces   │
    └──────────────────────────────────────────────────────┘

15.3 X-Ray Service Map

    ┌──────────────────────────────────────────────────────────────┐
    │                    X-RAY SERVICE MAP                          │
    │                                                              │
    │    ┌────────┐      ┌─────────┐      ┌──────────┐            │
    │    │ Client │─────▶│ API GW  │─────▶│ Lambda   │            │
    │    │        │ 1.2s │  200 OK │ 0.8s │ Function │            │
    │    └────────┘      └─────────┘      └────┬─────┘            │
    │                                          │                   │
    │                               ┌──────────┼────────┐         │
    │                               ▼          ▼        ▼         │
    │                          ┌────────┐ ┌────────┐ ┌───────┐   │
    │                          │DynamoDB│ │ S3     │ │Stripe │   │
    │                          │ 50ms   │ │ 120ms  │ │ 300ms │   │
    │                          │  ✅    │ │  ✅    │ │ ⚠ slow│   │
    │                          └────────┘ └────────┘ └───────┘   │
    │                                                              │
    │  ★ Visual representation of your distributed application    │
    │  ★ Shows latency, error rates, request counts per service   │
    │  ★ Helps identify which downstream service is the bottleneck│
    └──────────────────────────────────────────────────────────────┘

15.4 X-Ray IAM Policies

    WHO needs WHAT policy?

    ┌────────────────────────┬────────────────────────────────────┐
    │  Role                  │  Policy Needed                     │
    ├────────────────────────┼────────────────────────────────────┤
    │  X-Ray daemon on EC2   │  AWSXRayDaemonWriteAccess          │
    │  X-Ray on ECS sidecar  │  AWSXRayDaemonWriteAccess          │
    │  X-Ray on Beanstalk    │  AWSXRayDaemonWriteAccess          │
    │  Lambda with X-Ray     │  Just enable! (auto-configured)    │
    │  View service map/     │  AWSXrayReadOnlyAccess             │
    │    traces in console   │                                    │
    │  Custom debug tool     │  GetTraceSummaries + BatchGetTraces│
    │  Full access           │  AWSXrayFullAccess                 │
    └────────────────────────┴────────────────────────────────────┘

---

16. CloudWatch

16.1 Embedded Metric Format (EMF)

    Traditional approach (complex):
    Lambda ──PutMetricData API──▶ CloudWatch Metrics  (extra code!)

    EMF approach (simple):
    Lambda ──structured log──▶ CloudWatch Logs ──auto-extract──▶ Metrics!

    {
      "_aws": {
        "Timestamp": 1234567890,
        "CloudWatchMetrics": [{
          "Namespace": "MyApp",
          "Dimensions": [["Service"]],
          "Metrics": [{"Name": "ProcessingTime", "Unit": "Milliseconds"}]
        }]
      },
      "Service": "PaymentService",
      "ProcessingTime": 150       ◄── This becomes a CloudWatch metric!
    }

    ★ Use Amazon's open-source EMF libraries (not Lambda Insights)
    ★ Automatically extracts custom metrics from structured logs
    ★ Can set alarms on the extracted metrics

---

PART 7 — CACHING STRATEGIES

---

17. ElastiCache Patterns

17.1 Lazy Loading vs Write-Through vs Write-Behind

    LAZY LOADING (Cache-Aside):
    ┌──────────────────────────────────────────────────────┐
    │                                                      │
    │  App ──GET──▶ Cache ──HIT──▶ Return data  ✅        │
    │                │                                     │
    │              MISS                                    │
    │                │                                     │
    │                ▼                                     │
    │            Database ──data──▶ App                    │
    │                               │                     │
    │                          Write to cache              │
    │                          for next time               │
    │                                                      │
    │  ✅ Only requested data cached (no waste)            │
    │  ❌ Cache miss = slow (3 trips)                      │
    │  ❌ Data can be STALE                                │
    └──────────────────────────────────────────────────────┘

    WRITE-THROUGH:
    ┌──────────────────────────────────────────────────────┐
    │                                                      │
    │  App ──WRITE──▶ Cache ──AND──▶ Database              │
    │                 (simultaneously)                      │
    │                                                      │
    │  App ──READ──▶ Cache ──HIT (always!)──▶ Return ✅    │
    │                                                      │
    │  ✅ Data always FRESH                                │
    │  ❌ Write penalty (write to cache AND DB)            │
    │  ❌ Caches ALL data (even data never read = waste)   │
    └──────────────────────────────────────────────────────┘

