Create and manage multiple AWS accounts using AWS Organizations, define permissions with service control policies, and practice cross-account API actions to prepare for the exam.

Practice hands-on with AWS using the free tier or a sandbox. Compare full-account control, billing implications, and scenario-based labs that validate your skills without extra risk.

Explore AWS account types, compare free and paid plans, and follow a sign-up to create a free tier account with $200 in credits, then log in as root or IAM.

Configure an account alias and enable IAM access to billing, then set a monthly budget with alerts in Cost Explorer and CloudWatch to track and control spend.

Create an IAM user for console access and avoid using the root account. Add the user to an admins group with the administrator access policy to grant full permissions.

Install and configure the AWS CLI and Visual Studio Code, set up credentials with access keys, and practice S3 bucket operations and CloudShell usage.

Learn how AWS Organizations centralizes multi-account management, policy enforcement, and consolidated billing, with organizational units, service control policies, and CloudTrail auditing.

Create an AWS organization, set up the management account, and add a new production account with an account access role. Enable service control policies to govern actions.

Explore how service control policies set the maximum permissions across an AWS organization, using root and OU SCPs, with deny overrides allow, and tag policies governing t2 micro EC2 instances.

Explore service control policies and inheritance in AWS organizations, comparing deny-list vs allow-list strategies, and learn how explicit and implicit denies and explicit allows shape permissions at each level.

Explore service control policy inheritance in AWS Organizations, attach a deny for non-t2 micro EC2 launches at the prod OU, while the management account remains unrestricted.

Explore AWS Control Tower, an extension to AWS Organizations, building a landing zone with security, sandbox, and production OUs, audit and log archive accounts, sso integration, and guardrails.

Set up a landing zone with AWS Control Tower to govern accounts and organizational units, define home region and optional region denial, and configure shared accounts, guardrails, and SSO.

Explore identity management and permissions, covering IAM policies, permissions boundaries, RBAC, ABAC, MFA, and federation use cases to prepare for the SAP-C02 exam.

Learn how IAM authenticates and authorizes AWS requests, using the console, CLI, and API; identify principals, construct request contexts, and apply identity-based and resource-based policies.

Discover how AWS IAM uses users, groups, roles, and policies to grant permissions via identity-based policies and enable role assumption across accounts with short-term credentials.

Discover identity and access management authentication methods, including user accounts with password and optional multifactor authentication, and programmatic access via access keys, signing certificates, ssh, CodeCommit, and Keyspaces credentials.

Understand how AWS security token service provides short-lived credentials to an EC2 instance via an attached instance profile and IAM role, using trust policies and sts:AssumeRole for access to S3.

Explore how multi-factor authentication strengthens AWS security by combining a password with a second factor from a virtual or physical MFA device, while biometrics are not used.

Set up multi-factor authentication for your AWS IAM user using an authenticator app or hardware token, scanning a QR code and entering MFA codes for secure access.

Explore identity-based and resource-based policies in AWS, including inline and managed policies, and learn how to attach them to users, groups, roles, or resources like S3 buckets.

Compare role-based and attribute-based access control, using groups and permissions policies to enforce least privilege, with aws iam, tags, and resource tags for rbac and abac scenarios.

Explore how permissions boundaries cap the maximum permissions for users and prevent privilege escalation, by combining boundary rules with policy permissions for actions like S3, CloudWatch, EC2, and IAM.

Learn how IAM policy evaluation determines access by evaluating explicit denies that override allows, SCPs, resource-based and identity-based policies, and permissions boundaries, in a step-by-step workflow.

Learn the structure of IAM policies as JSON documents, including effect, action, resource, and condition. Explore examples: wildcard admin access, ec2:TerminateInstances with NotIpAddress, and secure-transport resource-based policies.

Apply role-based access control by creating a billing admins group, attaching the AWS billing policy in IAM, and adding Joann to grant access to the billing dashboard.

Learn how to implement attribute-based access control (abac) using principal and resource tags to gate actions like reboot, start, and stop of RDS databases, distinguishing production from development environments.

