Yesterday I successfully passed the exam to become an AWS Certified Solutions Architect - Professional at the first attempt. It was a very tough test and I invested a lot of time in preparation. In the exam, I noticed that the focus was a little different than I initially thought - and was briefly shocked. To save you this shock, I would like to briefly describe how I prepared for the exam and give further tips on how to prepare.

Warning: The exam consists of 75 random questions. It is also possible that the focus of your exam is different from what it was for me.

How did I prepare?

1. Online course

I completed the AWS Certified Solutions Architect - Professional course. This course helped me get an overview of the topics covered. If the site's licensing model puts you off, you can also use Udemy. The courses are available there as well.

The course deals with the general topics and gives tips on which whitepapers to look at as preparation. I haven't read all of the whitepapers. More on that later.

In addition, there are also so-called challenges, in which fictitious questions are asked and the answers discussed. I played through these challenges over and over until I reached 100% everywhere.

2. Hands-on preparation

As a hands-on preparation for the exam, I created this blog here. So I was able to practice the interaction of CloudFront, API Gateway, Lambda, StepFunctions and DynamoDB - and it was fun too. More information can be found in the website setup article:

3. Reading Whitepapers & FAQs

During preparation I read the following whitepapers and FAQs to get a better understanding of the areas I was uncertain about:

Of course, there are many more interesting whitepapers out there. You have to decide which ones may help you and which don't.

4. Online sample questions and quizzes

As a final preparation, I worked on the quiz questions in the following YouTube videos and tried to understand the answers:

Additionally I took the free sample quiz here:

AWS also provides sample questions along with answers for preparation. This is also a good opportunity to get a feeling for what questions can look like. You can find the current sample questions here. Furthermore, I studied using the "old" sample questions. Unfortunately, they don't come with answers. Fortunately, the answers are in the Japanese version, after each section, in Latin letters.

It took me approximately 2 months to prepare for the exam. It's hard to be exact here, as I did not count the hours I put into this - a big part of it went into implementing this blog, so not every hour was valuable for preparation.

5. Important things to remember

During preparation, I created a list of services and added lots of things I wanted to remember for the exam. Time passed and I realized that I had way too many things to remember. So I removed entries radically. I only kept things I found hard to remember (for whatever reason). So maybe the table helps you, maybe not.

API Gateway: Public, private or edge
Application Discovery Service: Useful for migration
AppStream: Streams applications to the local PC
Athena: Queries S3 data; does not support XML
AWS Config: Config rules -> check automatically for compliance
Batch: Uses prioritized job queues for the workload
CloudFormation: Stack policies deny deletion of everything by default -> explicit allow required
- Stack policies cannot be removed, only edited
- Stack policies can only be updated via CLI
CloudFront: Possible origins:
- S3
- HTTP server (also on-prem)
Behavior: allows defining different origins depending on the URL path
CloudTrail: By default, CloudTrail logs all regions and stores them in a single S3 location. It can however be configured to only log specific regions.
Cognito: User pool: stores users. Identity pool: gives stored users permissions.
Database Migration Service: Does not support Informix
DocumentDB: MongoDB in the cloud
DynamoDB: Global Secondary Index (GSI) -> separate table with a different partition key (hash key)
- Local Secondary Index (LSI) -> additional index to query for attributes not part of the sort key
- Eventually consistent by default
- Partition formula:
  - max. 10 GB of size
  - rcu/3000 + wcu/1000
EC2: Step-scaling policies do not have a cooldown period
Reserved instances:
- Regional:
  - no capacity reservation
  - all instances of the instance family can be used
- Zonal:
  - capacity reservation
  - only this particular instance type can be used
- Convertible:
  - can be modified and exchanged for comparable RIs
It is not possible to move RIs between regions.
Scaling:
- Manual
- Scheduled
- Metric based
ECS: ECS storage is handled by EBS
EFS: No native way to create snapshots. Can also be used by Lambda functions. Can be used along with a Direct Connect or VPN connection.
- Recommendation: one mount target per AZ
- Mount target: IP endpoint for EFS
- Mount targets are HA
Elastic Load Balancer: Only the Network Load Balancer supports static IPs with Elastic IPs. Application Load Balancers can use static IPs via Global Accelerator.
Elastic Beanstalk: Platforms:
- Go
- Java
- NodeJs
- Python
- Ruby
Deployment options:
- all at once
- rolling
- rolling with additional batch
- blue/green
- immutable
It is not possible to edit a deployment configuration. You have to recreate it.
Elastic Block Store (EBS): Replicated automatically within a single AZ.
- Availability target: 99.999%.
- Annual failure rate ~0.2%.
- Supports RAID configurations:
  - RAID 0 (no drive can fail)
  - RAID 1 (mirroring)
  - RAID 5 (parity bit; 1 drive can fail)
  - RAID 6 (2 drives can fail)
ElastiCache: Redis -> sophisticated (web session store, leaderboard). Memcached -> easy (DB caching).
EMR: Consists of multiple products to support huge amounts of data.
- Cluster: collection of EC2 instances to run steps.
- Step: programmatic task to process data.
- Master nodes -> manage the cluster
- Core nodes (with HDFS storage)
- Task nodes -> optional
EventBridge: Builds a bridge (event bus) between 3rd-party events and AWS services
General:
- IOPS: measure of how fast we can read and write to a device.
- Throughput: measure of how much data can be moved at a time.
- VPC interface endpoint -> sits inside a subnet, so per AZ.
- VPC gateway endpoint -> sits inside the VPC; HA by default.
- Use SQS instead of Kinesis for very large objects.
- OAuth -> OpenID -> SAML.
- MySQL MyISAM does not support replication.
- RAID 5 and RAID 6 are not recommended (parity bits eat up I/O).
HSM: Generates encryption keys. Non-shared hardware tenancy. Supports asymmetric keys.
Kinesis: HA per default.
- Retention: default 24 h, up to 7 days
- each shard: 1 MB/sec input
- each shard: 2 MB/sec output
- each shard provides up to 1000 puts/sec
- KCL -> Kinesis Client Library
- KPL -> Kinesis Producer Library
- Record: unit of data stored in a Kinesis stream, max. 1 MB per record
KMS: Stores and manages cryptographic keys. Shared-hardware tenancy.
MQ: Not supported as a VPC endpoint service
OpsWorks: Global service. Can only manage resources in the region you create the stack in.
Redshift: No Multi-AZ
Route 53: CNAME -> alias for a domain
- A record -> IP address
- Alias -> alias for a domain & support for the zone apex
S3: Max 5 TB object size
- Max 5 GB in a single PUT
- Recommended to upload in multiple parts when > 100 MB
- HEAD or GET to a non-existing object results in eventual consistency
- Overwrite PUTs and DELETEs are eventually consistent
- Encryption at rest:
  - SSE-S3: uses an S3-managed encryption key
  - SSE-C: customer-provided key
  - SSE-KMS: encryption key generated by KMS
  - Client-side encryption
Schema Conversion Tool (SCT): Supported sources:
- SQL Server
Service Catalog: Framework allowing admins to create pre-defined products.
- Granular control over which users have access to which offerings.
- Based on CloudFormation templates.
- Uses constraints to control how the products can be consumed:
  - Launch constraint: IAM role used while launching a product.
  - Notification constraint: SNS topic to receive events.
  - Template constraint: allowed values in templates
SQS (assumed; the service name is missing in the original, the values match SQS message retention): default 4 days, min 60 seconds, max 14 days
Storage Gateway: File Gateway -> NFS.
- Volume Gateway stored mode -> async backups.
- Volume Gateway cached mode -> cached locally and written to S3.
- Tape Gateway -> for existing tape processes
SWF: Consists of Decider and Activity Worker. Best suited for human-enabled workflows.
Systems Manager: Can also manage on-prem resources.
- Baselines -> define which patches are approved for installation on instances.
- Explorer -> health/performance of the AWS environment
- Resource Groups -> logical group of resources
- Patch Manager -> patch management for EC2 fleets
- Parameter Store
VPC: VPC endpoints: interface endpoints and gateway endpoints. Access to VPC endpoints is controlled via IAM policies.
- VPC cross-account peering is possible if in the same region.
- VPC inter-region peering is possible.
- Customer Gateway -> customer-facing appliance to establish a VPN connection.
- Virtual Private Gateway -> AWS-facing appliance to establish a VPN connection.
- VPCs don't support broadcast.
- Route table: most specific route first.
- 5 IP addresses are always reserved.
- The IP address of the DNS in a VPC is always the base of the subnet range + 2.
- Server Name Indication (SNI) -> enables virtual hosting.
- No "enhanced peering mode"
WorkDocs: Similar to Dropbox
WorkSpaces: Desktop in the cloud
X-Ray: Debugging microservices
Direct Connect / VPN (assumed; the service name is missing in the original): Not inherently redundant.
- Only BGP and static routes are supported.
- Traffic coming from on-prem via a Direct Connect connection is restricted from internet access.
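To make the CloudFormation entry in the table concrete, here is an added example (my own code, not from the original post or from AWS): a small Python evaluator for stack policies. It shows the two rules worth remembering: once a stack policy is attached, every update action is denied unless a statement explicitly allows it, and an explicit Deny wins over any Allow. Both policies, the logical resource IDs and the action names used for lookups are constructed for illustration; the ResourceType condition key that real stack policies also support is not modelled.

```python
import fnmatch

# Constructed stack policy (not from the page): a single explicit Allow.
# Everything not listed here is implicitly denied, so only Update:Modify on
# resources whose logical ID starts with "WebServer" will be permitted.
MODIFY_WEB_ONLY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Update:Modify",
            "Principal": "*",
            "Resource": "LogicalResourceId/WebServer*",
        }
    ]
}

# Constructed: allow every update, then carve out an explicit Deny that
# protects the database from replacement and deletion. Deny beats Allow.
PROTECT_DATABASE = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": "LogicalResourceId/ProductionDatabase",
        },
    ]
}


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Action and Resource fields accept '*' wildcards (e.g. 'Update:*')."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def update_allowed(policy: dict, action: str, logical_id: str) -> bool:
    """Decide whether a stack update may perform `action` on `logical_id`.

    Simplified semantics: an explicit Deny wins, then an explicit Allow,
    and anything no statement matches is implicitly denied.
    """
    resource = f"LogicalResourceId/{logical_id}"
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        (MODIFY_WEB_ONLY, "Update:Modify", "WebServerGroup"),
        (MODIFY_WEB_ONLY, "Update:Delete", "WebServerGroup"),
        (MODIFY_WEB_ONLY, "Update:Modify", "ProductionDatabase"),
        (PROTECT_DATABASE, "Update:Modify", "ProductionDatabase"),
        (PROTECT_DATABASE, "Update:Delete", "ProductionDatabase"),
    ]
    for policy, action, logical_id in checks:
        name = "MODIFY_WEB_ONLY" if policy is MODIFY_WEB_ONLY else "PROTECT_DATABASE"
        print(f"{name:17} {action:15} {logical_id:19} -> {update_allowed(policy, action, logical_id)}")
```

Run it as a script to see the decision matrix. The point for the exam and for real stacks is the same: a stack policy is a guardrail against destructive updates, so start from the narrowest Allow you can live with rather than from `Update:*` on `*`.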
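The VPC entry in the table packs two facts that are easy to get wrong under time pressure: the five addresses AWS reserves in every subnet (the DNS resolver at base + 2 among them) and the rule that the most specific route wins. The following added example (my own Python, not code from the original post or from AWS) works both out with the standard library. The route table and its target IDs are constructed placeholders; the reserved-address layout (network, VPC router at +1, DNS at +2, +3 reserved for future use, and the last address as broadcast) follows AWS's documented subnet sizing.

```python
import ipaddress

# Constructed route table (not from the page); target IDs are placeholders.
ROUTES = [
    ("10.0.0.0/16", "local"),            # the VPC's own CIDR block
    ("0.0.0.0/0", "igw-PLACEHOLDER"),    # default route to an internet gateway
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),  # peering connection to another VPC
    ("10.1.5.0/24", "tgw-PLACEHOLDER"),  # narrower route via a transit gateway
]


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses AWS reserves in every subnet.

    Network address, VPC router (+1), DNS resolver (+2),
    reserved for future use (+3), and the broadcast address (last).
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for instances after the five reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    return net.num_addresses - 5


def select_route(routes, destination: str):
    """VPC route selection: the most specific (longest prefix) matching route
    wins, regardless of the order in which routes appear in the table."""
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"))
    print("usable hosts in a /28:", usable_hosts("10.0.1.0/28"))
    for ip in ("10.0.3.4", "10.1.9.1", "10.1.5.9", "203.0.113.7"):
        print(ip, "->", select_route(ROUTES, ip))
```

The `/28` case is the one exam questions like: 16 addresses minus 5 reserved leaves 11 usable hosts. The route lookup also shows why a narrow route added through a peering or transit gateway attachment silently takes precedence over a broader one, which is worth checking when reviewing route tables for unintended paths.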

Tips for the exam

Take your time for preparation

The AWS SA Pro is one of the toughest certification exams you can sit. Therefore, take your time and make sure you have a very good understanding of the most important services AWS provides. I also realized (after the exam) that some of the questions I had originated from the support pages. See here for an example. It may be a good idea to have a look at the AWS Support Center pages as well.

Have a concept on how to deal with the short amount of time you have for each question

The exam consists of 75 questions. Many of these questions are very long and complex, so make sure you have a concept for how to cope with that. I quickly read through large questions and gave an answer from my gut feeling. I then flagged those questions for review and moved on to the next ones. At the end, I had a bit of time left to go over the flagged questions again, although I didn't change any of the answers. It seems the first gut feeling is often a good one.

Drink before going in

This sounds a bit obvious, but you won't have the chance to drink anything for ~3 hours. Make sure you start drinking enough early in the day. Go to the restroom right before the exam :-)

Use additional time, if possible

For me as a non-native English speaker, it was very helpful to have an extra 30 minutes, which can be requested if you can prove that you are a non-native English speaker. This can be requested while scheduling the exam and definitely helps.

Keep in mind important topics

I realized that the WAF, often in combination with Application Load Balancer and web ACLs, made up a huge part of my questions. As stated earlier, this can vary from exam to exam, but I recommend gaining hands-on experience with these components.

The combination of CloudFront & S3 was also part of multiple questions I came across. Make sure you understand how to allow access from CloudFront to S3 and how to prevent direct access to files stored on S3 using an Origin Access Identity (OAI).
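The CloudFront-to-S3 pattern just mentioned comes down to one bucket policy: grant `s3:GetObject` to the distribution's OAI and to nobody else, so the only way to reach the objects is through CloudFront. The following is an added example (my own Python, not code from the original post or from AWS) that builds that policy next to the public-read anti-pattern and includes a small checker that flags statements granting object reads to an anonymous principal. The bucket name and OAI ID are constructed placeholders; the OAI principal ARN format (`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <ID>`) is the one AWS documents for OAI-based bucket policies.

```python
import json

# Constructed placeholders, not real identifiers.
BUCKET = "example-static-site-bucket"
OAI_ID = "EXAMPLEOAIID"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets one CloudFront OAI read objects, and nobody else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def public_read_policy(bucket: str) -> dict:
    """The anti-pattern: anyone can bypass CloudFront and fetch objects directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PublicReadGetObject",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


# Actions that (directly or via wildcard) allow reading objects.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def anonymous_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant object reads to everyone.

    Statements carrying a Condition are skipped on purpose: a Principal "*"
    restricted to e.g. a VPC endpoint is not anonymous and needs manual review.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    good = oai_bucket_policy(BUCKET, OAI_ID)
    bad = public_read_policy(BUCKET)
    print(json.dumps(good, indent=2))
    print("anonymous read in OAI policy:   ", anonymous_read_statements(good))
    print("anonymous read in public policy:", anonymous_read_statements(bad))
```

Pair the policy with S3 Block Public Access on the bucket so that a later edit cannot quietly reintroduce the public-read statement; the checker above is the kind of test you would run over exported bucket policies to catch exactly that. AWS has since introduced Origin Access Control (OAC) as the successor to OAI, which uses the `cloudfront.amazonaws.com` service principal instead of an IAM user ARN, but the bucket-policy idea is the same.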

RDS global tables

I faced multiple questions asking how to enable multi-region failover for RDS. Make sure you understand what RDS global tables are and what they are intended for.

AWS DataSync exists

Unfortunately, I was not aware of the AWS DataSync service. I focused on migration strategies using Storage Gateway and completely overlooked DataSync.

VPC peering

Understand what VPC peering is and what it is not. Remember that VPCs can be peered across accounts (when in the same region) and across regions (when not cross-account). Understand the purpose of Transit Gateway.

Good luck!

I wish you good luck with your preparation! Let me know in the comments if this article helped you.