    ★ BEST PRACTICE: Write-Through + TTL
    ┌──────────────────────────────────────────────────────┐
    │  Write-Through ensures freshness                     │
    │  TTL auto-expires unread data → prevents waste       │
    │  = FRESH data + MINIMAL waste ✅✅                   │
    └──────────────────────────────────────────────────────┘

17.2 Redis vs Memcached

    ┌──────────────────────────┬─────────────────────────┐
    │       REDIS              │     MEMCACHED            │
    ├──────────────────────────┼─────────────────────────┤
    │ ✅ Replication (Multi-AZ)│ ❌ No replication        │
    │ ✅ Persistence (AOF/RDB) │ ❌ No persistence        │
    │ ✅ Complex data types    │ Simple key-value only    │
    │    (lists, sets, sorted) │                          │
    │ ✅ Pub/Sub messaging     │ ✅ Multi-threaded        │
    │ Single-threaded          │ ✅ Large cache pools     │
    │                          │                          │
    │ Use for:                 │ Use for:                 │
    │ • HA with failover       │ • Simple caching         │
    │ • Data must survive      │ • Max throughput needed   │
    │   restarts               │ • Data loss acceptable    │
    │ • Leaderboards, queues   │                          │
    └──────────────────────────┴─────────────────────────┘

---

PART 8 — QUICK REFERENCE TABLES

---

18. Service Limits & Defaults

    ┌──────────────────────┬──────────────────────────────────────────┐
    │ Service              │ Key Limits                               │
    ├──────────────────────┼──────────────────────────────────────────┤
    │ Lambda               │ 15 min timeout, 10 GB memory             │
    │                      │ 1,000 concurrent (soft), 250 MB unzipped │
    │                      │ /tmp: 512 MB free, max 10 GB             │
    │                      │ 5 layers, max 5 env vars size 4 KB       │
    ├──────────────────────┼──────────────────────────────────────────┤
    │ API Gateway          │ 29s integration timeout                   │
    │                      │ 10,000 req/s (account), cache TTL 0-3600s│
    ├──────────────────────┼──────────────────────────────────────────┤
    │ DynamoDB             │ 400 KB max item, 1 RCU = 4 KB strong     │
    │                      │ 1 WCU = 1 KB, Streams: 24h retention     │
    │                      │ 5 LSI (at creation), 20 GSI (anytime)    │
    ├──────────────────────┼──────────────────────────────────────────┤
    │ SQS Standard         │ Unlimited TPS, at-least-once             │
    │ SQS FIFO             │ 300 TPS (3,000 batch), exactly-once      │
    │ SQS Visibility       │ Default 30s, max 12h                     │
    │ SQS Retention        │ Default 4 days, max 14 days              │
    ├──────────────────────┼──────────────────────────────────────────┤
    │ Kinesis              │ 24h default retention (max 365 days)      │
    │ KMS                  │ 4 KB direct encrypt, 5,500-30,000 ops/s  │
    │ Cognito Sync         │ 1 MB/dataset, 20 datasets/identity       │
    │ Step Functions       │ 25,000 execution history events          │
    └──────────────────────┴──────────────────────────────────────────┘

---

19. Error Code Cheat Sheet

    ┌──────────────────────────────────────────────────────────────────┐
    │                    ERROR → ROOT CAUSE → FIX                      │
    ├──────────────────────────────────────────────────────────────────┤
    │                                                                  │
    │  API Gateway 502    → Lambda wrong response format               │
    │                       FIX: Return proper JSON proxy response     │
    │                                                                  │
    │  API Gateway 504    → Backend exceeded 29s timeout               │
    │                       FIX: Optimize Lambda or use async          │
    │                                                                  │
    │  Lambda 429         → Throttled (concurrency limit)              │
    │                       FIX: Reserved concurrency + backoff        │
    │                                                                  │
    │  DynamoDB Provisioned                                            │
    │  ThroughputExceeded → Hot partition or low capacity              │
    │                       FIX: Exponential backoff + better PK       │
    │                                                                  │
    │  AccessDeniedException                                           │
    │  (Lambda→service)   → Execution role missing permissions         │
    │                       FIX: Update execution role policy          │
    │                                                                  │
    │  UnauthorizedOp     → IAM policy missing                         │
    │  (EC2 CLI)           FIX: sts:DecodeAuthorizationMessage        │
    │                                                                  │
    │  InvalidInstanceID  → Wrong region in CLI config                 │
    │  NotFound            FIX: Match CLI region to instance region    │
    │                                                                  │
    │  NoSuchBucket (CDK) → CDK not bootstrapped in account            │
    │                       FIX: Run cdk bootstrap                     │
    │                                                                  │
    │  Unable to import   → Missing modules in Lambda package          │
    │  module (Lambda)     FIX: Install locally + zip + upload         │
    │                                                                  │
    │  RequestError       → Missing proxy config in CodeBuild          │
    │  timeout (CodeBuild) FIX: Add proxy element to buildspec.yml    │
    │                                                                  │
    │  DownloadBundle     → EC2 IAM profile lacks S3 access            │
    │  "not opened for     FIX: Add S3 permissions to instance role   │
    │   reading" error    ❌ NOT: S3 versioning, region, or AppSpec   │
    │  (CodeDeploy)       ❌ DownloadBundle = agent-managed, not      │
    │                       configurable in AppSpec file!             │
    └──────────────────────────────────────────────────────────────────┘