Apply a permissions boundary to restrict IAM principals from elevating their permissions, using a boundary policy attached to Lindsey and tested with an X user to prevent privilege escalation.

Explore practical use cases for IAM roles, including cross-account access with restricted permissions to S3 buckets, third-party access with external IDs, and EC2 instance role delegation to other AWS services.

Explore cross-account access by assuming a role with an external id to access a private s3 bucket. Configure temporary credentials and list the bucket from the other account.

Compare access keys versus IAM roles for EC2 to access S3, highlighting risks of long-term, plain-text credentials and endorsing temporary credentials via IAM roles and instance profiles.

Learn to create an IAM user, craft a role with policies and trust, and passrole that role to an EC2 instance via an instance profile using the CLI.

Apply iam best practices by locking root keys, creating individual users, grouping permissions, and using customer managed policies for least privilege; enable mfa, rotate credentials, and monitor activity.

Explore directory services and federation with hands-on practice, set up AWS managed Microsoft AD and AWS single sign-on using Microsoft AD, and review identity federation types and Amazon Cognito.

Explore aws directory services options—managed microsoft ad, ad connector, and simple ad—and learn how each facilitates authentication, group policies, and on-premises integration.

Explore identity providers and federation to authenticate and authorize AWS access using SAML, STS with SAML, web identity, Cognito, and IAM Identity Center.

Explore IAM Identity Center, the successor to single sign-on, and configure identity sources, MFA, and permission sets to grant administrator or read-only access across AWS accounts.

Learn how Amazon Cognito manages sign in and sign up for web and mobile apps with user pools and identity pools, enabling temporary credentials to access AWS services.

Explore Amazon VPC fundamentals and advanced configurations, including VPC routing, CIDR blocks, subnets, IPv6, cross-account VPC peering, and VPC endpoints.

Explore the AWS global infrastructure, including regions, availability zones, data centers, subnets, outposts, local and wavelength zones, and edge caches with CloudFront for low latency and high availability.

Define vpc cidr blocks and plan subnets with classless routing and variable length subnet masks. Use examples like 10.0.0.0/16 with /20 subnets, respecting reserved addresses and avoiding overlaps.

Create a custom vpc with a 10.0.0.0/16 cidr, two public and two private subnets across two availability zones, and an internet gateway with main and private route tables.

Explore VPC routing with main and private route tables, internet and net gateways, longest-prefix rules, and gateway route tables for in-line security appliances and peering.

Explore how security groups and network ACLs regulate traffic in AWS, compare stateful and stateless firewalls, and learn practical rule designs for subnets, EC2 instances, and load balancer configurations.

Practice configuring security groups and network ACLs in a custom VPC by launching a web server, opening SSH and HTTP inbound rules, and testing access.

Explore how NAT gateways and NAT instances provide outbound internet access for private subnets via a public subnet, using private route tables and elastic IPs.

Enable internet access for a private subnet instance by creating a NAT gateway in a public subnet and updating the private route table; test connectivity to Google and clean up.

Learn to use IPv6 in an Amazon VPC, configuring /56 and /64 subnets, routing via an internet gateway with no NAT, and enabling an egress-only internet gateway for outbound IPv6.

Configure IPv6 for your VPC by adding an Amazon-provided IPv6 CIDR, enabling IPv6 on subnets, updating routes to an Internet gateway, and validating connectivity with ping6.

Explore how VPC peering enables private IPv4 and IPv6 routing between VPCs across regions and accounts using the AWS Global Network, with non overlapping CIDR blocks and no transitive routing.

Configure VPC peering between two VPCs in US East and US West using CloudFormation, set security groups for SSH and ICMP over private IPs, update routes, and test with ping.

Explore how VPC endpoints enable private access to AWS services like S3 and DynamoDB via interface and gateway endpoints, using private IP addresses, route tables, and policies.

Launch a VPC with two public and two private subnets, create an S3 gateway endpoint, and configure a route table to direct S3 traffic via the endpoint’s prefix list.

Discover how hybrid connectivity links on-premises data centers with the cloud and multiple clouds using VPN technologies, AWS Direct Connect, and Transit Gateway.

