
AWS Services Cheat Sheet

AWS certification covers a lot of topics & a broad array of services, including the fine details of features, patterns, anti-patterns & their integration with other services. This is a quick synopsis of the services, category-wise, with key points for a glance before you appear for the exam, along with recommended security best practices.


Compute

Instances (Virtual machines)
EC2
Provides secure, resizable compute capacity in the cloud. It makes web-scale cloud computing easier for developers. EC2
EC2 Spot
Run fault-tolerant workloads for up to 90% off On-Demand prices. EC2Spot
EC2 Auto Scaling
Automatically add or remove compute capacity to meet changes in demand. EC2_AutoScaling
Lightsail
Designed to be the easiest way to launch & manage a virtual private server on AWS. An easy-to-use cloud platform that offers everything needed to build an application or website. Lightsail
Batch
Enables developers, scientists, & engineers to easily & efficiently run hundreds of thousands of batch computing jobs on AWS. Fully managed batch processing at any scale. Batch
Elastic Container Service (ECS)
Highly secure, reliable, & scalable way to run containers. ECS
Elastic Container Registry (ECR)
Easily store, manage, & deploy container images. ECR
Elastic Kubernetes Service (EKS)
Fully managed Kubernetes service. EKS
Fargate
Serverless compute for containers. Fargate
Lambda
Run code without thinking about servers. Pay only for the compute time you consume. Lambda
Edge and hybrid
Outposts
Run AWS infrastructure & services on premises for a truly consistent hybrid experience. Outposts
Snow Family
Collect and process data in rugged or disconnected edge environments. SnowFamily
Wavelength
Deliver ultra-low latency applications for 5G devices. Wavelength
VMware Cloud on AWS
Innovate faster, rapidly transition to the cloud, & work securely from any location. VMware_On_AWS
Local Zones
Run latency-sensitive applications closer to end users. LocalZones


Storage

Amazon S3
S3 is object storage built to store & retrieve any amount of data from anywhere on the internet. S3
AWS Backup
AWS Backup is a fully managed, policy-based service that centralizes & automates backup of data across AWS services. AWS_Backup
Amazon EBS
Amazon Elastic Block Store is a web service that provides block-level storage volumes for use with EC2 instances. EBS
Amazon EFS Storage
EFS offers scalable, elastic NFS file storage for EC2 instances & other AWS compute services. EFS
Amazon FSx
FSx supplies fully managed third-party file systems with the native compatibility & feature sets your workloads expect. It's available as FSx for Windows File Server (fully managed file storage built on Windows Server) & FSx for Lustre (fully managed high-performance file system integrated with S3). FSx_Windows FSx_Lustre
AWS Storage Gateway
Storage Gateway is a service which connects an on-premises software appliance with cloud-based storage. Storage_Gateway
AWS DataSync
DataSync makes it simple & fast to move large amounts of data online between on-premises storage & S3, EFS, or FSx for Windows File Server. DataSync
AWS Transfer Family
The Transfer Family provides fully managed support for file transfers directly into & out of S3. Transfer_Family
AWS Snow Family
Highly secure, portable devices to collect & process data at the edge, and migrate data into and out of AWS. Snow_Family
Object storage: S3
File storage services: Elastic File System, FSx for Windows File Server & FSx for Lustre
Block storage: EBS
Backup: AWS Backup
Data transfer:
Storage Gateway --> 3 types: Tape, File, Volume.
Transfer Family --> SFTP, FTPS, FTP.
Edge computing & storage: Snow Family --> Snowcone, Snowball, Snowmobile


Databases

Database type
Use cases
Relational
Traditional applications, ERP, CRM, e-commerce
Aurora, RDS, Redshift
RDS is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. Aurora RDS Redshift
Key-value
High-traffic web apps, e-commerce systems, gaming applications
DynamoDB
DynamoDB is a fully managed NoSQL database service that offers fast and predictable performance with seamless scalability. DynamoDB
In-memory
Caching, session management, gaming leaderboards, geospatial applications
ElastiCache for Memcached & Redis
ElastiCache helps in setting up, managing, and scaling in-memory data stores & caches. Memcached Redis
Document
Content management, catalogs, user profiles
DocumentDB
DocumentDB (with MongoDB compatibility) is a fast, reliable, and fully managed database service that makes it easy to set up, operate, and scale MongoDB-compatible databases. DocumentDB
Wide column
High-scale industrial apps for equipment maintenance, fleet management, and route optimization
Keyspaces (for Apache Cassandra)
Keyspaces is a scalable, highly available, and managed Apache Cassandra-compatible database service. Keyspaces
Graph
Fraud detection, social networking, recommendation engines
Neptune
Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. Neptune
Time series
IoT applications, DevOps, industrial telemetry
Timestream
Timestream is a fast, scalable, and serverless time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day. Timestream
Ledger
Systems of record, supply chain, registrations, banking transactions
Quantum Ledger Database (QLDB)
QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. QLDB

Developer Tools

Cloud9 is a cloud-based IDE that enables the user to write, run, and debug code. Cloud9
CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, & share software packages used in their software development process. CodeArtifact
CodeBuild is a fully managed service that compiles source code, runs unit tests, & generates artifacts ready to deploy. CodeBuild
CodeGuru is a developer tool powered by machine learning that provides intelligent recommendations for improving code quality & identifying an application's most expensive lines of code. CodeGuru
Cloud Development Kit
Cloud Development Kit (AWS CDK) is an open source software development framework to define cloud application resources using familiar programming languages. CDK
CodeCommit is a managed source control service that hosts private Git repositories in the AWS cloud. CodeCommit
CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as EC2, Fargate, Lambda, & on-premises servers. CodeDeploy
CodePipeline is a fully managed continuous delivery service that helps automate release pipelines for fast & reliable app & infra updates. CodePipeline
CodeStar enables you to quickly develop, build, & deploy applications on AWS. CodeStar
AWS CLI is a unified tool to manage AWS services & control multiple services from the command line & automate them through scripts. CLI
X-Ray helps developers analyze & debug production, distributed applications, such as those built using a microservices architecture. X-Ray

Migration & Transfer services

Migration Evaluator
Build a data-driven business case for AWS. ME
Migration Hub
Migration Hub provides a single location to track the progress of app migrations across multiple AWS & partner solutions. MigrationHub
Application Discovery Service
Application Discovery Service helps enterprise customers plan migration projects by gathering information about their on-premises data centers. ADS
Server Migration Service (SMS)
SMS is an agentless service which makes it easier & faster to migrate thousands of on-premises workloads to AWS. SMS
Database Migration Service (DMS)
DMS helps migrate databases to AWS quickly & securely. DMS
CloudEndure Migration
CloudEndure Migration simplifies, expedites, & reduces the cost of cloud migration by offering a highly automated lift-&-shift solution. CloudEndure
VMware Cloud on AWS
Refer compute section.
DataSync
Refer storage section.
Transfer Family
Refer storage section.
Snow Family
Refer storage section.

Cost Management

Use cases
Construct a cost allocation & governance foundation with your own tagging strategy
1) Cost Allocation Tags 2) Cost Categories
Cost Categories is a feature within the AWS Cost Management product suite that lets you group cost & usage information into meaningful categories based on your needs. CostAllocationTags CostCategories
Raise awareness & accountability of your cloud spend with detailed, allocable cost data
1) Cost Explorer 2) Cost & Usage Report
The Cost & Usage Report contains the most comprehensive set of AWS cost & usage data available, including additional metadata about AWS services, pricing, & reservations. CostExplorer CUR
Track billing information across the organization in a consolidated view
1) Consolidated Billing 2) Credits
Credits are applied to bills to help cover costs that are associated with eligible services. ConsolidatedBilling Credits
Establish effective governance mechanisms with the right guardrails in place
1) IAM 2) Organizations 3) Control Tower 4) Service Catalog
Organizations helps centrally govern your environment as you grow & scale workloads on AWS. Control Tower is the easiest way to set up & govern a new, secure multi-account AWS environment. ControlTower
Estimate resource utilization & spend with forecast dashboards
1) Cost Explorer (Self-Service) 2) Budgets (Event-Driven)
A forecast is a prediction of how much you will use AWS services over the forecast time period that you selected, based on your past usage. Forecasting EventDrivenBudgets
Keep spend in check with custom budget thresholds & automatic alert notifications
1) Budgets 2) Budget Alerts via Chime & Slack 3) Service Catalog
Budgets lets you set custom budgets to track cost & usage from the simplest to the most complex use cases. Budgets BudgetAlerts ServiceCatalog
Leverage free trials & programmatic discounts based on workload patterns & needs
1) Free Tier 2) Reserved Instances 3) Savings Plans 4) Spot Instances 5) DynamoDB On-demand
Reserved Instances (RI) provide a significant discount (up to 75%) compared to On-Demand pricing. RI FreeTier SavingsPlan SpotEC2 DynamoDBOD
Scale & schedule services based on expected utilization patterns & needs
1) Instance Scheduler 2) Redshift pause & resume 3) EC2 Auto Scaling 4) Trusted Advisor
Trusted Advisor is an online tool that provides real-time guidance to help provision resources following AWS best practices. InstanceScheduler RedshiftP&R EC2ASG TrustedAdvisor
Align service allocation size to actual workload demand
1) Cost Explorer Right Sizing Recommendations 2) Compute Optimizer 3) Redshift resize 4) S3 Intelligent-Tiering
Compute Optimizer recommends optimal AWS compute resources for your workloads to reduce costs & improve performance, using ML to analyze historical utilization metrics. CO
Stay up-to-date with resource deployment & cost optimization opportunities
Cost Explorer
Cost Explorer has an easy-to-use interface that lets you visualize, understand, & manage AWS costs & usage over time. CostExplorer

SDKs & Toolkits

CDK uses the familiarity & expressive power of programming languages for modeling apps. CDK
Corretto is a no-cost, multiplatform, production-ready distribution of the OpenJDK. Corretto
Crypto Tools
Cryptography is hard to do safely & correctly. The AWS Crypto Tools libraries are designed to help everyone do cryptography right, even without special expertise. Crypto Tools
Serverless Application Model (SAM)
SAM is an open-source framework for building serverless applications. It provides shorthand syntax to express functions, APIs, databases, & event source mappings. SAM
Tools for developing and managing applications on AWS
The complete list of tools can be found here: Tools

Networking & Content Delivery

Use cases
Build a cloud network
Define and provision a logically isolated network for your AWS resources
VPC
VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. VPC
Connect VPCs and on-premises networks through a central hub
Transit Gateway
Transit Gateway connects VPCs & on-premises networks through a central hub. This simplifies the network & puts an end to complex peering relationships. TransitGateway
Provide private connectivity between VPCs, services, and on-premises applications
PrivateLink
PrivateLink provides private connectivity between VPCs & services hosted on AWS or on-premises, securely on the Amazon network. PrivateLink
Route users to Internet applications with a managed DNS service
Route 53
Route 53 is a highly available & scalable cloud DNS web service. Route53
Scale your network design
Automatically distribute traffic across a pool of resources, such as instances, containers, IP addresses, and Lambda functions
Elastic Load Balancing
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, & Lambda functions. ElasticLoadBalancing
Direct traffic through the AWS global network to improve global application performance
Global Accelerator
Global Accelerator is a networking service that sends user traffic through AWS's global network infrastructure, improving internet user performance by up to 60%. GlobalAccelerator
Secure your network traffic
Safeguard applications running on AWS against DDoS attacks
Shield
Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield
Protect your web applications from common web exploits
WAF
WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. WAF
Centrally configure and manage firewall rules
Firewall Manager
Firewall Manager is a security management service which allows you to centrally configure & manage firewall rules across accounts & apps in an AWS Organization. FirewallManager
Build a hybrid IT network
Connect your users to AWS or on-premises resources using a Virtual Private Network
Client VPN
VPN solutions establish secure connections between on-premises networks, remote offices, client devices, & the AWS global network. VPN
Create an encrypted connection between your network and your Amazon VPCs or AWS Transit Gateways
Site-to-Site VPN
Site-to-Site VPN creates a secure connection between a data center or branch office & AWS cloud resources. site_to_site
Establish a private, dedicated connection between AWS and your datacenter, office, or colocation environment
Direct Connect
Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Note that a Direct Connect link is private but not encrypted by itself; run a Site-to-Site VPN over it (or use MACsec where the port supports it) when the traffic must be encrypted. DirectConnect
Content delivery networks
Securely deliver data, videos, applications, and APIs to customers globally with low latency and high transfer speeds
CloudFront
CloudFront expedites distribution of static & dynamic web content. CloudFront
Build a network for microservices architectures
Provide application-level networking for containers and microservices
App Mesh
App Mesh makes it easy to monitor & control microservices running on AWS. AppMesh
Create, maintain, and secure APIs at any scale
API Gateway
API Gateway allows the user to create, publish, & scale their own REST and WebSocket APIs at any scale. APIGateway
Discover AWS services connected to your applications
Cloud Map
Cloud Map is a cloud resource discovery service: it lets you name your cloud resources & have applications discover them by name. CloudMap

Security, Identity, & Compliance

Use cases
Identity & access management
Securely manage access to services and resources
Identity & Access Management (IAM)
IAM is a web service for securely controlling access to AWS services & resources. IAM
Centrally manage single sign-on access to multiple AWS accounts and business applications
Single Sign-On
SSO helps in simplifying & managing SSO access to AWS accounts & business applications. SSO
Identity management for apps
Cognito
Cognito lets you add user sign-up, sign-in, & access control to web & mobile apps quickly and easily. Cognito
Managed Microsoft Active Directory
Directory Service
AWS Managed Microsoft Active Directory (AD) enables your directory-aware workloads & AWS resources to use managed Active Directory (AD) in AWS. DirectoryService
Simple, secure service to share AWS resources
Resource Access Manager
Resource Access Manager (RAM) is a service that enables you to easily & securely share AWS resources with any AWS account or within an AWS Organization. RAM
Central governance and management across AWS accounts
Organizations
Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Orgs
Detection
Unified security and compliance center
Security Hub
Security Hub gives a comprehensive view of security alerts & security posture across AWS accounts. SecurityHub
Managed threat detection service
GuardDuty
GuardDuty is a threat detection service that continuously monitors for malicious activity & unauthorized behavior to protect AWS accounts, workloads, & data stored in S3. GuardDuty
Analyze application security
Inspector
Inspector is a security vulnerability assessment service that improves the security & compliance of AWS resources. Inspector
Record and evaluate configurations of your AWS resources
Config
Config is a service that enables you to assess, audit, & evaluate the configurations of AWS resources. Config
Track user activity and API usage
CloudTrail
CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of an AWS account. CloudTrail
Security management for IoT devices
IoT Device Defender
IoT Device Defender is a fully managed service that helps secure a fleet of IoT devices. IoTDD
Infrastructure protection
DDoS protection
Shield
Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides always-on detection & automatic inline mitigations that minimize application downtime & latency. Shield
Filter malicious web traffic
Web Application Firewall (WAF)
WAF is a web application firewall that helps protect web apps or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. WAF
Central management of firewall rules
Firewall Manager
Firewall Manager eases AWS WAF administration & maintenance activities over multiple accounts & resources. FirewallManager
Data protection
Discover and protect your sensitive data at scale
Macie
Macie is a fully managed data security & privacy service that uses ML & pattern matching to discover & protect sensitive data. Macie
Key storage and management
Key Management Service (KMS)
KMS makes it easy to create & manage cryptographic keys & control their use across a wide range of AWS services & in your applications. KMS
Hardware-based key storage for regulatory compliance
CloudHSM
CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate & use your own encryption keys. CloudHSM
Provision, manage, and deploy public and private SSL/TLS certificates
Certificate Manager
Certificate Manager is a service that lets you easily provision, manage, & deploy public and private SSL/TLS certificates for use with AWS services & internal connected resources. ACM
Rotate, manage, and retrieve secrets
Secrets Manager
Secrets Manager helps you securely store, rotate, & retrieve credentials for databases & other services. SecretsManager
Incident response
Investigate potential security issues
Detective
Detective makes it easy to analyze, investigate, & quickly identify the root cause of potential security issues or suspicious activities. Detective
Fast, automated, cost-effective disaster recovery
CloudEndure Disaster Recovery
Provides scalable, cost-effective business continuity for physical, virtual, & cloud servers. CloudEndure
Compliance
No-cost, self-service portal for on-demand access to AWS compliance reports
Artifact
Artifact is a web service that enables the user to download AWS security & compliance reports. Artifact

Data Lakes & Analytics

Use cases
Interactive analytics
Athena is an interactive query service that makes it easy to analyze data in S3 using standard SQL. Athena
Big data processing
EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Hive, HBase, Flink, Hudi, & Presto. EMR
Data warehousing
Redshift is a fully managed, petabyte-scale cloud data warehouse. Redshift
Real-time analytics
Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights. Kinesis
Operational analytics
Elasticsearch Service
Elasticsearch Service is a fully managed service that makes it easy to deploy, secure, & run Elasticsearch cost-effectively at scale. ES
Dashboards & visualizations
QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in the organization. QuickSight
Data movement
Real-time data movement
1) Amazon Managed Streaming for Apache Kafka (MSK) 2) Kinesis Data Streams 3) Kinesis Data Firehose 4) Kinesis Data Analytics 5) Kinesis Video Streams 6) Glue
MSK is a fully managed service that makes it easy to build & run applications that use Apache Kafka to process streaming data. MSK KDS KDF KDA KVS Glue
Data lake
Object storage
1) S3 2) Lake Formation
Lake Formation is a service that makes it easy to set up a secure data lake in days. A data lake is a centralized, curated, & secured repository that stores all data, both in its original form & prepared for analysis. S3 LakeFormation
Backup & archive
1) S3 Glacier 2) Backup
S3 Glacier & S3 Glacier Deep Archive are secure, durable, & extremely low-cost S3 storage classes for data archiving & long-term backup. S3Glacier
Data catalog
1) Glue 2) Lake Formation
Refer as above.
Third-party data
Data Exchange
Data Exchange makes it easy to find, subscribe to, & use third-party data in the cloud. DataExchange
Predictive analytics & machine learning
Frameworks & interfaces
Deep Learning AMIs
Deep Learning AMIs provide machine learning practitioners & researchers with the infrastructure & tools to accelerate deep learning in the cloud, at any scale. DeepLearningAMIs
Platform services
SageMaker is a fully managed service that provides every developer & data scientist with the ability to build, train, & deploy machine learning (ML) models quickly. SageMaker


Containers

Use cases
Store, encrypt, and manage container images
ECR: refer compute section
Run containerized applications or build microservices
ECS: refer compute section
Manage containers with Kubernetes
EKS: refer compute section
Run containers without managing servers
Fargate is a serverless compute engine for containers that works with both ECS & EKS. Fargate
Run containers with server-level control
EC2: refer compute section
Containerize and migrate existing applications
App2Container (A2C) is a command-line tool for modernizing .NET & Java applications into containerized applications. App2Container
Quickly launch and manage containerized applications
Copilot is a command line interface (CLI) that enables customers to quickly launch & easily manage containerized applications on AWS. Copilot


Serverless

Compute
Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume.
Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance & reduces latency.
Fargate: refer containers section
Storage
S3: refer storage section
EFS: refer storage section
Data stores
DynamoDB is a key-value & document database that delivers single-digit millisecond performance at any scale.
Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora (MySQL & PostgreSQL-compatible editions), where the database will automatically start up, shut down, & scale capacity up or down based on your application's needs.
RDS Proxy is a fully managed, highly available database proxy for RDS that makes applications more scalable, more resilient to database failures, & more secure.
API Proxy
API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, & secure APIs at any scale.
Application integration
SNS is a fully managed messaging service for both system-to-system & app-to-person (A2P) communication.
SQS is a fully managed message queuing service that enables you to decouple & scale microservices, distributed systems, & serverless applications.
AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like DynamoDB & Lambda.
EventBridge is a serverless event bus that makes it easy to connect applications together using data from your apps, integrated SaaS apps, & AWS services.
Step Functions is a serverless function orchestrator that makes it easy to sequence Lambda functions & multiple AWS services into business-critical applications.
Analytics
Kinesis makes it easy to collect, process, & analyze real-time, streaming data so one can get timely insights.
Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Application Integration

SNS: reliable high-throughput pub/sub, SMS, email, and mobile push notifications
SQS: message queue that sends, stores, and receives messages between application components at any volume
Amazon MQ: message broker for Apache ActiveMQ that makes migration easy and enables hybrid architectures
Step Functions: coordinate multiple AWS services into serverless workflows so you can build and update apps quickly
API management
API Gateway: create, publish, maintain, monitor, & secure APIs at any scale for serverless workloads & web apps
AppSync: create a flexible API to securely access, manipulate, & combine data from one or more data sources
Event bus
EventBridge: build an event-driven architecture that connects application data from your own apps, SaaS, & AWS services
AppFlow: automate the flow of data between SaaS applications & AWS services at nearly any scale, without code

Management & Governance

Control Tower
The easiest way to set up and govern a new, secure multi-account AWS environment. ControlTower
Organizations
Organizations helps centrally govern your environment as you grow & scale workloads on AWS. Organizations
Well-Architected Tool
Well-Architected Tool helps review the state of workloads & compares them to the latest AWS architectural best practices. WATool
Budgets
Budgets lets you set custom budgets to track cost & usage from the simplest to the most complex use cases. Budgets
License Manager
License Manager makes it easier to manage software licenses from software vendors such as Microsoft, SAP, Oracle, & IBM across AWS & on-premises environments. LicenseManager
CloudFormation
CloudFormation enables the user to model & provision AWS infrastructure deployments predictably & repeatedly. CloudFormation
Service Catalog
Service Catalog allows organizations to create & manage catalogs of IT services that are approved for use on AWS. ServiceCatalog
OpsWorks
OpsWorks presents a simple and flexible way to create and maintain stacks and applications. OpsWorks
Marketplace
Marketplace is a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, & deploy software that runs on AWS. Marketplace
CloudWatch
CloudWatch offers a reliable, scalable, & flexible monitoring solution that is easy to get started with. CloudWatch
CloudTrail
CloudTrail is a service that enables governance, compliance, operational auditing, & risk auditing of an AWS account. CloudTrail
Systems Manager
Systems Manager lets you view, control, & automate operational tasks on your AWS resources. SystemsManager
Cost & usage report
Refer cost management section
Cost Explorer
Refer cost management section
Managed Services
Operates your AWS infrastructure on your behalf. ManagedServices
X-Ray
Refer developer tools section

Recommended security best practices

Turn on multi-factor authentication (MFA) for the root account.
Turn on CloudTrail log file validation.
Enable CloudTrail multi-region logging.
Integrate CloudTrail with CloudWatch Logs.
Enable access logging for CloudTrail S3 buckets.
Enable access logging for Elastic Load Balancing (ELB).
Enable Redshift audit logging.
Enable Virtual Private Cloud (VPC) flow logging.
Require multi-factor authentication (MFA) to delete CloudTrail buckets.
Enable CloudTrail logging across all AWS accounts & regions.
Turn on multi-factor authentication for IAM users, covering both console & programmatic (API) access.
Attach IAM policies to groups or roles, not to individual users.
Rotate IAM access keys regularly, and standardize on the selected number of days.
Set up a strict password policy.
Set the password expiration period to 90 days and prevent password reuse.
Don't use expired SSL/TLS certificates.
Use HTTPS for CloudFront distributions.
Restrict access to the CloudTrail bucket.
Encrypt CloudTrail log files at rest.
Encrypt Elastic Block Store (EBS) volumes, including database volumes.
Provision access to resources using IAM roles rather than long-lived access keys.
Ensure EC2 security groups don't have large ranges of ports open.
Configure EC2 security groups to restrict inbound access to EC2.
Avoid using the root user account for day-to-day work.
Use secure TLS ciphers when connecting between the client and ELB.
Use secure TLS versions when connecting between the client and ELB.
Use a standard naming (tagging) convention for EC2.
Encrypt RDS instances.
Ensure access keys are not being used with the root account.
Use secure CloudFront TLS versions.
Enable the require_ssl parameter in all Redshift clusters.
Rotate SSH keys periodically.
Minimize the number of discrete security groups.
Reduce the number of IAM groups.
Terminate unused access keys.
Disable access for inactive or unused IAM users.
Remove unused IAM access keys.
Delete unused SSH public keys.
Restrict access to AMIs.
Restrict access to EC2 security groups.
Restrict access to RDS instances.
Restrict access to Redshift clusters.
Restrict outbound access.
Disallow unrestricted ingress access on uncommon ports.
Restrict access to well-known services such as CIFS, FTP, ICMP, SMTP, SSH, and Remote Desktop.
Inventory & categorize all existing custom apps by the types of data stored, compliance requirements & possible threats they face.
Involve IT security throughout the development process.
Grant application users the fewest privileges possible.
Enforce a single set of data loss prevention policies across custom applications and all other cloud services.
Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII).
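The IAM hygiene items in the list above (root MFA, no root access keys, key rotation, unused keys, inactive users) can all be checked offline against the CSV that `aws iam get-credential-report` returns (base64-encoded). The script below is an added example written for this page, not code from the original cheat sheet or from AWS. The report rows are constructed (account ID 111122223333 is a documentation placeholder, the user names are invented) and only the columns the audit reads are included; the 90-day thresholds are assumptions standing in for whatever number of days you standardize on.

```python
"""Offline audit of an IAM credential report for the checklist's IAM hygiene rules."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report; account ID 111122223333 is a documentation placeholder.
# The real report carries more columns (certificate fields etc.); only those the audit reads are kept.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2024-04-30T09:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-02T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-01T00:00:00+00:00,true,2023-11-15T12:00:00+00:00,2023-06-01T00:00:00+00:00,2023-08-30T00:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2023-11-15T12:00:00+00:00,true,2023-01-10T00:00:00+00:00,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-01-10T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-01-10T00:00:00+00:00,2024-05-02T11:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed clock so the results are reproducible
KEY_MAX_AGE = timedelta(days=90)                   # assumed rotation threshold
INACTIVE_AFTER = timedelta(days=90)                # assumed "inactive user" threshold


def parse_ts(value):
    """Parse an ISO-8601 timestamp; report placeholders (N/A, no_information,
    not_supported) are not dates and become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for the hygiene rules in the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        if is_root and not has_mfa:
            findings.append((user, "root account without MFA"))
        if row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password without MFA"))
        # Last activity = newest of password use and any access-key use.
        activity = [t for t in (parse_ts(row["password_last_used"]),
                                parse_ts(row["access_key_1_last_used_date"]),
                                parse_ts(row["access_key_2_last_used_date"])) if t]
        if not is_root and activity and now - max(activity) > INACTIVE_AFTER:
            findings.append((user, f"inactive for more than {INACTIVE_AFTER.days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"access key {n} exists on the root account"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > KEY_MAX_AGE:
                findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
            if parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} has never been used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the constructed report this flags the root account three times (no MFA, an access key present, and that key never rotated), bob five times (password without MFA, inactive, two stale keys, one key never used) and the `ci-deploy` user once for a key past the rotation threshold; alice is clean. Against a real account, decode the report with `base64 -d` and feed the CSV to `audit_credential_report`.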

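The CloudTrail items in the checklist (log the whole account, protect the trail, keep the root user out of daily use, never use root access keys) only pay off if someone watches the records. The detection below is an added example for this page, not code from the original cheat sheet or from AWS: it walks CloudTrail-format records and raises alerts for root activity, root access-key use, console logins that succeeded without MFA, and API calls that weaken the trail itself. The five records are constructed (documentation account ID, placeholder key IDs, TEST-NET source addresses); the field names follow the real CloudTrail record schema.

```python
"""Detection logic over CloudTrail-format records for the checklist's root/MFA/trail rules."""
import json

# Constructed CloudTrail-style records (not real log data); account ID and key IDs are placeholders.
SAMPLE_LOG = json.loads(r'''
{"Records": [
  {"eventVersion": "1.08", "eventTime": "2024-05-03T09:12:41Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "Root", "principalId": "111122223333", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-03T09:30:02Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "arn": "arn:aws:iam::111122223333:user/alice", "accountId": "111122223333", "userName": "alice"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-03T10:02:15Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB", "arn": "arn:aws:iam::111122223333:user/bob", "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLEBOB", "userName": "bob"},
   "requestParameters": {"name": "org-trail"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-03T10:05:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEBOB", "arn": "arn:aws:iam::111122223333:user/bob", "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLEBOB", "userName": "bob"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-03T11:40:22Z", "eventSource": "s3.amazonaws.com",
   "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "Root", "principalId": "111122223333", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333", "accessKeyId": "AKIAEXAMPLEROOT"},
   "requestParameters": {"bucketName": "cloudtrail-logs-111122223333"}}
]}
''')

# CloudTrail API calls that weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect(records):
    """Return (severity, eventTime, message) alerts for the checklist's CloudTrail/IAM rules."""
    alerts = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        when = ev.get("eventTime", "")
        name = ev.get("eventName", "")
        # Root should not be used day to day; any root call is worth an alert,
        # and a root access key ID on the record means a long-lived root key exists.
        if ident.get("type") == "Root":
            alerts.append(("HIGH", when, f"root account used for {name} from {ev.get('sourceIPAddress')}"))
            if ident.get("accessKeyId"):
                alerts.append(("HIGH", when, f"root access key {ident['accessKeyId']} in use"))
        # Successful console login where MFA was not used (any principal).
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("HIGH", when, f"console login without MFA by {actor}"))
        # Someone turning the trail off or changing what it records.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            trail = ev.get("requestParameters", {}).get("name", "?")
            alerts.append(("CRITICAL", when, f"{name} on trail {trail} by {actor}"))
    return alerts


if __name__ == "__main__":
    for severity, when, message in detect(SAMPLE_LOG["Records"]):
        print(f"{severity:8} {when} {message}")
```

The sample yields five alerts: two for the root console login (root used, no MFA), one CRITICAL for `StopLogging`, and two for the root `DeleteBucket` call (root used, root access key present). In production the same rules belong in CloudWatch Logs metric filters or EventBridge rules fed by the trail, which is what "integrate CloudTrail with CloudWatch" in the list is for.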

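The security-group items in the list (no large port ranges, no unrestricted ingress on uncommon ports, restrict well-known services such as SSH/RDP/CIFS/FTP/SMTP, restrict outbound access) can be checked against the JSON that `aws ec2 describe-security-groups` returns. The audit below is an added example for this page, not code from the original cheat sheet or from AWS; the two groups are constructed (placeholder group IDs, TEST-NET CIDRs) and only the fields the audit reads are present. The 100-port "large range" cut-off and the tolerated web ports are assumptions.

```python
"""Audit of EC2 security groups for the checklist's ingress/egress rules."""

# Constructed security groups in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     ],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

ANYWHERE = {"0.0.0.0/0", "::/0"}
WELL_KNOWN = {21: "FTP", 22: "SSH", 25: "SMTP", 445: "CIFS/SMB", 3389: "RDP"}
WEB_ONLY = {(80, 80), (443, 443)}   # assumed: the only single ports tolerated from the internet
WIDE_RANGE = 100                    # assumed: more ports than this in one rule is a "large range"


def _sources(rule):
    """IPv4 and IPv6 CIDRs a rule accepts traffic from."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_security_groups(groups):
    """Return (group_id, finding) tuples. Rules that reference other security
    groups (UserIdGroupPairs) or prefix lists are not covered here."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            sources = _sources(rule)
            public = any(src in ANYWHERE for src in sources)
            if proto == "-1":
                # All protocols and ports: flag from any source, not only the internet.
                for src in sources:
                    findings.append((gid, f"all traffic allowed from {src}"))
                continue
            if not public:
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 0)
            hits = [f"{svc} (port {port})" for port, svc in WELL_KNOWN.items() if lo <= port <= hi]
            for hit in hits:
                findings.append((gid, f"{hit} open to the internet"))
            width = hi - lo + 1
            if width > WIDE_RANGE:
                findings.append((gid, f"{width} {proto} ports ({lo}-{hi}) open to the internet"))
            elif not hits and (lo, hi) not in WEB_ONLY:
                findings.append((gid, f"unrestricted ingress on {proto} {lo}-{hi}"))
        for rule in sg.get("IpPermissionsEgress", []):
            if rule["IpProtocol"] == "-1" and any(src in ANYWHERE for src in _sources(rule)):
                findings.append((gid, "unrestricted outbound access (all traffic to anywhere)"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}  {finding}")
```

The `web` group is flagged for SSH from anywhere and for the default allow-all egress rule (the 443 rule passes). The `legacy-app` group is flagged three times: its 1024-65535 range both exposes RDP and counts as a large range, and its all-protocol rule from 10.0.0.0/8 is reported even though the source is private, because "all traffic" from a whole /8 is rarely what a workload needs. Note that 3389 from 203.0.113.0/24 is accepted by this audit; whether a /24 of an admin network is tight enough is a policy decision the script does not make.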