---

20. Exam Strategy — Answer Elimination

    ╔══════════════════════════════════════════════════════════════════╗
    ║              ANSWER ELIMINATION FRAMEWORK                       ║
    ╠══════════════════════════════════════════════════════════════════╣
    ║                                                                  ║
    ║  STEP 1: Read the question for KEY PHRASES                      ║
    ║  ┌────────────────────────────────────────────────────────┐     ║
    ║  │ "Least effort"      → Managed service, built-in feature│     ║
    ║  │ "Most secure"       → IAM roles, least privilege, encrypt│   ║
    ║  │ "Cost-effective"    → Query>Scan, binpack, on-demand   │     ║
    ║  │ "Without code change"→ ALB OIDC, CloudFront, API cache │     ║
    ║  │ "Near real-time"    → DynamoDB Streams, Kinesis        │     ║
    ║  │ "Exactly-once"      → SQS FIFO, NOT Standard          │     ║
    ║  │ "Cross-account"     → AssumeRole + trust policy        │     ║
    ║  │ "MFA protected"     → GetSessionToken (only STS API!)  │     ║
    ║  └────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  STEP 2: Eliminate OBVIOUS wrong answers                        ║
    ║  ┌────────────────────────────────────────────────────────┐     ║
    ║  │ ❌ "Use EC2" when serverless is better                 │     ║
    ║  │ ❌ "Store access keys in code"                         │     ║
    ║  │ ❌ "Use root user credentials"                         │     ║
    ║  │ ❌ "Disable encryption" or "use HTTP"                  │     ║
    ║  │ ❌ "AppSpec.yml" for CodeBuild (it's buildspec.yml!)   │     ║
    ║  │ ❌ "Lambda Authorizer" for API Gateway when topic is   │     ║
    ║  │    clearly about Cognito User Pools or IAM auth        │     ║
    ║  └────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  STEP 3: Between two remaining options, ask:                    ║
    ║  ┌────────────────────────────────────────────────────────┐     ║
    ║  │ 1. Does this follow least privilege?                   │     ║
    ║  │ 2. Does this use a managed/native service?             │     ║
    ║  │ 3. Does this address the ROOT CAUSE?                   │     ║
    ║  │ 4. Is this the SIMPLEST path meeting ALL requirements? │     ║
    ║  └────────────────────────────────────────────────────────┘     ║
    ║                                                                  ║
    ║  SERVICE CONFUSION MATRIX:                                      ║
    ║  ┌──────────────────────────┬───────────────────────────┐       ║
    ║  │ If question says...      │ Don't pick...             │       ║
    ║  ├──────────────────────────┼───────────────────────────┤       ║
    ║  │ "Simple decoupling"      │ Kinesis (use SQS)         │       ║
    ║  │ "Serverless deploy"      │ Raw CloudFormation (SAM!) │       ║
    ║  │ "Coordinate Lambdas"     │ Direct invoke (Step Fn!)  │       ║
    ║  │ "Feature flags"          │ Lambda+SSM (AppConfig!)   │       ║
    ║  │ "Distributed tracing"    │ CloudWatch (X-Ray!)       │       ║
    ║  │ "API auditing"           │ X-Ray (CloudTrail!)       │       ║
    ║  │ "npm repo"               │ ECR (CodeArtifact!)       │       ║
    ║  │ "Cross-device sync"      │ AppSync (Cognito Sync!)   │       ║
    ║  │ "Multi-user realtime"    │ Cognito Sync (AppSync!)   │       ║
    ║  │ "Infra as code in Python"│ CloudFormation (CDK!)     │       ║
    ║  │ "DB credential rotation" │ Param Store (Secrets Mgr!)│       ║
    ║  │ "3rd-party webhook"      │ API GW (Fn URL+NONE!)    │       ║
    ║  │ "JWT auth for API GW"    │ Identity Pool (User Pool!)│       ║
    ║  │ "Public HTTPS for Lambda"│ API GW overkill (Fn URL!) │       ║
    ║  └──────────────────────────┴───────────────────────────┘       ║
    ╚══════════════════════════════════════════════════════════════════╝