Learn how AWS client VPN lets your computer connect to a VPC over an encrypted SSL/TLS VPN, with endpoints in subnets and network address translation enabling access to EC2 resources.

Set up a site-to-site vpn linking a customer gateway to a virtual private gateway in AWS, enabling encrypted ipsec traffic over the internet with static routes or bgp.

Explore how AWS VPN CloudHub uses a hub-and-spoke architecture to connect multiple customer gateways to a single virtual private gateway using site-to-site IPsec VPN and BGP-based route advertisement.

Connect your on-premises data center to AWS using a private Direct Connect link, with private virtual interfaces and VGWs, and enable IPsec VPN encryption for reliable redundancy and security.

Explore how AWS Direct Connect Gateway simplifies connectivity by linking a single corporate office to multiple regions via a DX Gateway, private VIFs, and virtual gateways across the AWS backbone.

Learn how AWS transit gateway acts as a hub to connect vpcs and on-premises networks, simplifying complex peering and enabling transitive routing via VPN, DX gateway, and transit VIFs.

Explore EC2, autoscaling, and elastic load balancing, essential AWS fundamentals for the SAP-C02 exam. Build practical understanding through hands-on exercises and diagrams.

Explore Amazon EC2 pricing options, from on-demand to reserved, spot, dedicated instances and hosts, plus savings plans, with per-second and per-hour billing and practical use-case guidance for exam prep.

Map each EC2 pricing model to its use case, from on-demand for ad hoc tasks to spot for workloads, aligning reserved instances and dedicated hosts with licensing and security needs.

Speed up EC2 launches by using customized AMIs or bootstrapping with user data to preinstall dependencies, applications, and updates, and automate with CloudFormation, Systems Manager, and CodeDeploy.

Explore EC2 placement groups—cluster for low-latency inter-instance traffic, partition for distributed workloads across partitions, and spread for separate hardware to reduce correlated failures.

Explore how EC2 instances attach multiple adapters in the same availability zone across subnets. Compare ENI, ENA, and EFA for networking performance and specialized HPC and AI use cases.

Learn to work with elastic network interfaces and IP addresses in EC2, including managing private and public IPs, using an elastic IP for persistence, and attaching and detaching ENIs.

Explore public, private, and elastic IP addresses in AWS, noting dynamic public IPs and static elastic IPs, how private IPs stay fixed, and remapping across instances in an AZ.

Explore how NAT translates private IPs to public addresses outside the instance. Learn how the NAT gateway performs one-to-one translation to elastic IPs in AWS.

This lesson dives into autoscaling fundamentals, EC2 status checks, CloudWatch metrics, target tracking, and queue-based scaling with custom metrics, including cooldowns and life-cycle hooks.

Create an ASG and ALB using the CLI to deploy a website behind an application load balancer, with security groups, launch templates, target groups, and listeners.

Create a lifecycle hook for an EC2 auto scaling group to pause termination, trigger a Lambda to snapshot the instance, and automate the process via SNS, CloudWatch, and Python code.

Explore elastic load balancers, including application load balancers for layer 7 routing and network load balancers for high-performance layer 4 traffic with TLS offloading.

Learn to route with the application load balancer and network load balancer, using path-based and host-based routing to target groups of EC2 instances, IPs, or containers across subnets and AZs.

Configure secure listeners for elastic load balancers by applying SSL/TLS certificates with AWS Certificate Manager, enabling encryption in transit for ALB and NLB, and consider end-to-end encryption and certificate scope.

Register a domain with Amazon Route 53 to enable DNS management and domain registration, check availability, choose a name, and complete checkout with optional annual pricing.

Explore host-based routing with an application load balancer, routing requests by host header to separate target groups, backed by Route 53 DNS, ACM SSL certificates, and health- checked EC2 instances.

Configure a network load balancer with static elastic IPs across two availability zones and deploy a test client. Implement whitelisting by restricting outbound traffic to those IPs on port 80.

Discover how to manage session state with elastic load balancers by using external stores such as DynamoDB and ElastiCache, and implement sticky sessions to improve usability while balancing latency.

Launch and deploy virtual servers quickly with Amazon LightSail, a simple, low-cost cloud option that provides pre-configured operating systems and databases, basic networking, and optional load balancing.

Explore architecture patterns for compute that enable highly available, elastically scalable web services using EC2 autoscaling, ALB/NLB across AZs, and cost-efficient strategies such as reserved, spot, and batch.

Explore how AWS Batch runs batch jobs from a job definition to a queue and compute environment, managing resources on EC2, ECS, or Fargate for large workloads.

Explore storage technologies such as Elastic Block Store, Elastic File System, and Amazon S3. Target CSA professional exam topics with hands-on insights for AWS certification.

Explore AWS elastic block store deployment options and volume types, including multi-attach, io1 io2 gp3 gp2, st1 sc1 hdd, boot volumes, and durability within an availability zone.

Explore copying, sharing, and encryption of EBS volumes, snapshots, and AMIs across regions and availability zones, including encryption states, custom KMS keys, and cross-account sharing.

Compare EBS and instance store to decide when high performance fits. Instance stores are fast, local, ephemeral, and cannot be detached; expect data loss if an instance stops.

Explore Amazon elastic file system basics, including network attached storage concepts, Linux-based mounting with NFS, and cross-region cross-account connectivity using mount targets and IP addresses.

Learn to create an EFS file system, attach it to EC2 instances across two availability zones, configure security groups and mount targets, and enforce TLS with the EFS mount helper.

Discover Amazon S3 as an object-based storage system with buckets, objects, and keys accessed via REST API and HTTP, covering regions, unique bucket names, and gateway endpoints.

Explore Amazon S3 storage classes, their 11 nines durability, varying availability, and cost considerations, including one zone ia, three availability zones, and Glacier archival options.

Learn how Amazon S3 lifecycle policies automate object transitions between storage classes and expirations, including supported and unsupported transitions, policy creation via console, CLI, or API with XML or JSON.

Configure same-region and cross-region S3 replication with versioning, creating source and destination buckets, an IAM role, and an inline policy, then explore lifecycle rules and object versioning.

Learn how S3 versioning preserves, retrieves, and restores object versions and how cross-region and same-region replication enable DR scenarios and multi-region failover, with versioning as a prerequisite.

Explore S3 encryption options including SSE-S3, SSE-KMS, SSE-C, and client-side encryption, and learn how default encryption, batch operations, copy operations, and bucket policies enforce encryption.

Enforce encryption in S3 by applying a bucket policy that denies put objects unless server-side encryption with AWS KMS is used.

Use s3 presigned URLs to grant time-limited access to bucket objects without permissions, keys, or IAM accounts. Generate a URL with aws s3 presign that expires after one hour.

Enable server access logging to record bucket requests, including requester, bucket name, time, action, status, and error codes; grant write permissions to the S3 log delivery group.

Create an SNS topic, subscribe your email, and wire S3 event notifications for all object create events to send detailed email alerts on uploads.

Explore AWS Storage Gateway, connecting on-prem storage to AWS with file gateway (NFS/SMB), volume gateway (cached or stored modes), and tape gateway for backups to S3 and Glacier.

Master DNS, caching, and performance optimization using AWS Route 53, Amazon CloudFront, and AWS Global Accelerator to improve latency and content delivery across geographies.

Learn the differences between public and private Route 53 hosted zones, configure DNS records and TTLs, and migrate or associate zones across VPCs, accounts, and providers.

Explore Route 53 routing policies, including simple, failover, geolocation, geoproximity, latency, multivalue, and weighted, with health checks and use cases like blue-green deployments and disaster recovery across regions.

Explore Route 53 failover routing with two application load balancers, building and deploying CloudFormation templates, configuring health checks, and creating primary and secondary alias records for automatic failover.

Learn how Route 53 Resolver connects on-premises DNS with Route 53, using outbound and inbound endpoints to resolve internal and internet domain records across VPCs and corporate data centers.

Explore CloudFront origins and distributions, using S3 and EC2 origins, with geography-based edge locations for low latency, delivering static and dynamic content over HTTP or HTTPS.