---

21. Additional Services — Quick Cards

    ┌─────────────── SSM Parameter Store ──────────────────┐
    │  Standard: Free, 4 KB, no policies                   │
    │  Advanced: Paid, 8 KB, supports policies:            │
    │    • ExpirationNotification                          │
    │    • NoChangeNotification (rotation monitoring!)     │
    │    • Expiration                                      │
    │  SecureString: Encrypted with KMS                    │
    │  CloudFormation: {{resolve:ssm-secure:name:version}} │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── Secrets Manager ──────────────────────┐
    │  ★ Auto-rotation of secrets (Lambda-based)           │
    │  ★ Native RDS integration                            │
    │  Best for: DB credentials needing periodic rotation  │
    │  More expensive than Parameter Store                 │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── AppConfig ────────────────────────────┐
    │  Feature flags & configuration profiles              │
    │  Gradual rollout without code deployment             │
    │  Preferred over Lambda + Parameter Store             │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── SQS Extended Client ──────────────────┐
    │  Messages > 256 KB (up to 2 GB)                      │
    │  Uses S3 to store message payloads                   │
    │  ★ Only available for Java SDK                       │
    │  ❌ NOT via CLI, Console, HTTP API, or other SDKs    │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── EC2 Metadata ─────────────────────────┐
    │  http://169.254.169.254/latest/meta-data/            │
    │  http://169.254.169.254/latest/user-data/            │
    │  ★ user-data = run scripts at launch                 │
    │  ★ metadata = query instance details                 │
    │  ❌ Cannot run scripts via metadata!                 │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── ALB ──────────────────────────────────┐
    │  Layer 7, supports OIDC auth on HTTPS:443            │
    │  ★ No code changes for authentication!               │
    │  X-Forwarded-For header = client's real IP           │
    │  Multi-value headers for duplicate query params      │
    │  NLB = Layer 4, NO OIDC, NO Lambda targets           │
    └──────────────────────────────────────────────────────┘

    ┌─────────────── CloudFront ───────────────────────────┐
    │                                                       │
    │  CACHE UPDATE STRATEGIES:                             │
    │  ┌─────────────────────┬──────────┬──────────────┐   │
    │  │ Strategy            │ Fast?    │ Cost?        │   │
    │  ├─────────────────────┼──────────┼──────────────┤   │
    │  │ Versioned file names│ ✅ YES   │ ✅ FREE      │   │
    │  │ (img_v2.jpg)        │          │ ★ BEST ANSWER│   │
    │  ├─────────────────────┼──────────┼──────────────┤   │
    │  │ Invalidation        │ ✅ YES   │ ❌ COSTS $$  │   │
    │  │                     │          │ ($0.005/path)│   │
    │  ├─────────────────────┼──────────┼──────────────┤   │
    │  │ Wait for TTL expire │ ❌ SLOW  │ ✅ FREE      │   │
    │  ├─────────────────────┼──────────┼──────────────┤   │
    │  │ Disable/re-enable   │ ❌ SLOW  │ ❌ DOWNTIME  │   │
    │  │ distribution        │ no clear │              │   │
    │  └─────────────────────┴──────────┴──────────────┘   │
    │                                                       │
    │  ★ "Fast + cost-efficient" = versioned file names     │
    │  ★ "Immediate" = invalidation OR versioned names      │
    │  ★ Invalidation: 1st 1000/month free, then charges    │
    │                                                       │
    │  CloudFront-Viewer-Country header for geo-routing     │
    │  CloudFront Functions for lightweight edge logic       │
    │  Lambda@Edge for heavier processing                   │
    │  OAC: Restrict S3 access to CloudFront only           │
    └───────────────────────────────────────────────────────┘

---

    ╔══════════════════════════════════════════════════════════════╗
    ║                                                              ║
    ║    "When in doubt, choose the answer that is:               ║
    ║     ✅ Most secure (least privilege)                         ║
    ║     ✅ Least effort (managed service)                        ║
    ║     ✅ Addresses root cause (not symptoms)                   ║
    ║     ✅ Simplest path meeting ALL requirements"               ║
    ║                                                              ║
    ║                         Good luck! 🚀                        ║
    ╚══════════════════════════════════════════════════════════════╝

---

AWS DVA-C02 Visual Study Guide v2 — March 2026