Explore how CloudFront uses multiple origins and regional edge caches to deliver content with low latency, and how TTLs, cache misses, and path patterns optimize performance.

Learn to secure content with CloudFront signed URLs and cookies, including expiration and IP restrictions, and understand origin access identity (OAI) deprecated and origin access control (OAC) with bucket policies.

Configure a CloudFront distribution with a static website origin and two file origins (pdf and jpeg), enabling origin access control and path-based cache behaviors.

Learn how CloudFront secures content with SSL/TLS, uses ACM certificates (in us-east-1) or third-party certs, and leverages SNI to host multiple domain certificates on one IP.

Learn how Lambda@Edge runs Node.js and Python functions to customize content delivered by CloudFront, processing at viewer request, origin request, origin response, and viewer response, closer to users.

Explore how AWS Global Accelerator uses the AWS Global Network and static IPs to route users through edge locations to the nearest healthy region, improving latency and bandwidth.

Create an AWS global accelerator that routes traffic to healthy endpoints using anycast IPs, with application load balancers in us east 1 and us west 1 and failover logic.

Explore relational and analytics databases across multi-region deployments; learn to deploy redundant databases and DR scenarios on AWS, and understand availability and scalability options.

Explore Amazon RDS scaling and deployment, including vertical scaling of instance types, Multi-AZ disaster recovery with synchronous replication, and read replicas for asynchronous read scaling with cross-region promotion.

Configure RDS backup windows and maintenance windows, use automated backups as snapshots up to 35 days, and perform manual full-database snapshots with restore to any point.

Secure Amazon RDS by placing it in your VPC, controlling access with security groups, and enabling encryption at rest (AES-256) and in transit (SSL/TLS) with KMS and TDE where supported.

Explore Amazon Aurora core features: high performance self-healing storage up to 64 terabytes, MySQL or Postgres engines, in-region replicas for read scaling and automatic failover, plus global database and serverless.

Explore Amazon Aurora deployment options, including regional fault tolerance with replicas, automated failover, cross-region and global reads, and Aurora Servius on-demand capacity units.

Explore anti-patterns for Amazon RDS and learn when it is not the best fit. Consider alternatives like EC2, DynamoDB, and S3 for scalability, control, and cross-region recovery.

Explore how Amazon ElastiCache delivers a fast in-memory key/value store (Redis or Memcached) in front of databases like RDS and DynamoDB, boosting read performance.

Scale ElastiCache for Memcached and Redis by adding nodes, vertical scaling, and cluster mode options with online and offline resharding across shards and replicas, Memcached has no replication.

Explore DynamoDB core knowledge, a fully managed NoSQL service, serverless with push-button scaling, offering key/value and document store capabilities, flexible schema, and global tables.

Learn how DynamoDB capacity units, RCUs and WCUs drive reads and writes, and calculate provisioned and on-demand capacity with auto scaling and read/write request types.

Practice creating DynamoDB tables with partition keys and optional sort keys, configure read/write capacity, explore on-demand vs provisioned modes, and learn about encryption at rest and composite keys.

DynamoDB streams capture insert, update, and delete item changes on a table and can trigger a Lambda; configure to log keys, new image, old image, or both within 24 hours.

DAX provides a fully managed in-memory cache that accelerates DynamoDB reads from milliseconds to microseconds, with API compatibility, no app changes required, and focus on read performance.

Explore DynamoDB global tables across multiple regions with asynchronous replication via DynamoDB streams; replica tables store the same data and enable multi-active read-write and failover.

Create a global DynamoDB table in another region to enable multi-master replication, with changes synchronized across regions. Test by modifying items in either region and delete the replica when finished.

Explore AWS DocumentDB for JSON data with MongoDB compatibility and scalable storage, plus Keyspaces for Cassandra, Neptune for graph workloads, and QLDB for immutable ledgers, focusing on scalability and availability.

Learn architectural patterns for AWS databases, including RDS multi-AZ, read replicas, Aurora Global Database and cross-region replication, multi-master, and DynamoDB with Global Tables and Aurora Serverless.