AWS


☁️ AWS Services — Complete Reference Guide For AWS Cloud and AWS DevOps Engineer

A comprehensive guide to all major AWS services: categories, use cases, functionality, and real-world integrations.


📚 Table of Contents

🖥️ Compute

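| # | Service | Category |
|---|---|---|
| 1 | Amazon EC2 | Compute |
| 2 | AWS Lambda | Compute |
| 3 | Amazon ECS | Compute |
| 4 | Amazon EKS | Compute |
| 5 | AWS Fargate | Compute |
| 6 | AWS Elastic Beanstalk | Compute |
| 7 | Amazon Lightsail | Compute |
| 8 | AWS Batch | Compute |
| 9 | AWS Outposts | Compute |
| 10 | AWS App Runner | Compute |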

🗄️ Storage

| # | Service | Category |
|---|---|---|
| 11 | Amazon S3 | Storage |
| 12 | Amazon EBS | Storage |
| 13 | Amazon EFS | Storage |
| 14 | Amazon S3 Glacier | Storage |
| 15 | AWS Storage Gateway | Storage |
| 16 | Amazon FSx | Storage |
| 17 | AWS Backup | Storage |

🛢️ Database

| # | Service | Category |
|---|---|---|
| 18 | Amazon RDS | Database |
| 19 | Amazon Aurora | Database |
| 20 | Amazon DynamoDB | Database |
| 21 | Amazon ElastiCache | Database |
| 22 | Amazon Redshift | Database |
| 23 | Amazon DocumentDB | Database |
| 24 | Amazon Neptune | Database |
| 25 | Amazon Keyspaces | Database |
| 26 | Amazon QLDB | Database |
| 27 | Amazon Timestream | Database |

🌐 Networking & Content Delivery

| # | Service | Category |
|---|---|---|
| 28 | Amazon VPC | Networking |
| 29 | Amazon CloudFront | Networking |
| 30 | Amazon Route 53 | Networking |
| 31 | Amazon API Gateway | Networking |
| 32 | Elastic Load Balancing | Networking |
| 33 | AWS Direct Connect | Networking |
| 34 | AWS Transit Gateway | Networking |
| 35 | AWS Global Accelerator | Networking |
| 36 | AWS PrivateLink | Networking |

🔐 Security, Identity & Compliance

| # | Service | Category |
|---|---|---|
| 37 | AWS IAM | Security |
| 38 | Amazon Cognito | Security |
| 39 | Amazon GuardDuty | Security |
| 40 | Amazon Inspector | Security |
| 41 | Amazon Macie | Security |
| 42 | AWS Shield | Security |
| 43 | AWS WAF | Security |
| 44 | AWS KMS | Security |
| 45 | AWS Secrets Manager | Security |
| 46 | AWS Certificate Manager | Security |
| 47 | AWS Security Hub | Security |

📊 Analytics

| # | Service | Category |
|---|---|---|
| 48 | Amazon Athena | Analytics |
| 49 | Amazon EMR | Analytics |
| 50 | Amazon Kinesis | Analytics |
| 51 | AWS Glue | Analytics |
| 52 | Amazon QuickSight | Analytics |
| 53 | AWS Lake Formation | Analytics |
| 54 | Amazon MSK | Analytics |
| 55 | Amazon OpenSearch Service | Analytics |

🤖 Machine Learning & AI

| # | Service | Category |
|---|---|---|
| 56 | Amazon SageMaker | ML/AI |
| 57 | Amazon Rekognition | ML/AI |
| 58 | Amazon Comprehend | ML/AI |
| 59 | Amazon Polly | ML/AI |
| 60 | Amazon Transcribe | ML/AI |
| 61 | Amazon Translate | ML/AI |
| 62 | Amazon Lex | ML/AI |
| 63 | Amazon Forecast | ML/AI |
| 64 | Amazon Personalize | ML/AI |
| 65 | Amazon Textract | ML/AI |
| 66 | Amazon Bedrock | ML/AI |

💬 Messaging & Integration

| # | Service | Category |
|---|---|---|
| 67 | Amazon SNS | Messaging |
| 68 | Amazon SQS | Messaging |
| 69 | Amazon EventBridge | Messaging |
| 70 | Amazon MQ | Messaging |
| 71 | Amazon SES | Messaging |
| 72 | AWS Step Functions | Messaging |
| 73 | Amazon AppFlow | Messaging |

🛠️ Developer Tools

| # | Service | Category |
|---|---|---|
| 74 | AWS CodeCommit | Developer Tools |
| 75 | AWS CodeBuild | Developer Tools |
| 76 | AWS CodeDeploy | Developer Tools |
| 77 | AWS CodePipeline | Developer Tools |
| 78 | AWS Cloud9 | Developer Tools |
| 79 | AWS X-Ray | Developer Tools |
| 80 | AWS CloudShell | Developer Tools |
| 81 | Amazon CodeGuru | Developer Tools |

📋 Management & Governance

| # | Service | Category |
|---|---|---|
| 82 | Amazon CloudWatch | Management |
| 83 | AWS CloudTrail | Management |
| 84 | AWS CloudFormation | Management |
| 85 | AWS Config | Management |
| 86 | AWS Systems Manager | Management |
| 87 | AWS Trusted Advisor | Management |
| 88 | AWS Control Tower | Management |
| 89 | AWS Organizations | Management |
| 90 | AWS CDK | Management |

📡 IoT

| # | Service | Category |
|---|---|---|
| 91 | AWS IoT Core | IoT |
| 92 | AWS IoT Greengrass | IoT |
| 93 | AWS IoT Analytics | IoT |
| 94 | AWS IoT SiteWise | IoT |

🚀 Migration & Transfer

| # | Service | Category |
|---|---|---|
| 95 | AWS Migration Hub | Migration |
| 96 | AWS DMS | Migration |
| 97 | AWS Snowball | Migration |
| 98 | AWS DataSync | Migration |

💰 Cost Management

| # | Service | Category |
|---|---|---|
| 99 | AWS Cost Explorer | Cost Management |
| 100 | AWS Budgets | Cost Management |

🖥️ COMPUTE SERVICES


Amazon EC2

| Field | Details |
|---|---|
| Category | Compute |
| Full Name | Amazon Elastic Compute Cloud |

🔍 Why It Is Used

Amazon EC2 provides resizable virtual servers in the cloud, eliminating the need to invest in physical hardware upfront. It allows you to scale up or down within minutes, paying only for what you use. EC2 is the backbone of most cloud architectures when persistent, configurable virtual machines are needed.

⚙️ Functionality

  • Launch virtual machines (instances) with hundreds of configurations (CPU, RAM, GPU, storage).
  • Choose from various instance families: General Purpose (t3, m6i), Compute Optimized (c6i), Memory Optimized (r6i), GPU (p4), Storage Optimized (i3).
  • Attach Elastic Block Store (EBS) volumes as persistent disk storage.
  • Use Auto Scaling Groups to automatically adjust capacity.
  • Configure Security Groups as virtual firewalls.
  • Support for On-Demand, Reserved, Spot, and Dedicated Host pricing models.
  • Placement Groups for high-performance computing clusters.
  • Elastic IPs for static public addresses.

🌐 Real-World Integration with Other AWS Services

E-commerce Platform Example:

Users → Route 53 (DNS) → CloudFront (CDN)
       → ALB (Load Balancer)
       → EC2 Auto Scaling Group (Web/App Servers)
       → RDS (Database) | ElastiCache (Cache)
       → S3 (Static Assets) | EBS (App Storage)
       → CloudWatch (Monitoring) | SNS (Alerts)

| Integrated Service | Role |
|---|---|
| ELB | Distributes traffic across multiple EC2 instances |
| Auto Scaling | Automatically adds/removes EC2 instances based on load |
| RDS | EC2 app servers connect to managed databases |
| S3 | EC2 reads/writes files and static assets |
| VPC | EC2 instances run inside private subnets |
| CloudWatch | Monitors CPU, memory, disk I/O of EC2 |
| IAM | Roles attached to EC2 to access other AWS services |
| EBS | Persistent block storage for EC2 root/data volumes |



AWS Lambda

| Field | Details |
|---|---|
| Category | Compute (Serverless) |
| Full Name | AWS Lambda |

🔍 Why It Is Used

Lambda allows you to run code without provisioning or managing servers. You upload your code and Lambda runs it in response to events. You pay only for the compute time consumed — there is no charge when code is not running. It is ideal for event-driven architectures, microservices, and automation tasks.

⚙️ Functionality

  • Supports Node.js, Python, Java, Go, Ruby, .NET, and custom runtimes.
  • Triggered by 200+ AWS services and event sources.
  • Scales automatically from zero to thousands of concurrent executions.
  • Maximum execution timeout of 15 minutes.
  • Supports Layers for shared libraries and dependencies.
  • Lambda@Edge runs code at CloudFront edge locations globally.
  • Provisioned Concurrency for latency-sensitive applications.
  • Up to 10 GB memory and 512 MB ephemeral /tmp storage.
  • VPC integration for accessing private resources.

🌐 Real-World Integration with Other AWS Services

Serverless API Backend Example:

Mobile App → API Gateway → Lambda (Business Logic)
                         → DynamoDB (Data Store)
                         → S3 (File Storage)
                         → SES (Email Notifications)
                         → SNS (Push Notifications)

| Integrated Service | Role |
|---|---|
| API Gateway | Exposes Lambda as HTTP REST/WebSocket APIs |
| S3 | Triggers Lambda on file uploads (e.g., image processing) |
| DynamoDB | Lambda reads/writes application data |
| SQS | Lambda processes messages from queues |
| CloudWatch Events | Triggers Lambda on schedules (cron jobs) |
| Cognito | Lambda authorizers validate JWT tokens |
| Step Functions | Orchestrates multiple Lambda functions as workflows |
| SNS | Lambda subscribes to topics for event processing |



Amazon ECS

| Field | Details |
|---|---|
| Category | Compute (Containers) |
| Full Name | Amazon Elastic Container Service |

🔍 Why It Is Used

ECS is a fully managed container orchestration service that makes it easy to deploy, manage, and scale Docker containerized applications. It eliminates the complexity of managing container scheduling infrastructure and integrates deeply with the AWS ecosystem.

⚙️ Functionality

  • Run Docker containers using Task Definitions (blueprints).
  • Services maintain a desired number of running tasks.
  • Two launch types: EC2 (manage your own instances) and Fargate (serverless).
  • Service Discovery via AWS Cloud Map.
  • Blue/Green deployments via CodeDeploy.
  • Auto Scaling based on CPU, memory, or custom metrics.
  • Integration with IAM Task Roles for fine-grained permissions.
  • Private container registry via Amazon ECR.

🌐 Real-World Integration with Other AWS Services

Microservices Architecture:

CodePipeline → CodeBuild → ECR (Container Registry)
→ ECS Service (Blue/Green Deployment)
→ ALB (Load Balancer per Service)
→ RDS / DynamoDB (Databases)
→ CloudWatch (Logs & Metrics)
→ Secrets Manager (Credentials)

| Integrated Service | Role |
|---|---|
| ECR | Stores and retrieves Docker images |
| ALB | Routes traffic to ECS tasks |
| IAM | Task roles grant permissions to AWS resources |
| CloudWatch Logs | Collects logs from containers |
| Secrets Manager | Injects secrets into containers at runtime |
| CodePipeline | CI/CD pipeline deploys new container versions |
| VPC | ECS tasks run in private subnets |



Amazon EKS

| Field | Details |
|---|---|
| Category | Compute (Kubernetes) |
| Full Name | Amazon Elastic Kubernetes Service |

🔍 Why It Is Used

EKS is a managed Kubernetes service that removes the burden of installing, operating, and maintaining a Kubernetes control plane. It is ideal for organizations that require Kubernetes for portability, complex orchestration, or have existing Kubernetes expertise.

⚙️ Functionality

  • Manages the Kubernetes control plane (API server, etcd) automatically.
  • Supports EC2 nodes and Fargate (serverless) pods.
  • Integrates with AWS networking (VPC CNI plugin).
  • Supports Horizontal Pod Autoscaler (HPA) and Cluster Autoscaler.
  • OIDC integration for IAM roles for service accounts (IRSA).
  • EKS Add-ons for managed components (CoreDNS, kube-proxy, VPC CNI).
  • Multi-region and multi-cluster support.
  • Supports Kubernetes Operators for stateful workloads.

🌐 Real-World Integration with Other AWS Services

Kubernetes-based Platform:

Developer → CodePipeline → ECR (Images)
→ EKS Cluster (Pods/Services)
→ ALB Ingress Controller (Traffic)
→ RDS / DynamoDB (Data)
→ EFS (Shared Storage for Pods)
→ CloudWatch Container Insights
→ AWS X-Ray (Distributed Tracing)

| Integrated Service | Role |
|---|---|
| ECR | Source of container images for pods |
| ALB | Kubernetes Ingress backed by Application Load Balancer |
| IAM | IRSA allows pods to access AWS services securely |
| EFS | Persistent shared storage across pods |
| CloudWatch | Container Insights for metrics and logs |
| Secrets Manager | CSI driver mounts secrets as volumes |
| VPC | Pods get VPC IPs via the AWS VPC CNI |



AWS Fargate

| Field | Details |
|---|---|
| Category | Compute (Serverless Containers) |
| Full Name | AWS Fargate |

🔍 Why It Is Used

Fargate is a serverless compute engine for containers that works with both ECS and EKS. You do not need to provision or manage servers — just define your CPU and memory requirements and Fargate handles the rest. It removes the operational overhead of managing EC2 instances for container workloads.

⚙️ Functionality

  • Fully serverless — no EC2 instance management required.
  • Each task runs in its own isolated compute environment.
  • Granular CPU (0.25–16 vCPU) and memory (0.5–120 GB) allocation.
  • Pay per task vCPU and memory consumed (per second).
  • Built-in security isolation between tasks.
  • Supports Spot pricing (Fargate Spot) for cost savings.
  • Works with ECS Services and EKS node groups.

🌐 Real-World Integration with Other AWS Services

Event-Driven Data Processing:

S3 Upload → EventBridge → ECS Task (Fargate)
→ Lambda (Trigger) → Fargate Task (Heavy Processing)
→ RDS (Store Results) → SNS (Notify on Completion)
→ CloudWatch Logs (Audit Trail)

| Integrated Service | Role |
|---|---|
| ECS / EKS | Fargate is the compute engine for tasks/pods |
| ECR | Pulls container images for Fargate tasks |
| ALB | Exposes Fargate services over HTTP/HTTPS |
| CloudWatch | Logs and metrics for Fargate tasks |
| Secrets Manager | Provides credentials to Fargate tasks |



AWS Elastic Beanstalk

| Field | Details |
|---|---|
| Category | Compute (PaaS) |
| Full Name | AWS Elastic Beanstalk |

🔍 Why It Is Used

Elastic Beanstalk is a Platform-as-a-Service (PaaS) that handles deployment, capacity provisioning, load balancing, auto scaling, and health monitoring automatically. Developers just upload their application code and Beanstalk manages the underlying infrastructure.

⚙️ Functionality

  • Supports Java, .NET, Node.js, Python, Ruby, PHP, Go, and Docker.
  • Automatically provisions EC2, ELB, Auto Scaling, RDS, and CloudWatch.
  • Environment tiers: Web Server (HTTP traffic) and Worker (background jobs).
  • Supports rolling, immutable, blue/green deployments.
  • Customizable via .ebextensions configuration files.
  • Managed platform updates.
  • Full access to underlying resources.

🌐 Real-World Integration with Other AWS Services

Web Application Deployment:

Developer → EB CLI / Console → Elastic Beanstalk
→ EC2 (App Servers) → ELB (Load Balancer)
→ RDS (Managed Database) → S3 (Static Files & Deployments)
→ CloudWatch (Health & Logs) → SNS (Alerts)

| Integrated Service | Role |
|---|---|
| EC2 | Beanstalk provisions instances automatically |
| ELB | Distributes traffic to app instances |
| RDS | Database tier for the application |
| S3 | Stores application bundles and assets |
| CloudWatch | Monitors app health, CPU, and logs |



Amazon Lightsail

| Field | Details |
|---|---|
| Category | Compute (Simplified VPS) |
| Full Name | Amazon Lightsail |

🔍 Why It Is Used

Lightsail is designed for developers, small businesses, and students who need a simple, low-cost VPS (Virtual Private Server). It bundles compute, storage, DNS, and networking into easy-to-manage plans, ideal for simple websites, blogs, and development environments.

⚙️ Functionality

  • Fixed-price monthly plans (starting ~$3.50/month).
  • Pre-configured blueprints: WordPress, LAMP, Node.js, Nginx, Magento.
  • Includes static IP, DNS management, and SSD storage.
  • One-click snapshots for backups.
  • Load balancers and managed databases available.
  • Easy peering with the rest of the AWS ecosystem.
  • Managed containers (Lightsail Containers).

🌐 Real-World Integration with Other AWS Services

Blog/Website Hosting:

Users → Lightsail Instance (WordPress)
→ Lightsail DNS (Route 53 compatible)
→ S3 (Media Offloading via plugin)
→ CloudFront (CDN for global performance)
→ SES (Transactional Email)

| Integrated Service | Role |
|---|---|
| S3 | Offload media files from Lightsail |
| CloudFront | CDN acceleration for Lightsail sites |
| SES | Email delivery for contact forms |
| Route 53 | Advanced DNS routing beyond Lightsail DNS |



AWS Batch

| Field | Details |
|---|---|
| Category | Compute (Batch Processing) |
| Full Name | AWS Batch |

🔍 Why It Is Used

AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs. It dynamically provisions compute resources based on the volume and requirements of the jobs submitted, removing the need to install and manage batch computing software.

⚙️ Functionality

  • Automatically provisions compute (EC2 or Fargate) for jobs.
  • Job Queues prioritize and schedule work.
  • Compute Environments define the resources available.
  • Job Definitions are templates for batch jobs (Docker containers).
  • Supports array jobs for parallel processing.
  • Supports Spot Instances for up to 90% cost reduction.
  • Managed and unmanaged compute environments.

🌐 Real-World Integration with Other AWS Services

Genomics Data Processing Pipeline:

S3 (Raw Genome Data) → Lambda (Trigger)
→ AWS Batch Jobs (Alignment / Analysis)
→ S3 (Results Output)
→ DynamoDB (Job Metadata)
→ SNS (Completion Notification)
→ QuickSight (Visualization)

| Integrated Service | Role |
|---|---|
| S3 | Input/output storage for batch jobs |
| ECR | Container images for Batch job definitions |
| Lambda | Triggers Batch jobs on events |
| CloudWatch | Monitors job status and logs |
| Step Functions | Orchestrates complex multi-step batch workflows |



AWS Outposts

| Field | Details |
|---|---|
| Category | Compute (Hybrid Cloud) |
| Full Name | AWS Outposts |

🔍 Why It Is Used

Outposts brings AWS infrastructure, services, APIs, and tools to virtually any on-premises or edge location. It is designed for workloads that require low latency, local data processing, or data residency requirements while still benefiting from AWS capabilities.

⚙️ Functionality

  • AWS-managed rack of servers installed in your data center.
  • Runs the same AWS hardware and software as in AWS regions.
  • Supports EC2, EBS, ECS, EKS, RDS, ElastiCache, EMR locally.
  • Data stays on-premises for compliance/residency.
  • Managed by AWS remotely (updates, monitoring, support).
  • Available in 1U/2U form factors and full rack options.

🌐 Real-World Integration with Other AWS Services

Manufacturing Plant (Low-Latency Processing):

Machines/Sensors → Outposts (Local EC2/RDS Processing)
→ AWS Region (S3 Backup) → CloudWatch (Central Monitoring)
→ Direct Connect (Secure Connectivity to AWS Region)
→ VPC (Seamless Networking)

| Integrated Service | Role |
|---|---|
| Direct Connect | Connects Outposts to AWS Region securely |
| VPC | Outposts subnets extend your VPC on-premises |
| S3 | Data tiering from Outposts to regional S3 |
| CloudWatch | Centralized monitoring of on-premises workloads |



AWS App Runner

| Field | Details |
|---|---|
| Category | Compute (Managed Container Platform) |
| Full Name | AWS App Runner |

🔍 Why It Is Used

App Runner is a fully managed service for deploying containerized web applications and APIs at scale without needing to configure infrastructure. It automatically builds and deploys your app and scales capacity up or down automatically.

⚙️ Functionality

  • Deploy directly from source code (GitHub) or container registry (ECR).
  • Fully managed build and deploy pipeline.
  • Automatic TLS certificate provisioning.
  • Auto-scaling based on concurrent requests.
  • VPC connector for accessing private resources.
  • Built-in load balancing and health checks.

🌐 Real-World Integration with Other AWS Services

GitHub / ECR → App Runner (Auto Deploy)
→ RDS / DynamoDB (Data) → ElastiCache (Cache)
→ Secrets Manager (Credentials)
→ CloudWatch (Logs & Metrics) → X-Ray (Tracing)

| Integrated Service | Role |
|---|---|
| ECR | Source of container images for App Runner |
| Secrets Manager | Injects environment secrets at runtime |
| CloudWatch | Logs and metrics for deployed services |
| VPC | Connects App Runner to private databases |



🗄️ STORAGE SERVICES


Amazon S3

| Field | Details |
|---|---|
| Category | Storage (Object Storage) |
| Full Name | Amazon Simple Storage Service |

🔍 Why It Is Used

S3 is the most widely used cloud storage service, providing object storage with industry-leading scalability, availability, security, and performance. It stores and retrieves any amount of data from anywhere — from websites, mobile apps, IoT devices, and enterprise applications.

⚙️ Functionality

  • Store objects (files) in buckets with up to 5 TB per object.
  • Storage Classes: Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier, Glacier Deep Archive.
  • S3 Lifecycle Policies for automatic tiering and deletion.
  • Versioning to keep multiple variants of objects.
  • Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C).
  • S3 Access Points and bucket policies for fine-grained access.
  • Static website hosting.
  • S3 Event Notifications to Lambda, SQS, SNS.
  • S3 Replication (Cross-Region and Same-Region).
  • S3 Select to query data directly.

🌐 Real-World Integration with Other AWS Services

Media Processing Platform:

User Upload → S3 (Raw Video Storage)
→ S3 Event → Lambda (Trigger Transcoding)
→ MediaConvert (Video Processing)
→ S3 (Processed Video) → CloudFront (Global Delivery)
→ DynamoDB (Metadata) → Cognito (User Auth)

| Integrated Service | Role |
|---|---|
| CloudFront | Distributes S3 content globally with low latency |
| Lambda | Triggered by S3 events for processing |
| Athena | Queries data stored in S3 using SQL |
| Glue | ETL jobs read/write S3 data |
| KMS | Encrypts S3 objects at rest |
| CloudTrail | Logs all S3 API activity |
| Replication | Copies objects across regions for DR |



Amazon EBS

| Field | Details |
|---|---|
| Category | Storage (Block Storage) |
| Full Name | Amazon Elastic Block Store |

🔍 Why It Is Used

EBS provides persistent block-level storage volumes for use with EC2 instances. It delivers the low-latency performance required for both throughput-intensive and IOPS-intensive workloads at any scale — from a single EC2 instance to large database clusters.

⚙️ Functionality

  • Volume types: gp3 (General Purpose), io2 (Provisioned IOPS), st1 (Throughput HDD), sc1 (Cold HDD).
  • Snapshots stored in S3 for backup and disaster recovery.
  • Encrypt volumes using AWS KMS.
  • Resize volumes without downtime.
  • Multi-Attach for io1/io2 volumes (multiple EC2 instances).
  • Fast Snapshot Restore (FSR) for instant volume restoration.
  • Up to 64,000 IOPS and 1,000 MB/s throughput per volume.

🌐 Real-World Integration with Other AWS Services

Database Server on EC2:

EC2 (Database Server) → EBS io2 (High IOPS Data Volume)
→ EBS gp3 (OS Volume)
→ AWS Backup (Scheduled Snapshots)
→ KMS (Encryption at Rest)
→ CloudWatch (I/O Metrics & Alarms)

| Integrated Service | Role |
|---|---|
| EC2 | EBS volumes attach to EC2 instances as disks |
| KMS | Encrypts EBS volumes at rest |
| AWS Backup | Automated snapshot scheduling and lifecycle |
| CloudWatch | Monitors read/write IOPS and latency |
| Data Lifecycle Manager | Automates EBS snapshot creation/retention |



Amazon EFS

| Field | Details |
|---|---|
| Category | Storage (File Storage) |
| Full Name | Amazon Elastic File System |

🔍 Why It Is Used

EFS provides a simple, scalable, serverless, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. Unlike EBS, EFS can be mounted by multiple EC2 instances simultaneously, making it ideal for shared file storage.

⚙️ Functionality

  • Fully managed NFS v4.1/4.0 file system.
  • Scales automatically from gigabytes to petabytes.
  • Performance modes: General Purpose and Max I/O.
  • Throughput modes: Bursting and Provisioned.
  • Storage classes: Standard and Infrequent Access (IA).
  • Lifecycle management to move files to IA automatically.
  • Encryption at rest (KMS) and in transit (TLS).
  • Works with ECS, EKS, Lambda, and on-premises via Direct Connect/VPN.

🌐 Real-World Integration with Other AWS Services

Shared Content Management System:

Multiple EC2 Instances (Web Servers) → EFS (Shared /var/www/html)
→ EFS IA (Archival Files) → Lambda (File Processing)
→ EKS Pods (PersistentVolumeClaim on EFS)
→ Direct Connect (On-premises access)
→ CloudWatch (Throughput & Connection Metrics)

| Integrated Service | Role |
|---|---|
| EC2 | Multiple instances mount EFS simultaneously |
| ECS / EKS | Containers use EFS as persistent shared storage |
| Lambda | Lambda mounts EFS for large file processing |
| Direct Connect | On-premises servers access EFS |
| KMS | Encrypts EFS data at rest |



Amazon S3 Glacier

| Field | Details |
|---|---|
| Category | Storage (Archival) |
| Full Name | Amazon S3 Glacier |

🔍 Why It Is Used

S3 Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. It is designed for data that is infrequently accessed and for which retrieval times of minutes to hours are acceptable.

⚙️ Functionality

  • Three storage tiers: Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive.
  • Retrieval options: Expedited (1-5 min), Standard (3-5 hrs), Bulk (5-12 hrs).
  • Vault Lock for WORM (Write Once, Read Many) compliance.
  • 99.999999999% (11 nines) durability.
  • Integrated with S3 Lifecycle Policies for automatic archiving.
  • Deep Archive: lowest-cost storage for 7-10 year retention.

🌐 Real-World Integration with Other AWS Services

Compliance Data Archival:

RDS Backups → S3 Standard → S3 Lifecycle Policy
→ Glacier Flexible Retrieval (30-day archive)
→ Glacier Deep Archive (1-year+ archive)
→ Vault Lock (WORM compliance policy)
→ CloudTrail (Audit of archive access)

| Integrated Service | Role |
|---|---|
| S3 | Lifecycle policies automatically move data to Glacier |
| AWS Backup | Archives backups directly to Glacier |
| CloudTrail | Logs all Glacier API operations |
| KMS | Encrypts Glacier archives |



AWS Storage Gateway

| Field | Details |
|---|---|
| Category | Storage (Hybrid) |
| Full Name | AWS Storage Gateway |

🔍 Why It Is Used

Storage Gateway is a hybrid cloud storage service that gives on-premises applications access to cloud storage. It bridges on-premises environments and AWS, enabling seamless data migration, backup, and DR scenarios.

⚙️ Functionality

  • File Gateway: NFS/SMB interface to S3 objects.
  • Volume Gateway: iSCSI block storage backed by S3.
  • Tape Gateway: Virtual tape library backed by S3/Glacier.
  • Low-latency local cache for frequently accessed data.
  • Seamless integration with on-premises backup software.
  • Hardware appliance or VM deployment on-premises.

🌐 Real-World Integration with Other AWS Services

On-premises Servers → Storage Gateway (NFS/SMB/iSCSI)
→ S3 (Primary Storage) → Glacier (Archival)
→ KMS (Encryption) → CloudWatch (Monitoring)
→ Direct Connect (Dedicated Bandwidth)

| Integrated Service | Role |
|---|---|
| S3 | Backend storage for all gateway types |
| Glacier | Long-term archival via Tape Gateway |
| Direct Connect | High-speed connectivity to AWS storage |
| KMS | Encrypts data in transit and at rest |



Amazon FSx

| Field | Details |
|---|---|
| Category | Storage (Managed File Systems) |
| Full Name | Amazon FSx |

🔍 Why It Is Used

FSx provides fully managed third-party file systems optimized for performance, for workloads requiring Windows-native file systems, high-performance computing (Lustre), or enterprise NetApp/OpenZFS storage.

⚙️ Functionality

  • FSx for Windows File Server: Full SMB protocol, Active Directory integration.
  • FSx for Lustre: High-performance for ML, HPC, analytics.
  • FSx for NetApp ONTAP: Enterprise NAS features with multi-protocol support.
  • FSx for OpenZFS: ZFS-based for low-latency Linux workloads.
  • Automatic backups, encryption, and multi-AZ deployments.
  • Seamless S3 integration (Lustre) for data lake acceleration.

🌐 Real-World Integration with Other AWS Services

HPC Workload:

S3 (Source Data) → FSx for Lustre (High-Speed Cache)
→ EC2 HPC Cluster / AWS Batch (Processing)
→ S3 (Results) → CloudWatch (Performance Metrics)
→ Active Directory (FSx Windows Auth)

| Integrated Service | Role |
|---|---|
| S3 | Data repository linked to FSx for Lustre |
| EC2 | Mounts FSx file systems |
| Active Directory | FSx for Windows integrates for auth |
| AWS Backup | Manages FSx backup lifecycle |



AWS Backup

| Field | Details |
|---|---|
| Category | Storage (Backup & Recovery) |
| Full Name | AWS Backup |

🔍 Why It Is Used

AWS Backup is a fully managed, policy-based backup service that simplifies data protection across AWS services. It centralizes and automates backup tasks for EBS, RDS, DynamoDB, EFS, FSx, Aurora, EC2, Storage Gateway, and more.

⚙️ Functionality

  • Centralized backup management console.
  • Backup Plans with schedules, retention, and lifecycle rules.
  • Cross-region and cross-account backup copies.
  • WORM backup vaults with Vault Lock.
  • Backup audit reports for compliance.
  • Supports 15+ AWS services natively.

🌐 Real-World Integration with Other AWS Services

Backup Plan (Policy) → EBS Snapshots → RDS Snapshots
→ DynamoDB Backups → EFS Backups → FSx Backups
→ Backup Vault (S3/Glacier Storage) → KMS (Encryption)
→ SNS (Backup Job Notifications) → CloudTrail (Audit)

| Integrated Service | Role |
|---|---|
| All Supported Services | AWS Backup creates backups of EC2, RDS, DynamoDB, EFS, etc. |
| KMS | Encrypts all backup data |
| SNS | Sends notifications on backup success/failure |
| CloudTrail | Logs all backup operations |



🛢️ DATABASE SERVICES


Amazon RDS

| Field | Details |
|---|---|
| Category | Database (Relational - Managed) |
| Full Name | Amazon Relational Database Service |

🔍 Why It Is Used

RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity while managing time-consuming database administration tasks (patching, backups, replication).

⚙️ Functionality

  • Supports MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora.
  • Multi-AZ deployments for high availability and automatic failover.
  • Read Replicas for read scaling (up to 5 replicas for MySQL).
  • Automated backups with point-in-time recovery (up to 35 days).
  • Storage Auto Scaling.
  • Performance Insights for query analysis.
  • Encryption at rest (KMS) and in transit (TLS).
  • RDS Proxy for connection pooling in serverless/Lambda environments.

🌐 Real-World Integration with Other AWS Services

Three-Tier Web Application:

ALB → EC2 / ECS (App Tier)
→ RDS Multi-AZ (Primary DB) ←→ RDS Read Replica (Read Scaling)
→ ElastiCache (Query Caching) → S3 (File Storage)
→ Secrets Manager (DB Credentials) → CloudWatch (Performance Insights)
→ Lambda + RDS Proxy (Serverless Connections)

| Integrated Service | Role |
|---|---|
| ElastiCache | Caches frequent queries to reduce RDS load |
| Secrets Manager | Stores and rotates database credentials |
| RDS Proxy | Pools connections from Lambda/ECS |
| CloudWatch | Monitors CPU, connections, replication lag |
| KMS | Encrypts RDS storage at rest |
| VPC | RDS runs in private subnets |



Amazon Aurora

| Field | Details |
|---|---|
| Category | Database (Relational - Cloud-Native) |
| Full Name | Amazon Aurora |

🔍 Why It Is Used

Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that combines the performance and availability of commercial databases with the simplicity and cost-effectiveness of open-source databases. It is up to 5× faster than MySQL and 3× faster than PostgreSQL on RDS.

⚙️ Functionality

  • MySQL and PostgreSQL compatible.
  • Distributed, fault-tolerant, self-healing storage (6 copies across 3 AZs).
  • Aurora Global Database for multi-region replication (<1 second RPO).
  • Aurora Serverless v2 — automatically scales capacity.
  • Up to 15 Aurora Replicas with <10ms replica lag.
  • Backtrack feature: rewind DB without restoring from backup.
  • Parallel Query for analytical workloads on transactional data.
  • Aurora Multi-Master for write scaling.

🌐 Real-World Integration with Other AWS Services

High-Traffic SaaS Application:

ALB → ECS (App Servers) → Aurora Cluster (Writer)
→ Aurora Replicas (Read Scaling) → ElastiCache (Cache Layer)
→ Aurora Global Database (Disaster Recovery Region)
→ Lambda + RDS Proxy (Serverless APIs)
→ DMS (Live Migration from MySQL)

| Integrated Service | Role |
|---|---|
| RDS Proxy | Connection pooling for serverless architectures |
| ElastiCache | Caches hot data to reduce Aurora load |
| DMS | Migrates data from other databases to Aurora |
| CloudWatch | Monitors query performance and replication |
| Global Database | Multi-region DR with near-zero RPO |



Amazon DynamoDB

| Field | Details |
|---|---|
| Category | Database (NoSQL - Key-Value/Document) |
| Full Name | Amazon DynamoDB |

🔍 Why It Is Used

DynamoDB is a fully managed, serverless, key-value NoSQL database designed for single-digit millisecond performance at any scale. It is the go-to database for applications that require consistent performance, high availability, and seamless scalability without managing servers.

⚙️ Functionality

  • Serverless — no cluster management required.
  • Single-digit millisecond reads/writes at any scale.
  • On-Demand and Provisioned capacity modes with auto-scaling.
  • Global Tables for multi-region active-active replication.
  • DynamoDB Streams for change data capture.
  • DynamoDB Accelerator (DAX) for microsecond in-memory caching.
  • TTL (Time to Live) for automatic item expiration.
  • Point-in-time recovery and on-demand backups.
  • Transactions support (ACID-compliant across multiple items).

🌐 Real-World Integration with Other AWS Services

Serverless Shopping Cart:

API Gateway → Lambda → DynamoDB (Cart Data)
→ DAX (Read Cache) → DynamoDB Streams
→ Lambda (Process Changes) → ElasticSearch (Search)
→ Global Tables (US, EU, AP regions)
→ SNS (Order Notifications) → S3 (Exports)

| Integrated Service | Role |
|---|---|
| DAX | In-memory cache for DynamoDB (microsecond reads) |
| Lambda | Triggered by DynamoDB Streams for event processing |
| API Gateway | Exposes DynamoDB via REST/WebSocket APIs |
| Kinesis Data Streams | Captures DynamoDB change data at high throughput |
| S3 | DynamoDB Export to S3 for analytics |
| Glue / Athena | Queries DynamoDB exports in S3 |



Amazon ElastiCache

| Field | Details |
|---|---|
| Category | Database (In-Memory Cache) |
| Full Name | Amazon ElastiCache |

🔍 Why It Is Used

ElastiCache is a fully managed in-memory data store and caching service, compatible with Redis and Memcached. It speeds up application performance by caching frequently accessed data, reducing database load and response times dramatically.

⚙️ Functionality

  • Redis: Advanced data structures, pub/sub, persistence, clustering, replication.
  • Memcached: Simple caching, multi-threaded, no persistence.
  • Sub-millisecond response times.
  • Cluster mode with sharding for horizontal scalability.
  • Redis Streams for message queuing.
  • Global Datastore for multi-region replication (Redis).
  • Automatic failover and Multi-AZ support.
  • Encryption at rest and in transit.

🌐 Real-World Integration with Other AWS Services

High-Performance API Backend:

API Request → Lambda / EC2
→ ElastiCache Redis (Check Cache)
  → Cache Hit: Return Data Immediately
  → Cache Miss: Query RDS / DynamoDB
               → Store in ElastiCache → Return Data
→ ElastiCache Pub/Sub (Real-time notifications)
→ CloudWatch (Cache Hit Ratio Metrics)

| Integrated Service | Role |
|---|---|
| RDS / Aurora | ElastiCache caches RDS query results |
| Lambda / EC2 | Applications connect to ElastiCache |
| CloudWatch | Monitors cache hit/miss ratio, evictions |
| VPC | ElastiCache runs in private subnets |
| SNS | Pub/Sub via Redis for real-time messaging |


Amazon Redshift

| Field | Details |
|---|---|
| Category | Database (Data Warehouse) |
| Full Name | Amazon Redshift |

🔍 Why It Is Used

Redshift is a fully managed, petabyte-scale cloud data warehouse that allows you to analyze large datasets using standard SQL. It is designed for online analytical processing (OLAP) rather than transactional (OLTP) workloads.

⚙️ Functionality

  • Columnar storage for fast analytical queries.
  • Massively parallel processing (MPP) architecture.
  • Redshift Spectrum: query data directly in S3.
  • AQUA (Advanced Query Accelerator) for 10× faster queries.
  • Concurrency Scaling for consistent performance under load.
  • Redshift Serverless — no cluster management.
  • Data Sharing across clusters/accounts.
  • Integration with S3, Glue, Kinesis, QuickSight.
  • ML capabilities (CREATE MODEL in SQL).

🌐 Real-World Integration with Other AWS Services

Analytics Data Platform:

Kinesis (Streaming) → S3 (Data Lake)
→ Glue ETL (Transform) → Redshift (Data Warehouse)
→ Redshift Spectrum (Query S3 directly)
→ QuickSight (Dashboards) → SageMaker (ML Models)
→ Lambda (Scheduled ETL Triggers) → CloudWatch (Query Metrics)

| Integrated Service | Role |
|---|---|
| S3 | Data lake source; Spectrum queries S3 data |
| Glue | ETL pipelines load data into Redshift |
| Kinesis | Real-time streaming data ingestion to Redshift |
| QuickSight | BI dashboards connected to Redshift |
| SageMaker | ML model training on Redshift data |
| Lambda | Triggers scheduled Redshift queries |


Amazon DocumentDB

| Field | Details |
|---|---|
| Category | Database (Document - MongoDB Compatible) |
| Full Name | Amazon DocumentDB |

🔍 Why It Is Used

DocumentDB is a fully managed document database service compatible with MongoDB. It is designed for JSON-like document workloads that require MongoDB API compatibility without managing MongoDB infrastructure.

⚙️ Functionality

  • MongoDB 3.6/4.0 API compatibility.
  • Decoupled compute and storage (like Aurora).
  • Storage scales automatically up to 128 TB.
  • Up to 15 read replicas.
  • Continuous backup to S3.
  • Full-text search integration.
  • Change streams for event-driven architectures.

🌐 Real-World Integration with Other AWS Services

Content Management System:

API Gateway → Lambda → DocumentDB (JSON Documents)
→ ElastiCache (Cache Popular Content)
→ S3 (Media Assets) → CloudFront (Delivery)
→ Lambda (Change Streams Processing)
→ OpenSearch (Full-text Search Index)

| Integrated Service | Role |
|---|---|
| Lambda | Serverless CRUD operations on DocumentDB |
| ElastiCache | Cache hot document queries |
| OpenSearch | Full-text search over document data |
| KMS | Encryption at rest |
| VPC | DocumentDB runs in private subnets |


Amazon Neptune

| Field | Details |
|---|---|
| Category | Database (Graph) |
| Full Name | Amazon Neptune |

🔍 Why It Is Used

Neptune is a fully managed graph database service optimized for storing and querying billions of relationships. It supports both Property Graph (Gremlin, openCypher) and RDF (SPARQL) models, ideal for social networks, fraud detection, knowledge graphs, and recommendation engines.

⚙️ Functionality

  • Supports Gremlin, openCypher, and SPARQL query languages.
  • Storage up to 64 TB, automatically scaled.
  • Up to 15 read replicas.
  • Fully managed with automated backups, patching, failover.
  • Neptune ML integrates with SageMaker for graph machine learning.
  • Global Database for multi-region reads.
  • Bulk loader from S3.

🌐 Real-World Integration with Other AWS Services

Fraud Detection System:

Transaction Events → Kinesis → Lambda
→ Neptune (Graph: Users, Transactions, Merchants, Devices)
→ Neptune ML / SageMaker (Anomaly Detection)
→ SNS (Fraud Alerts) → DynamoDB (Case Management)
→ QuickSight (Fraud Analytics Dashboard)

| Integrated Service | Role |
|---|---|
| SageMaker | Neptune ML for graph-based ML models |
| S3 | Bulk data loading into Neptune |
| Lambda | Event-driven graph queries and updates |
| Kinesis | Stream events into Neptune for real-time graphs |
| IAM | Fine-grained access control |


Amazon Keyspaces

| Field | Details |
|---|---|
| Category | Database (Wide Column - Cassandra Compatible) |
| Full Name | Amazon Keyspaces (for Apache Cassandra) |

🔍 Why It Is Used

Keyspaces is a scalable, highly available, and managed Apache Cassandra-compatible database service. It eliminates the need to provision, patch, or manage Cassandra infrastructure, ideal for IoT, time-series, and high-write-throughput applications.

⚙️ Functionality

  • CQL (Cassandra Query Language) compatible.
  • Serverless — scales automatically.
  • Single-digit millisecond reads/writes.
  • On-Demand and Provisioned capacity modes.
  • Point-in-time recovery and on-demand backups.
  • Encryption at rest (KMS) and in transit (TLS).

🌐 Real-World Integration with Other AWS Services

IoT Devices → IoT Core → Kinesis → Lambda
→ Keyspaces (Time-series sensor data)
→ S3 (Analytics Export) → Athena (Query)
→ CloudWatch (Performance Metrics)

| Integrated Service | Role |
|---|---|
| Lambda | Write sensor data into Keyspaces |
| Kinesis | Stream high-velocity IoT data |
| S3 | Export Keyspaces data for analytics |
| CloudWatch | Monitors read/write throughput |


Amazon QLDB

| Field | Details |
|---|---|
| Category | Database (Ledger) |
| Full Name | Amazon Quantum Ledger Database |

🔍 Why It Is Used

QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Ideal for systems of record requiring audit trail and data integrity verification.

⚙️ Functionality

  • Append-only immutable journal.
  • Cryptographic verification using SHA-256 hash chaining.
  • SQL-like query language (PartiQL).
  • Serverless — scales automatically.
  • Streaming to Kinesis for real-time processing.
  • Complete history of all data changes.

🌐 Real-World Integration with Other AWS Services

Supply Chain Tracking:

App → QLDB (Immutable Record of Goods Movement)
→ QLDB Streams → Kinesis → Lambda (Processing)
→ DynamoDB (Operational Data) → S3 (Audit Archives)
→ Athena (Compliance Reports) → QuickSight (Dashboards)

| Integrated Service | Role |
|---|---|
| Kinesis | QLDB streams changes to Kinesis |
| Lambda | Processes ledger change events |
| S3 | Archives ledger exports for long-term audit |
| IAM | Fine-grained ledger access control |


Amazon Timestream

| Field | Details |
|---|---|
| Category | Database (Time-Series) |
| Full Name | Amazon Timestream |

🔍 Why It Is Used

Timestream is a fast, scalable, and serverless time-series database for IoT and operational applications. It is up to 1,000× faster and 1/10th the cost of relational databases for time-series data.

⚙️ Functionality

  • Serverless — no server management required.
  • Automatic data tiering (memory store → magnetic store).
  • Built-in time-series analytics functions.
  • Adaptive query processing.
  • Integration with Grafana, QuickSight, SageMaker.
  • Scheduled queries for aggregation.

🌐 Real-World Integration with Other AWS Services

IoT Fleet Monitoring:

IoT Devices → IoT Core → Kinesis → Lambda
→ Timestream (Metric Storage)
→ Grafana (Real-time Dashboards)
→ SageMaker (Anomaly Detection)
→ SNS (Threshold Alerts) → CloudWatch

| Integrated Service | Role |
|---|---|
| IoT Core | Routes device telemetry to Timestream |
| Kinesis | High-throughput ingestion pipeline |
| Grafana | Real-time dashboards on Timestream data |
| SageMaker | ML-based anomaly detection |
| Lambda | Custom metric ingestion and transformation |


🌐 NETWORKING & CONTENT DELIVERY


Amazon VPC

| Field | Details |
|---|---|
| Category | Networking (Virtual Private Cloud) |
| Full Name | Amazon Virtual Private Cloud |

🔍 Why It Is Used

VPC allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. It gives you complete control over your networking environment, including IP address ranges, subnets, route tables, and gateways.

⚙️ Functionality

  • Define public and private subnets across multiple Availability Zones.
  • Internet Gateway (IGW) for public internet connectivity.
  • NAT Gateway for outbound internet from private subnets.
  • VPC Peering to connect VPCs within or across accounts.
  • Security Groups (stateful firewalls) and NACLs (stateless).
  • VPC Endpoints (Gateway and Interface) for private AWS service access.
  • Flow Logs for network traffic monitoring.
  • VPN Gateway for site-to-site VPN connections.

🌐 Real-World Integration with Other AWS Services

Secure Three-Tier Architecture:

Internet → IGW → Public Subnet (ALB, Bastion Host)
→ Private Subnet (EC2 App Servers, ECS)
→ Private Subnet (RDS, ElastiCache, DynamoDB VPC Endpoint)
→ NAT Gateway (Outbound Internet for Private Subnet)
→ VPC Endpoints (S3, DynamoDB without internet)
→ VPC Flow Logs → CloudWatch / S3 (Analysis)

| Integrated Service | Role |
|---|---|
| EC2 / ECS / RDS | All run inside VPC subnets |
| ALB | Deployed in public subnets within VPC |
| Direct Connect | Connects on-premises to VPC |
| CloudWatch | Ingests VPC Flow Logs |
| S3 | Gateway endpoint for private S3 access |
| Route 53 | Private hosted zones within VPC |


Amazon CloudFront

| Field | Details |
|---|---|
| Category | Networking (CDN) |
| Full Name | Amazon CloudFront |

🔍 Why It Is Used

CloudFront is a fast content delivery network (CDN) that securely delivers data, videos, applications, and APIs globally with low latency and high transfer speeds, using a network of 450+ edge locations worldwide.

⚙️ Functionality

  • 450+ points of presence globally.
  • Caches content at edge for low-latency delivery.
  • Supports dynamic and static content.
  • Lambda@Edge and CloudFront Functions for edge computing.
  • HTTPS by default with custom SSL certificates (ACM).
  • Origin failover for high availability.
  • Geo-restriction to block specific countries.
  • AWS WAF and Shield Standard integration.
  • Signed URLs and Cookies for content access control.
  • Real-time logs and standard access logs.

🌐 Real-World Integration with Other AWS Services

Global Streaming Platform:

Users (Global) → CloudFront (450+ Edge Locations)
→ S3 (Static Assets: HTML/CSS/JS/Images)
→ MediaPackage (Video Streams)
→ ALB → EC2/ECS (Dynamic API)
→ WAF (Security Rules) → Shield Advanced (DDoS)
→ Lambda@Edge (Auth, A/B Testing, Header Manipulation)
→ CloudWatch (Cache Hit Ratio, Error Rates)

| Integrated Service | Role |
|---|---|
| S3 | Origin for static website and assets |
| ALB / EC2 | Dynamic origin for API responses |
| WAF | Blocks malicious requests at edge |
| ACM | Provides free TLS certificates for custom domains |
| Lambda@Edge | Runs code at edge for request customization |
| Route 53 | Routes users to CloudFront distribution |


Amazon Route 53

| Field | Details |
|---|---|
| Category | Networking (DNS) |
| Full Name | Amazon Route 53 |

🔍 Why It Is Used

Route 53 is a highly available and scalable cloud DNS service. It connects user requests to infrastructure running in AWS, routes traffic globally, and checks the health of your resources for automatic failover.

⚙️ Functionality

  • DNS record types: A, AAAA, CNAME, MX, TXT, NS, SOA, CAA, Alias.
  • Routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, Multi-value.
  • Health checks with automatic DNS failover.
  • Private hosted zones for internal VPC DNS.
  • Traffic Flow visual policy builder.
  • DNSSEC for DNS security.
  • Domain registration.
  • Resolver for DNS forwarding between on-premises and VPC.

🌐 Real-World Integration with Other AWS Services

Multi-Region Active-Active Application:

Users → Route 53 (Latency-Based Routing)
→ US-East: CloudFront → ALB → ECS (US Region)
→ EU-West: CloudFront → ALB → ECS (EU Region)
→ Route 53 Health Checks (Failover)
→ Aurora Global Database (Cross-region replication)
→ CloudWatch (Alarm triggers DNS failover)

| Integrated Service | Role |
|---|---|
| CloudFront | Route 53 Alias records point to CloudFront |
| ALB / ELB | Route 53 routes to load balancers |
| EC2 / ECS | DNS resolves to application endpoints |
| Health Checks | Automatic failover when endpoints are unhealthy |
| VPC | Private hosted zones for internal service discovery |


Amazon API Gateway

| Field | Details |
|---|---|
| Category | Networking (API Management) |
| Full Name | Amazon API Gateway |

🔍 Why It Is Used

API Gateway is a fully managed service for creating, publishing, maintaining, monitoring, and securing APIs. It acts as the front door for applications to access backend services (Lambda, EC2, HTTP endpoints) and supports REST, HTTP, and WebSocket APIs.

⚙️ Functionality

  • REST API, HTTP API (faster, cheaper), and WebSocket API.
  • Request/Response transformation and validation.
  • Usage Plans and API Keys for throttling and quota management.
  • Authorization: IAM, Cognito User Pools, Lambda Authorizers.
  • Stage management for dev/staging/prod environments.
  • Built-in caching with configurable TTL.
  • Custom domain names with ACM certificates.
  • VPC Link for connecting to private backend resources.
  • Integration with CloudWatch for logging and metrics.

🌐 Real-World Integration with Other AWS Services

Full Serverless API:

Mobile App → API Gateway (REST/HTTP API)
→ Cognito Authorizer (Auth) → Lambda (Business Logic)
→ DynamoDB (Data) → S3 (Files) → SES (Email)
→ CloudWatch (Logs & Metrics) → X-Ray (Tracing)
→ WAF (Security) → ACM (SSL/TLS)

| Integrated Service | Role |
|---|---|
| Lambda | Primary backend compute for serverless APIs |
| Cognito | User authentication and JWT authorization |
| WAF | Protects APIs from web attacks |
| CloudWatch | Logs API calls, latency, error rates |
| X-Ray | End-to-end distributed tracing through API calls |
| ACM | SSL certificate for custom API domains |


Elastic Load Balancing

| Field | Details |
|---|---|
| Category | Networking (Load Balancing) |
| Full Name | AWS Elastic Load Balancing (ELB) |

🔍 Why It Is Used

ELB automatically distributes incoming application traffic across multiple targets (EC2, containers, IPs, Lambda) in one or more Availability Zones. It ensures fault tolerance and horizontal scalability for applications.

⚙️ Functionality

  • ALB (Application): Layer 7, HTTP/HTTPS, path/host-based routing, WebSocket.
  • NLB (Network): Layer 4, ultra-low latency, TCP/UDP, static IP.
  • GLB (Gateway): Layer 3, for inline virtual appliances (firewalls, IDS).
  • CLB (Classic): Legacy, L4/L7 combined (not recommended for new workloads).
  • Health checks to route only to healthy targets.
  • SSL/TLS termination and offloading.
  • Sticky Sessions (session affinity).
  • Integration with Auto Scaling Groups.
  • Access logs to S3.

🌐 Real-World Integration with Other AWS Services

Auto-Scaling Web Application:

Route 53 → ALB (Multi-AZ)
→ EC2 Auto Scaling Group (Target Group)
→ ECS Fargate Services (Weighted Target Groups)
→ Cognito (ALB Authentication Action)
→ WAF (Rate Limiting) → ACM (SSL Termination)
→ S3 (ALB Access Logs) → CloudWatch (Request Metrics)

| Integrated Service | Role |
|---|---|
| EC2 Auto Scaling | ELB routes to scaling EC2 fleet |
| ECS / EKS | ELB integrates as Kubernetes/ECS ingress |
| ACM | Provides TLS certificates for HTTPS listeners |
| WAF | Attaches to ALB for web application protection |
| Cognito | ALB can authenticate users via Cognito |
| CloudWatch | Metrics: request count, latency, 4xx/5xx errors |


AWS Direct Connect

| Field | Details |
|---|---|
| Category | Networking (Dedicated Connectivity) |
| Full Name | AWS Direct Connect |

🔍 Why It Is Used

Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the public internet. It provides more consistent network performance, lower bandwidth costs for high-volume data transfer, and can meet compliance requirements for private connectivity.

⚙️ Functionality

  • Dedicated connections: 1 Gbps, 10 Gbps, 100 Gbps.
  • Hosted connections: 50 Mbps to 10 Gbps via partners.
  • Virtual Interfaces (VIFs): Private (VPC), Public (AWS services), Transit (TGW).
  • Direct Connect Gateway for multi-region/multi-VPC connectivity.
  • Link Aggregation Groups (LAG) for redundancy and throughput.
  • BFD for fast failover.
  • MACsec for encryption at the link layer.

🌐 Real-World Integration with Other AWS Services

Hybrid Enterprise Architecture:

On-premises DC → Direct Connect (Dedicated Line)
→ AWS Direct Connect Gateway
→ Transit Gateway (Hub for multiple VPCs)
→ VPC (US-East) | VPC (EU-West) | VPC (Shared Services)
→ S3 (via Public VIF) → Redshift (Analytics)
→ CloudWatch (Connection Metrics) → Route 53 (Private DNS)

| Integrated Service | Role |
|---|---|
| VPC | Private VIF connects on-premises to VPC |
| Transit Gateway | Single DX connects to multiple VPCs |
| S3 / DynamoDB | Public VIF for direct private access |
| CloudWatch | Monitors DX connection health and throughput |
| Outposts | Connected to AWS Region via Direct Connect |


AWS Transit Gateway

| Field | Details |
|---|---|
| Category | Networking (Network Hub) |
| Full Name | AWS Transit Gateway |

🔍 Why It Is Used

Transit Gateway acts as a cloud router enabling you to connect thousands of VPCs and on-premises networks through a single central hub. It eliminates the complex peering mesh of individual VPC-to-VPC connections.

⚙️ Functionality

  • Hub-and-spoke model for VPC connectivity.
  • Connects VPCs, VPNs, Direct Connect, and SD-WAN.
  • Route Tables for traffic segmentation.
  • Multicast support.
  • Transit Gateway Network Manager for global network monitoring.
  • Inter-region peering between Transit Gateways.
  • Bandwidth up to 50 Gbps per VPC attachment.

🌐 Real-World Integration with Other AWS Services

Enterprise Multi-VPC Architecture:

VPC-Prod → Transit Gateway (Hub)
VPC-Dev → Transit Gateway ← On-premises (Direct Connect/VPN)
VPC-Shared-Services → Transit Gateway
→ Route Tables (Isolate Prod from Dev)
→ Network Manager (Global topology view)
→ CloudWatch (Flow Logs via TGW)

| Integrated Service | Role |
|---|---|
| VPC | Spokes attached to TGW hub |
| Direct Connect | On-premises connects to AWS via TGW |
| VPN | Site-to-site VPN terminates on TGW |
| CloudWatch | TGW attachment metrics and flow logs |
| RAM | Share TGW across AWS Organization accounts |


AWS Global Accelerator

| Field | Details |
|---|---|
| Category | Networking (Performance) |
| Full Name | AWS Global Accelerator |

🔍 Why It Is Used

Global Accelerator improves the performance of global applications by routing user traffic through the AWS global network instead of the public internet. It provides two static IP addresses and directs traffic to optimal endpoints based on health, geography, and routing policies.

⚙️ Functionality

  • Two static Anycast IPs for your application.
  • Routes over AWS backbone network (not public internet).
  • Endpoint groups in multiple AWS regions.
  • Weighted routing for A/B testing or gradual deployment.
  • Instant regional failover.
  • Built-in DDoS protection via Shield Standard.
  • Works with ALB, NLB, EC2, and Elastic IPs as endpoints.

🌐 Real-World Integration with Other AWS Services

Globally Distributed Gaming Application:

Players (Global) → Global Accelerator (Static IPs)
→ Nearest AWS Region (Low Latency Routing)
→ NLB → EC2 Game Servers / ECS
→ DynamoDB Global Tables (Player State)
→ ElastiCache (Session Data) → CloudWatch (Latency Metrics)

| Integrated Service | Role |
|---|---|
| ALB / NLB | Endpoints behind Global Accelerator |
| EC2 | Application servers in multiple regions |
| Shield | DDoS protection included with Global Accelerator |
| CloudWatch | Monitors accelerator health and latency |
| Route 53 | DNS points to Global Accelerator’s static IPs |


AWS PrivateLink

| Field | Details |
|---|---|
| Category | Networking (Private Connectivity) |
| Full Name | AWS PrivateLink |

🔍 Why It Is Used

PrivateLink enables private connectivity between VPCs and AWS services, avoiding public internet exposure. It is the foundation for VPC Interface Endpoints and allows SaaS providers to expose their services privately to customers’ VPCs.

⚙️ Functionality

  • VPC Interface Endpoints for 100+ AWS services.
  • Endpoint services for sharing NLB-backed services privately.
  • Traffic stays within AWS network.
  • No need for internet gateways, NAT, or VPN.
  • Private DNS for seamless service resolution.
  • Security Group control on Interface Endpoints.
  • Supported across VPCs, accounts, and AWS Organizations.

🌐 Real-World Integration with Other AWS Services

Private EC2 → VPC Interface Endpoint (PrivateLink)
→ S3 / SQS / SNS / SecretsManager (Private Access)
→ 3rd Party SaaS (via Endpoint Service + NLB)
→ No IGW / NAT Gateway Needed
→ VPC Flow Logs (Traffic Audit)

| Integrated Service | Role |
|---|---|
| NLB | Backs PrivateLink endpoint services |
| VPC | Interface endpoints created in VPC subnets |
| IAM | Policies control who can use endpoints |
| S3 / SQS / Others | Accessed privately via Interface Endpoints |


🔐 SECURITY, IDENTITY & COMPLIANCE


AWS IAM

| Field | Details |
|---|---|
| Category | Security (Identity & Access Management) |
| Full Name | AWS Identity and Access Management |

🔍 Why It Is Used

IAM enables you to securely control access to AWS services and resources. It allows you to create and manage users, groups, roles, and permissions — enforcing the principle of least privilege across your entire AWS infrastructure.

⚙️ Functionality

  • Users, Groups, and Roles for identity management.
  • JSON-based IAM Policies for fine-grained permissions.
  • IAM Roles for EC2, Lambda, ECS (no long-term credentials).
  • SAML 2.0 and OIDC federation for SSO.
  • Multi-Factor Authentication (MFA) enforcement.
  • IAM Access Analyzer for identifying over-permissive policies.
  • Permission Boundaries for delegated administration.
  • Service Control Policies (SCPs) in AWS Organizations.
  • Credential reports and access advisors.

🌐 Real-World Integration with Other AWS Services

Least-Privilege Architecture:

Developer (IAM User + MFA) → IAM Role Assumption (Dev Account)
EC2 Instance → IAM Role → S3/DynamoDB/SQS (no keys in code)
Lambda → Execution Role → RDS/SNS/CloudWatch
ECS Task Role → Secrets Manager / S3 (task-level permissions)
SCP (Organization) → Restrict all accounts from disabling CloudTrail

| Integrated Service | Role |
|---|---|
| All AWS Services | IAM policies control access to every AWS service |
| Organizations | SCPs apply IAM-like boundaries across accounts |
| Cognito | Federated identity for end-user access |
| CloudTrail | Logs all IAM API calls for audit |
| Access Analyzer | Detects unintended external access to resources |
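
The last line of the Least-Privilege Architecture flow, an SCP that stops member accounts from disabling CloudTrail, can be checked before it is attached. The following is an added example, not code from this guide or from AWS: the policy document, the list of protected actions and the helper names (`audit_scp`, `statement_coverage`) are constructed for illustration, and only an unconditional Deny on all resources is counted as full coverage.

```python
import json
from fnmatch import fnmatchcase

# CloudTrail API actions that stop, delete or weaken a trail.
PROTECTED_ACTIONS = (
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
)

# Constructed SCP (not from the guide): an unconditional Deny on trail tampering.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:Update*",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
""")


def as_list(value):
    """Policy JSON allows a single string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches(action, patterns):
    """Case-insensitive match of an action against '*' / '?' wildcard patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in as_list(patterns))


def statement_coverage(stmt, action):
    """Return 'denied', 'conditional' or None for one policy statement."""
    if stmt.get("Effect") != "Deny":
        return None
    if "*" not in as_list(stmt.get("Resource")):
        return None  # scoped to named resources, so other trails stay exposed
    if "NotAction" in stmt:
        hit = not matches(action, stmt["NotAction"])
    else:
        hit = matches(action, stmt.get("Action"))
    if not hit:
        return None
    # A Condition block (for example a break-glass role exemption) needs review.
    return "conditional" if stmt.get("Condition") else "denied"


def audit_scp(scp, protected=PROTECTED_ACTIONS):
    """Map each protected action to 'denied', 'conditional' or 'missing'."""
    report = {}
    for action in protected:
        results = {statement_coverage(s, action)
                   for s in as_list(scp.get("Statement"))}
        if "denied" in results:
            report[action] = "denied"
        elif "conditional" in results:
            report[action] = "conditional"
        else:
            report[action] = "missing"
    return report


if __name__ == "__main__":
    for action, status in audit_scp(SAMPLE_SCP).items():
        print(f"{status:12} {action}")
```

A `conditional` result is not necessarily wrong, since many organizations exempt one recovery role, but each exemption is a path around the guardrail and should be reviewed by a person.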


Amazon Cognito

| Field | Details |
|---|---|
| Category | Security (User Authentication) |
| Full Name | Amazon Cognito |

🔍 Why It Is Used

Cognito provides user identity and authentication for web and mobile apps. It handles user sign-up, sign-in, MFA, social federation, and temporary AWS credential vending — eliminating the need to build custom auth infrastructure.

⚙️ Functionality

  • User Pools: User directory with sign-up, sign-in, JWT token issuance.
  • Identity Pools: Federated identity for temporary AWS credentials.
  • Social federation: Google, Facebook, Apple, SAML, OIDC.
  • Custom Lambda Triggers (pre/post auth, custom messages).
  • MFA: TOTP and SMS.
  • Adaptive authentication based on risk signals.
  • Hosted UI for out-of-the-box authentication pages.
  • PKCE flow support for SPAs and mobile apps.

🌐 Real-World Integration with Other AWS Services

Mobile App Authentication:

Mobile User → Cognito User Pool (Sign-in)
→ JWT Token → API Gateway (Cognito Authorizer)
→ Lambda (Business Logic)
→ Cognito Identity Pool → Temporary IAM Credentials
→ S3 (User-specific folder access) → DynamoDB
→ SES / SNS (Verification Emails / SMS OTP)
→ CloudWatch (Auth Event Logs)

| Integrated Service | Role |
|---|---|
| API Gateway | Validates Cognito JWT for API authorization |
| ALB | Cognito-integrated ALB authentication action |
| IAM | Identity Pools exchange Cognito tokens for IAM credentials |
| Lambda | Custom Cognito trigger for auth workflows |
| SES | Sends Cognito verification and reset emails |


Amazon GuardDuty

| Field | Details |
|---|---|
| Category | Security (Threat Detection) |
| Full Name | Amazon GuardDuty |

🔍 Why It Is Used

GuardDuty is an intelligent threat detection service that continuously monitors AWS accounts and workloads for malicious activity using ML, anomaly detection, and threat intelligence feeds. It requires no agents or software deployment.

⚙️ Functionality

  • Analyzes CloudTrail logs, VPC Flow Logs, DNS logs, EKS Audit Logs.
  • Detects: account compromises, credential theft, crypto mining, port scanning, data exfiltration.
  • Integration with AWS Organizations for multi-account deployment.
  • S3 Protection, EKS Protection, Malware Protection, RDS Protection, Lambda Protection.
  • Findings with severity scores sent to Security Hub and EventBridge.
  • Automated remediation via Lambda-triggered workflows.

🌐 Real-World Integration with Other AWS Services

Automated Threat Response:

GuardDuty (Threat Detection)
→ EventBridge (Finding Event)
→ Lambda (Auto-Remediation: Isolate EC2, Revoke IAM Credentials)
→ SNS (Alert Security Team) → Security Hub (Centralized View)
→ S3 (Finding Archive) → Athena (Threat Analysis)
→ CloudWatch (Dashboard)

| Integrated Service | Role |
|---|---|
| EventBridge | Routes GuardDuty findings to automation |
| Lambda | Auto-remediates threats (isolate instance, revoke keys) |
| Security Hub | Aggregates GuardDuty findings with other security tools |
| SNS | Alerts the security team on high-severity findings |
| Organizations | Delegates GuardDuty admin across all accounts |
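
The Lambda step of the Automated Threat Response flow above, sketched as an added example (not code from this guide or from AWS). The function names, the severity threshold, the `DRY_RUN` environment variable, the sample event and the `QUARANTINE_SG` placeholder are assumptions; planning is kept separate from execution so the decision logic runs without AWS access.

```python
"""Turn a GuardDuty finding delivered by EventBridge into containment actions."""
import os

SEVERITY_THRESHOLD = 7.0            # GuardDuty rates 7.0 and above as High
QUARANTINE_SG = "sg-PLACEHOLDER"    # placeholder: a security group with no rules

# Constructed EventBridge event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def plan_actions(event, threshold=SEVERITY_THRESHOLD):
    """Return a list of action dicts for one finding; never touches AWS."""
    if event.get("source") != "aws.guardduty":
        return []
    detail = event.get("detail") or {}
    finding = {"finding_id": detail.get("id"), "finding_type": detail.get("type")}
    if float(detail.get("severity", 0)) < threshold:
        return [dict(finding, action="notify-only")]
    resource = detail.get("resource") or {}
    kind = resource.get("resourceType")
    if kind == "Instance":
        instance_id = (resource.get("instanceDetails") or {}).get("instanceId")
        if instance_id:
            return [dict(finding, action="isolate-instance", instance_id=instance_id)]
    elif kind == "AccessKey":
        key = resource.get("accessKeyDetails") or {}
        key_id = key.get("accessKeyId", "")
        # Only long-term IAM user keys (AKIA...) can be switched to Inactive.
        if key.get("userType") == "IAMUser" and key_id.startswith("AKIA"):
            return [dict(finding, action="deactivate-access-key",
                         user_name=key.get("userName"), access_key_id=key_id)]
        # Temporary role credentials (ASIA...) have no per-key off switch.
        return [dict(finding, action="escalate", reason="temporary credentials")]
    return [dict(finding, action="escalate", reason="no automated containment")]


def apply_actions(actions, ec2, iam, dry_run=True):
    """Run the plan with boto3-style clients; return (action, executed) pairs."""
    outcome = []
    for item in actions:
        executed = False
        if item["action"] == "isolate-instance":
            if not dry_run:
                # Replaces every security group on the instance with the quarantine group.
                ec2.modify_instance_attribute(
                    InstanceId=item["instance_id"], Groups=[QUARANTINE_SG])
                executed = True
        elif item["action"] == "deactivate-access-key":
            if not dry_run:
                iam.update_access_key(
                    UserName=item["user_name"],
                    AccessKeyId=item["access_key_id"],
                    Status="Inactive")
                executed = True
        # 'notify-only' and 'escalate' are left to the SNS step of the flow.
        outcome.append((item["action"], executed))
    return outcome


def lambda_handler(event, context):
    import boto3  # imported here so the planning logic runs without AWS access
    dry_run = os.environ.get("DRY_RUN", "true").lower() != "false"
    return apply_actions(plan_actions(event),
                         boto3.client("ec2"), boto3.client("iam"), dry_run=dry_run)


if __name__ == "__main__":
    print(plan_actions(SAMPLE_EVENT))
```

Findings on temporary credentials are escalated rather than auto-remediated because deactivating a key only works for an IAM user's long-term access key; containing a role session means acting on the role itself.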


Amazon Inspector

| Field | Details |
|---|---|
| Category | Security (Vulnerability Management) |
| Full Name | Amazon Inspector |

🔍 Why It Is Used

Inspector automatically discovers and scans EC2 instances and container images for software vulnerabilities and unintended network exposure. It continuously provides prioritized findings to help you proactively improve security posture.

⚙️ Functionality

  • Scans EC2 instances, ECR container images, and Lambda functions.
  • Powered by the NVD (National Vulnerability Database) and vendor advisories.
  • CVE-based scoring with risk prioritization.
  • Continuous, event-driven scanning (not point-in-time).
  • Findings sent to Security Hub, EventBridge, and S3.
  • Network Reachability analysis for unintended public exposure.
  • Integration with Organizations for multi-account management.

🌐 Real-World Integration with Other AWS Services

DevSecOps Pipeline:

CodePipeline → CodeBuild → ECR (Push Image)
→ Inspector (Automatic Scan on Push)
  → High Severity Finding → EventBridge
  → Lambda (Block Deployment) → SNS (Alert Dev Team)
  → Security Hub (Centralized Findings)
→ CloudFormation (Deploy if Clean)

| Integrated Service | Role |
|---|---|
| ECR | Scans container images on push |
| EC2 | Scans running instances for CVEs |
| Security Hub | Aggregates Inspector findings |
| EventBridge | Triggers automation on new findings |
| Lambda | Automated remediation responses |


Amazon Macie

| Field | Details |
|---|---|
| Category | Security (Data Privacy) |
| Full Name | Amazon Macie |

🔍 Why It Is Used

Macie is a data security service that uses ML to automatically discover, classify, and protect sensitive data (PII, financial data, credentials) in Amazon S3. It helps meet data protection and compliance requirements.

⚙️ Functionality

  • Discovers sensitive data: PII, credit cards, AWS keys, healthcare records.
  • 75+ managed data identifiers for common sensitive data types.
  • Custom data identifiers using regex and keywords.
  • Continuous S3 bucket policy monitoring for public access and unencrypted storage.
  • Findings exported to Security Hub and EventBridge.
  • Organization-wide deployment via AWS Organizations.

🌐 Real-World Integration with Other AWS Services

Data Lake Privacy Governance:

S3 Data Lake → Macie (Continuous Scanning)
→ Findings → EventBridge → Lambda (Tag/Quarantine Objects)
→ Security Hub (Compliance Dashboard)
→ SNS (Alert Data Governance Team)
→ CloudTrail (Audit of Object Access)
→ KMS (Encrypt Discovered Sensitive Data)

| Integrated Service | Role |
|---|---|
| S3 | Primary data source for Macie scanning |
| EventBridge | Routes Macie findings to automation |
| Lambda | Auto-quarantines buckets with sensitive data |
| Security Hub | Centralizes Macie compliance findings |
| KMS | Enforces encryption for buckets with sensitive data |


AWS Shield

| Field | Details |
|---|---|
| Category | Security (DDoS Protection) |
| Full Name | AWS Shield |

🔍 Why It Is Used

Shield provides DDoS (Distributed Denial of Service) protection for AWS applications. Shield Standard is free and automatic; Shield Advanced provides enhanced protection, 24/7 DDoS response team access, and financial protection against scaling costs during attacks.

⚙️ Functionality

  • Standard: Protects against L3/L4 DDoS attacks automatically, no cost.
  • Advanced: Protects CloudFront, Route 53, ELB, EC2, Global Accelerator.
  • Real-time attack visibility and notifications.
  • AWS Shield Response Team (SRT) for 24/7 expert support.
  • DDoS cost protection for scaling events.
  • Advanced reporting and post-attack analysis.
  • Integration with AWS WAF for L7 protection.

🌐 Real-World Integration with Other AWS Services

DDoS-Protected Web Application:

Attackers (DDoS) → Route 53 (DNS Flood Protection)
→ CloudFront (L3/L4/L7 Edge Protection)
→ Shield Advanced + WAF (Rate Limiting, Geo-blocking)
→ ALB (L7 Attack Mitigation) → EC2/ECS App
→ CloudWatch (Attack Metrics) → SNS (SRT Alert)
→ Shield Response Team (Manual Intervention)

| Integrated Service | Role |
|---|---|
| CloudFront | Shield protects CDN from volumetric attacks |
| Route 53 | Protected against DNS amplification attacks |
| WAF | Complements Shield for L7 attack mitigation |
| ALB / NLB | Shield Advanced protects load balancers |
| CloudWatch | Monitors attack metrics and alerts |


AWS WAF

| Field | Details |
|---|---|
| Category | Security (Web Application Firewall) |
| Full Name | AWS Web Application Firewall |

🔍 Why It Is Used

WAF protects web applications from common web exploits (SQL injection, XSS, OWASP Top 10) that could affect availability, compromise security, or consume excessive resources. It allows creating custom rules to control which traffic to allow or block.

⚙️ Functionality

  • Web ACLs with Rules and Rule Groups.
  • AWS Managed Rule Groups (OWASP, Bot Control, Known Bad Inputs).
  • Rate-based rules for DDoS mitigation.
  • Geo-blocking and IP set rules.
  • Bot Control for managing bot traffic.
  • CAPTCHA integration.
  • Fraud Control for account takeover and login protection.
  • Real-time metrics and sampled requests.
  • Deploy on CloudFront, ALB, API Gateway, AppSync, Cognito.

🌐 Real-World Integration with Other AWS Services

Secure API Platform:

Clients → CloudFront → WAF (OWASP Rules + Rate Limiting)
→ API Gateway → Lambda → DynamoDB
ALB → WAF (Bot Control + IP Blocking)
→ EC2/ECS App Servers
→ Firewall Manager (Centralize WAF across Org accounts)
→ CloudWatch (WAF Blocked Request Metrics)
→ Kinesis Firehose → S3 (WAF Logs Analysis)

| Integrated Service | Role |
|---|---|
| CloudFront | WAF deployed at edge for global L7 protection |
| ALB | WAF protects application load balancers |
| API Gateway | WAF secures API endpoints |
| Firewall Manager | Centrally manages WAF rules across accounts |
| Kinesis Firehose | Streams WAF logs to S3 for analysis |


AWS KMS

| Field | Details |
|---|---|
| Category | Security (Encryption Key Management) |
| Full Name | AWS Key Management Service |

🔍 Why It Is Used

KMS makes it easy to create and manage cryptographic keys and control their use across AWS services and applications. It provides a secure, centralized key management solution, ensuring encrypted data is accessible only to authorized users.

⚙️ Functionality

  • Customer Managed Keys (CMK) and AWS Managed Keys.
  • Symmetric (AES-256) and asymmetric (RSA, ECC) key types.
  • Automatic annual key rotation.
  • Key Policies and IAM for access control.
  • Envelope encryption for large data encryption.
  • Multi-Region Keys for cross-region decryption.
  • CloudHSM integration for FIPS 140-2 Level 3 compliance.
  • Audit all key usage via CloudTrail.

🌐 Real-World Integration with Other AWS Services

End-to-End Encrypted Data Platform:

S3 (SSE-KMS) → KMS CMK (Encryption/Decryption)
RDS (Encrypted volumes via KMS)
EBS (Encrypted storage via KMS)
Secrets Manager (KMS-encrypted secrets)
Lambda (KMS Decrypt call to access encrypted config)
CloudTrail (Logs all KMS API calls)
→ IAM/Key Policy (Who can use the key)

| Integrated Service | Role |
| --- | --- |
| S3 | SSE-KMS encrypts S3 objects with CMKs |
| RDS / EBS / EFS | Storage encrypted at rest using KMS |
| Secrets Manager | KMS encrypts all stored secrets |
| Lambda | Calls KMS to decrypt encrypted environment variables |
| CloudTrail | Records all Encrypt/Decrypt API calls |



AWS Secrets Manager

| Field | Details |
| --- | --- |
| Category | Security (Secrets Management) |
| Full Name | AWS Secrets Manager |

🔍 Why It Is Used

Secrets Manager helps you protect access to applications, services, and IT resources by enabling rotation, management, and retrieval of database credentials, API keys, and other secrets throughout their lifecycle — eliminating hardcoded credentials.

⚙️ Functionality

  • Stores and manages database credentials, API keys, OAuth tokens.
  • Automatic secret rotation for RDS, Aurora, Redshift, DocumentDB.
  • Lambda-based custom rotation for other secret types.
  • Fine-grained IAM access control per secret.
  • Encryption via KMS.
  • Secret versioning (AWSCURRENT, AWSPREVIOUS, AWSPENDING).
  • Cross-account secret sharing.
  • Audit via CloudTrail.

🌐 Real-World Integration with Other AWS Services

Zero-Credential Application Deployment:

Lambda / ECS / EC2 → IAM Role
→ Secrets Manager API (GetSecretValue)
→ KMS (Decryption) → Returns DB Password
→ Lambda Rotation Function (30-day auto rotation)
→ RDS / Aurora (Password Update)
→ CloudTrail (Secret Access Audit)
→ CloudWatch Alarms (Unauthorized Access Alerts)

| Integrated Service | Role |
| --- | --- |
| RDS / Aurora | Auto-rotates DB credentials |
| KMS | Encrypts all secrets at rest |
| Lambda | Custom rotation functions and secret consumers |
| ECS / EKS | Secrets injected into containers at runtime |
| CloudTrail | Audits all secret access and rotation events |



AWS Certificate Manager

| Field | Details |
| --- | --- |
| Category | Security (TLS/SSL Certificate Management) |
| Full Name | AWS Certificate Manager (ACM) |

🔍 Why It Is Used

ACM handles the provisioning, management, and renewal of SSL/TLS certificates for AWS services. It eliminates the manual process of purchasing, uploading, and renewing certificates.

⚙️ Functionality

  • Free public SSL/TLS certificates for AWS services.
  • Automatic renewal before expiration.
  • Deploy to CloudFront, ALB, API Gateway, AppSync.
  • Import third-party certificates.
  • Private CA (ACM Private CA) for internal certificates.
  • Certificate transparency logging.
  • Wildcard and multi-domain (SAN) certificates.

🌐 Real-World Integration with Other AWS Services

Route 53 (Domain) → ACM (Certificate Issuance via DNS Validation)
→ CloudFront (HTTPS with custom domain)
→ ALB (HTTPS Listener with ACM certificate)
→ API Gateway (Custom domain with ACM cert)
→ ACM Private CA → ECS/EKS Internal TLS
→ CloudWatch (Certificate expiry monitoring)

| Integrated Service | Role |
| --- | --- |
| CloudFront | HTTPS for CDN with custom domains |
| ALB | HTTPS listeners use ACM certificates |
| API Gateway | Custom domain HTTPS with ACM |
| Route 53 | DNS validation for certificate issuance |



AWS Security Hub

| Field | Details |
| --- | --- |
| Category | Security (Centralized Security Management) |
| Full Name | AWS Security Hub |

🔍 Why It Is Used

Security Hub provides a comprehensive view of security alerts and compliance status across AWS accounts. It aggregates, organizes, and prioritizes security findings from multiple AWS services and partner tools in one place.

⚙️ Functionality

  • Aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager.
  • Security standards: CIS AWS Foundations, AWS Foundational Security, PCI DSS, NIST.
  • Automated compliance checks (hundreds of controls).
  • Custom insights for tracking security trends.
  • EventBridge integration for automated remediation.
  • Cross-account and cross-region finding aggregation.
  • Integrations with 70+ third-party security tools.

🌐 Real-World Integration with Other AWS Services

GuardDuty + Inspector + Macie + Config
→ Security Hub (Centralized Findings + Compliance)
→ EventBridge → Lambda (Automated Remediation)
→ SNS (Security Team Notifications)
→ S3 (Finding Archive) → Athena (Security Analytics)
→ QuickSight (Security Posture Dashboard)
→ Ticket System (JIRA/ServiceNow via Lambda)

| Integrated Service | Role |
| --- | --- |
| GuardDuty | Threat detection findings aggregated in Security Hub |
| Inspector | Vulnerability findings aggregated |
| Macie | Data privacy findings aggregated |
| Config | Compliance rule checks feed into Security Hub |
| EventBridge | Automates response to Security Hub findings |



📊 ANALYTICS SERVICES


Amazon Athena

| Field | Details |
| --- | --- |
| Category | Analytics (Serverless Query) |
| Full Name | Amazon Athena |

🔍 Why It Is Used

Athena is an interactive query service that makes it easy to analyze data in S3 using standard SQL. It is serverless — there is no infrastructure to set up or manage, and you pay only for the queries you run ($5 per TB scanned).

⚙️ Functionality

  • Query S3 data using standard ANSI SQL.
  • Supports CSV, JSON, ORC, Parquet, Avro formats.
  • Federated Queries to RDS, DynamoDB, CloudWatch, on-premises.
  • Athena for Apache Spark (notebook-based analytics).
  • Query result caching.
  • Workgroups for cost and access control.
  • Integration with AWS Glue Data Catalog (schema management).
  • Performance optimization via partitioning and columnar formats.

🌐 Real-World Integration with Other AWS Services

Data Lake Analytics:

CloudTrail / ALB Logs / VPC Flow Logs → S3 (Data Lake)
→ Glue Crawler (Schema Discovery) → Glue Data Catalog
→ Athena (SQL Queries) → QuickSight (Dashboards)
→ Workgroups (Cost Control per Team)
→ Lake Formation (Column-level access control)
→ S3 (Query Results) → EventBridge (Scheduled Queries)

| Integrated Service | Role |
| --- | --- |
| S3 | Primary data source for Athena queries |
| Glue | Data Catalog provides schema metadata to Athena |
| QuickSight | BI dashboards on top of Athena query results |
| Lake Formation | Row/column-level security on Athena queries |
| CloudTrail | Query audit logs using Athena |



Amazon EMR

| Field | Details |
| --- | --- |
| Category | Analytics (Big Data Processing) |
| Full Name | Amazon EMR (Elastic MapReduce) |

🔍 Why It Is Used

EMR is a managed big data platform for processing vast amounts of data using open-source frameworks like Apache Spark, Hadoop, Hive, Presto, and Flink. It simplifies deploying and managing these frameworks on elastic, scalable clusters.

⚙️ Functionality

  • Supports Spark, Hadoop, Hive, HBase, Presto, Flink, Pig, and more.
  • EC2, EKS, and Serverless deployment options.
  • EMRFS for S3 as the data layer (decoupled from compute).
  • Auto Scaling and Spot Instance support (up to 80% cost savings).
  • EMR Studio for notebook-based development.
  • Security: Kerberos, Lake Formation, encryption at rest/in transit.
  • Step-based job submission for workflow automation.

🌐 Real-World Integration with Other AWS Services

Large-Scale ETL Pipeline:

S3 (Raw Data) → EMR (Spark ETL Cluster)
→ S3 (Processed Data / Parquet) → Redshift (Load)
→ Glue Data Catalog (Schema Registration)
→ Athena (Ad-hoc queries on S3 results)
→ CloudWatch (Cluster Metrics) → Step Functions (Orchestration)
→ Spot Instances (Cost Optimization)

| Integrated Service | Role |
| --- | --- |
| S3 | Data lake: input and output for EMR jobs |
| Glue | Shared Data Catalog for EMR and Athena |
| Redshift | Loads processed data from EMR |
| Step Functions | Orchestrates multi-step EMR workflows |
| CloudWatch | Monitors cluster health and job progress |



Amazon Kinesis

| Field | Details |
| --- | --- |
| Category | Analytics (Real-Time Streaming) |
| Full Name | Amazon Kinesis |

🔍 Why It Is Used

Kinesis enables real-time collection, processing, and analysis of streaming data at any scale. It is the AWS platform for real-time data pipelines — from clickstreams and IoT telemetry to log aggregation and financial transactions.

⚙️ Functionality

  • Kinesis Data Streams: Real-time data streaming (sub-second latency).
  • Kinesis Data Firehose: Managed delivery to S3, Redshift, OpenSearch, Splunk.
  • Kinesis Data Analytics: SQL/Flink-based real-time stream processing.
  • Kinesis Video Streams: Streaming video for ML/analytics.
  • Shards for parallel processing (1 MB/s in, 2 MB/s out per shard).
  • Retention: 24 hours to 365 days.
  • Fan-out to multiple Lambda consumers.

🌐 Real-World Integration with Other AWS Services

Real-Time Clickstream Analytics:

Web App → Kinesis Data Streams (Clickstream)
→ Lambda (Real-time Enrichment) → DynamoDB (Live Counters)
→ Kinesis Firehose → S3 (Data Lake)
→ Glue / Athena (Batch Analysis)
→ Kinesis Data Analytics (Flink: Real-time Aggregations)
→ OpenSearch (Real-time Search Dashboard)
→ QuickSight (BI Reporting)

| Integrated Service | Role |
| --- | --- |
| Lambda | Triggered by Kinesis for real-time processing |
| S3 | Firehose delivers streams to S3 data lake |
| Redshift | Firehose delivers to Redshift for analytics |
| OpenSearch | Firehose delivers for real-time log search |
| DynamoDB | Stores real-time aggregated stream data |
| IoT Core | Routes IoT telemetry to Kinesis |



AWS Glue

| Field | Details |
| --- | --- |
| Category | Analytics (ETL / Data Integration) |
| Full Name | AWS Glue |

🔍 Why It Is Used

Glue is a serverless data integration service that makes it easy to discover, prepare, move, and integrate data from multiple sources. It eliminates the undifferentiated heavy lifting of ETL (Extract, Transform, Load) infrastructure management.

⚙️ Functionality

  • Glue Data Catalog: Centralized metadata repository (Hive metastore compatible).
  • Glue Crawlers: Automatically discover schema from S3, RDS, Redshift.
  • Glue ETL Jobs: Spark-based visual and code-based data transformations.
  • Glue Studio: Visual ETL job builder.
  • Glue DataBrew: No-code data preparation for analysts.
  • Glue Elastic Views: Materialize SQL views across data stores.
  • Supports Python, Scala, and Spark Streaming.
  • Job bookmarks for incremental processing.

🌐 Real-World Integration with Other AWS Services

Data Lake ETL Pipeline:

S3 (Raw CSV/JSON) → Glue Crawler (Schema Discovery)
→ Glue Data Catalog → Glue ETL Job (Spark)
→ S3 (Processed Parquet) → Athena (Query via Catalog)
→ Redshift (Load via COPY) → QuickSight (Reports)
→ EventBridge (Schedule) → CloudWatch (Job Metrics)
→ Lake Formation (Access Control on Catalog)

| Integrated Service | Role |
| --- | --- |
| S3 | Source and destination for Glue ETL jobs |
| Athena | Queries data using Glue Data Catalog schema |
| Redshift | Destination for transformed data |
| EMR | Uses Glue Data Catalog as Hive metastore |
| Lake Formation | Manages permissions on Glue Catalog resources |



Amazon QuickSight

| Field | Details |
| --- | --- |
| Category | Analytics (Business Intelligence) |
| Full Name | Amazon QuickSight |

🔍 Why It Is Used

QuickSight is a cloud-native, fully managed BI service that enables everyone in your organization to understand data through interactive dashboards, charts, and ML-powered insights. It scales from 10 to 10,000+ users without infrastructure management.

⚙️ Functionality

  • SPICE (Super-fast, Parallel, In-memory Calculation Engine) for fast query performance.
  • 30+ visualization types: charts, maps, pivot tables, waterfall, funnel.
  • ML Insights: anomaly detection, forecasting, narrative insights.
  • Embedded analytics with easy SDK integration.
  • Row-level and column-level security.
  • Connects to S3, Athena, Redshift, RDS, Aurora, Timestream, and 3rd-party sources.
  • Paginated reports for operational reporting.
  • Q (natural language Q&A for data).

🌐 Real-World Integration with Other AWS Services

Executive Analytics Dashboard:

Redshift (DW) + Athena (Data Lake) + RDS (Operational DB)
→ QuickSight SPICE (Data Import / Direct Query)
→ QuickSight Dashboards (Sales, Finance, Operations)
→ QuickSight ML (Forecasting next quarter revenue)
→ Embedded in Internal Web Portal (SDK)
→ S3 (QuickSight export to PDF/CSV)
→ CloudWatch (QuickSight usage metrics)

| Integrated Service | Role |
| --- | --- |
| Redshift | Primary DW data source for QuickSight |
| Athena | Serverless SQL on S3 data lake in QuickSight |
| RDS / Aurora | Live operational data in QuickSight |
| S3 | Data import and dashboard/report exports |
| IAM | Controls who can access QuickSight |



AWS Lake Formation

| Field | Details |
| --- | --- |
| Category | Analytics (Data Lake Management) |
| Full Name | AWS Lake Formation |

🔍 Why It Is Used

Lake Formation simplifies building, securing, and managing a data lake. It handles the undifferentiated work of collecting, cleaning, cataloging, and securing data so that analysis can begin in days rather than months.

⚙️ Functionality

  • Centralized access control: database, table, column, row, and cell level.
  • Data ingestion from databases, S3, streaming sources.
  • Built on Glue Data Catalog.
  • Row-level security and column masking.
  • Cross-account and cross-region data sharing.
  • Governed Tables with ACID transactions (S3-backed).
  • Tag-based access control (LF-Tags).
  • Audit logs for all data access.

🌐 Real-World Integration with Other AWS Services

S3 (Data Lake) → Glue Crawlers → Glue Data Catalog
→ Lake Formation (Permissions Governance)
→ Athena (Query with LF Column Masking)
→ Redshift Spectrum (Cross-account query)
→ EMR (Spark jobs with LF permissions)
→ QuickSight (Authorized dashboards)
→ CloudTrail (Data Access Audit)

| Integrated Service | Role |
| --- | --- |
| Glue | Data Catalog is the foundation for Lake Formation |
| Athena | Enforces Lake Formation permissions on queries |
| Redshift | Spectrum respects Lake Formation access control |
| EMR | Spark jobs governed by Lake Formation |
| CloudTrail | Logs data access events for compliance |



Amazon MSK

| Field | Details |
| --- | --- |
| Category | Analytics (Managed Kafka) |
| Full Name | Amazon Managed Streaming for Apache Kafka |

🔍 Why It Is Used

MSK is a fully managed Apache Kafka service, removing the operational complexity of running and scaling Kafka clusters. It is ideal for building real-time streaming data pipelines and applications compatible with the Kafka ecosystem.

⚙️ Functionality

  • Fully managed Apache Kafka (open-source compatible).
  • Automated broker provisioning, patching, and monitoring.
  • MSK Serverless for automatic scaling.
  • MSK Connect for Kafka Connect connectors.
  • Multi-AZ high availability.
  • TLS encryption in transit, KMS at rest.
  • Integration with Kinesis Data Analytics (Flink) for stream processing.
  • MSK Replicator for cross-region replication.

🌐 Real-World Integration with Other AWS Services

Event-Driven Microservices:

Producers (ECS Microservices) → MSK (Kafka Topics)
→ Lambda (Kafka Trigger) → DynamoDB (State Updates)
→ Kinesis Data Analytics (Flink Stream Processing)
→ S3 (MSK Connect Sink) → Redshift (Analytics)
→ CloudWatch (Broker Metrics) → VPC (Private Kafka Cluster)

| Integrated Service | Role |
| --- | --- |
| Lambda | Consumes MSK Kafka events via trigger |
| Kinesis Analytics | Flink processes MSK streams in real-time |
| S3 | MSK Connect delivers Kafka data to S3 |
| CloudWatch | Monitors Kafka broker CPU, disk, consumer lag |
| VPC | MSK clusters run in private subnets |



Amazon OpenSearch Service

| Field | Details |
| --- | --- |
| Category | Analytics (Search & Log Analytics) |
| Full Name | Amazon OpenSearch Service (formerly Elasticsearch Service) |

🔍 Why It Is Used

OpenSearch Service is a managed search and analytics engine for use cases such as application search, log analytics, observability, and website search. It supports OpenSearch and Elasticsearch APIs.

⚙️ Functionality

  • OpenSearch and Elasticsearch-compatible APIs.
  • Full-text search with relevance scoring.
  • Dashboards (formerly Kibana) for visualization.
  • Index-level access control with fine-grained security.
  • Multi-AZ with automated snapshots.
  • OpenSearch Serverless for on-demand scalability.
  • ML features: anomaly detection, semantic search, neural search.
  • Integration with Kinesis Firehose, Lambda, CloudWatch Logs.

🌐 Real-World Integration with Other AWS Services

Log Analytics Platform (ELK-like):

EC2 / ECS Apps → CloudWatch Logs
→ Lambda (Log Processor) / Kinesis Firehose
→ OpenSearch Service (Index & Search)
→ OpenSearch Dashboards (Log Visualization)
→ Alerts → SNS → PagerDuty (On-call)
→ S3 (Log Archive via Snapshot/Firehose)

| Integrated Service | Role |
| --- | --- |
| Kinesis Firehose | Delivers streaming data to OpenSearch |
| CloudWatch Logs | Subscription to push logs to OpenSearch |
| Lambda | Custom index transformation before ingestion |
| SNS | Alerts from OpenSearch alerting plugin |
| S3 | Automated index snapshots for backup |



🤖 MACHINE LEARNING & AI


Amazon SageMaker

| Field | Details |
| --- | --- |
| Category | ML/AI (End-to-End ML Platform) |
| Full Name | Amazon SageMaker |

🔍 Why It Is Used

SageMaker is a fully managed platform for building, training, and deploying ML models at scale. It covers the entire ML lifecycle from data labeling to model deployment, removing the heavy lifting from each step.

⚙️ Functionality

  • Studio: Integrated IDE for all ML development.
  • Data Wrangler: No-code data preparation.
  • Ground Truth: Data labeling service.
  • Experiments: Track and compare ML experiments.
  • Training: Distributed training on managed compute.
  • Hyperparameter Tuning: Automatic model optimization.
  • Model Registry: Versioned model catalog.
  • Endpoints: Real-time and batch inference deployment.
  • Pipelines: CI/CD for ML workflows.
  • SageMaker Canvas: No-code ML for business analysts.
  • Clarify: Bias detection and explainability.
  • Feature Store: Centralized feature storage.

🌐 Real-World Integration with Other AWS Services

End-to-End MLOps Pipeline:

S3 (Training Data) → SageMaker Data Wrangler (Prep)
→ Feature Store → SageMaker Training (Distributed)
→ Model Registry → Approval Gate (Lambda)
→ SageMaker Endpoint (Deployment)
→ API Gateway → Lambda → SageMaker InvokeEndpoint
→ CloudWatch (Model Drift Monitoring)
→ CodePipeline (MLOps CI/CD)
→ Redshift (Feature Engineering Source)

| Integrated Service | Role |
| --- | --- |
| S3 | Stores training data, model artifacts, outputs |
| ECR | Custom training and inference container images |
| CodePipeline | MLOps automation for model retraining/deployment |
| CloudWatch | Monitors endpoint latency, error rates, data drift |
| Lambda | Invokes SageMaker endpoints for real-time inference |
| Redshift / Athena | Data sources for feature engineering |



Amazon Rekognition

| Field | Details |
| --- | --- |
| Category | ML/AI (Computer Vision) |
| Full Name | Amazon Rekognition |

🔍 Why It Is Used

Rekognition provides pre-trained computer vision capabilities for image and video analysis without needing ML expertise. It identifies objects, people, text, scenes, and activities, and detects inappropriate content.

⚙️ Functionality

  • Object and scene detection.
  • Facial analysis: detection, comparison, search in collections.
  • Text detection in images (OCR).
  • Content moderation (unsafe content detection).
  • Celebrity recognition.
  • Custom Labels for domain-specific object detection.
  • PPE (Personal Protective Equipment) detection.
  • Video analysis with Streaming and Stored video APIs.

🌐 Real-World Integration with Other AWS Services

Content Moderation Platform:

User Image Upload → S3
→ S3 Event → Lambda
→ Rekognition (Moderation Check + Label Detection)
→ DynamoDB (Store Analysis Results)
→ SNS (Alert on Unsafe Content) → SQS (Review Queue)
→ Step Functions (Human Review Workflow)
→ CloudWatch (Moderation Metrics)

| Integrated Service | Role |
| --- | --- |
| S3 | Source of images/videos for Rekognition |
| Lambda | Triggers Rekognition on upload events |
| DynamoDB | Stores analysis results and face collections |
| SNS | Alerts on flagged content |
| Step Functions | Orchestrates human review workflows |



Amazon Comprehend

| Field | Details |
| --- | --- |
| Category | ML/AI (Natural Language Processing) |
| Full Name | Amazon Comprehend |

🔍 Why It Is Used

Comprehend is a natural language processing (NLP) service that uses ML to extract insights from text — detecting sentiment, entities, key phrases, language, and relationships in unstructured text without ML expertise.

⚙️ Functionality

  • Entity recognition (people, places, organizations, dates).
  • Sentiment analysis (positive, negative, neutral, mixed).
  • Key phrase extraction.
  • Language detection (100+ languages).
  • PII (Personally Identifiable Information) detection and redaction.
  • Custom Classification and Custom Entity Recognition.
  • Events Detection for financial/legal documents.
  • Topic Modeling for document clusters.

🌐 Real-World Integration with Other AWS Services

Customer Feedback Analysis:

Customer Reviews → S3 (Batch Text Files)
→ Comprehend Batch Analysis (Sentiment + Entities)
→ S3 (Results) → Athena (Query)
→ QuickSight (Sentiment Dashboard)
→ Real-time: SQS → Lambda → Comprehend → DynamoDB
→ SNS (Alert on Negative Sentiment Spikes)

| Integrated Service | Role |
| --- | --- |
| S3 | Input/output for Comprehend batch jobs |
| Lambda | Real-time text analysis pipeline |
| Athena / QuickSight | Analytics and visualization of NLP results |
| SNS | Alerts triggered by sentiment analysis |
| Comprehend Medical | Healthcare-specific entity extraction |



Amazon Polly

| Field | Details |
| --- | --- |
| Category | ML/AI (Text-to-Speech) |
| Full Name | Amazon Polly |

🔍 Why It Is Used

Polly turns text into lifelike speech using deep learning, enabling applications to speak to users. It supports dozens of languages and voices, and is used for voice assistants, accessibility features, content narration, and more.

⚙️ Functionality

  • 60+ lifelike voices in 30+ languages.
  • Neural Text-to-Speech (NTTS) for near-human quality.
  • SSML (Speech Synthesis Markup Language) for pronunciation control.
  • Brand Voice for custom voice creation.
  • Lexicons for custom word pronunciation.
  • Real-time streaming or S3 output (MP3, OGG, PCM).
  • Speech Marks for word-level timestamp synchronization.

🌐 Real-World Integration with Other AWS Services

E-Learning Platform:

Content Text → Lambda → Polly (Text-to-Speech)
→ S3 (Audio Files) → CloudFront (Delivery)
→ DynamoDB (Voice/Lesson Metadata)
→ Lex (Voice Chatbot) → Polly (Responses)
→ Transcribe (User Speech) → Lambda → Polly (Reply)

| Integrated Service | Role |
| --- | --- |
| Lambda | Calls Polly API to generate speech on demand |
| S3 | Stores generated audio files |
| Lex | Polly voices the Lex chatbot responses |
| CloudFront | Delivers audio files globally |
| Translate | Translate text then Polly reads it in target language |



Amazon Transcribe

| Field | Details |
| --- | --- |
| Category | ML/AI (Speech-to-Text) |
| Full Name | Amazon Transcribe |

🔍 Why It Is Used

Transcribe converts audio speech to text automatically, enabling transcription of call center audio, meeting recordings, media, and real-time voice streams. It powers accessibility, content indexing, and voice analytics applications.

⚙️ Functionality

  • Batch and real-time streaming transcription.
  • Speaker identification (diarization).
  • Custom Vocabulary for domain-specific terms.
  • Custom Language Models for specialized speech.
  • PII redaction in transcripts.
  • Automatic punctuation and formatting.
  • 100+ language/dialect support.
  • Transcribe Call Analytics with sentiment and topic detection.

🌐 Real-World Integration with Other AWS Services

Contact Center Intelligence:

Call Recording → S3 → Lambda → Transcribe (Batch)
→ S3 (Transcript) → Comprehend (Sentiment Analysis)
→ DynamoDB (Call Records) → QuickSight (Analytics Dashboard)
→ Real-time: Kinesis Video → Transcribe Streaming
→ Lambda (Live Alert on Negative Sentiment)
→ SNS (Supervisor Alert)

| Integrated Service | Role |
| --- | --- |
| S3 | Stores audio files for batch transcription |
| Lambda | Triggers transcription jobs on audio upload |
| Comprehend | NLP analysis of transcription output |
| Kinesis Video | Real-time streaming audio to Transcribe |
| QuickSight | Analytics on transcription/sentiment data |



Amazon Translate

| Field | Details |
| --- | --- |
| Category | ML/AI (Machine Translation) |
| Full Name | Amazon Translate |

🔍 Why It Is Used

Translate provides fast, high-quality neural machine translation for enabling cross-lingual communication in applications, content localization, and batch document translation.

⚙️ Functionality

  • 75+ language pairs.
  • Real-time and batch translation.
  • Custom Terminology for domain-specific vocabulary (e.g., brand names).
  • Parallel Data for custom translation models.
  • Active Custom Translation (ACT) to improve with your data.
  • Profanity masking.
  • Formality control (formal/informal tone).

🌐 Real-World Integration with Other AWS Services

Global Customer Support Platform:

Customer Message (Any Language) → Lambda
→ Comprehend (Detect Language)
→ Translate (To English) → Comprehend (Sentiment)
→ Agent Dashboard (English Response) → Translate (Back to Customer Language)
→ Polly (Voice in Customer Language)
→ DynamoDB (Conversation History) → S3 (Batch Translations)

| Integrated Service | Role |
| --- | --- |
| Comprehend | Detects source language before translation |
| Polly | Reads translated text as speech |
| Lambda | Real-time translation pipeline orchestration |
| S3 | Batch translation input/output |
| DynamoDB | Stores translated content |



Amazon Lex

| Field | Details |
| --- | --- |
| Category | ML/AI (Conversational AI / Chatbots) |
| Full Name | Amazon Lex |

🔍 Why It Is Used

Lex provides AI-powered conversational interface functionality (chatbots and voicebots) using the same deep learning technology as Amazon Alexa. It enables building, deploying, and scaling bots for customer service, HR, and operations automation.

⚙️ Functionality

  • ASR (Automatic Speech Recognition) + NLU (Natural Language Understanding).
  • Intent detection and slot filling for structured conversations.
  • Multi-turn conversation context management.
  • Built-in integration with Lambda for fulfillment.
  • Omnichannel deployment: web chat, mobile, Alexa, Slack, Facebook, Twilio.
  • Visual conversation flow builder.
  • Sentiment analysis per utterance.
  • Streaming conversations for real-time interaction.

🌐 Real-World Integration with Other AWS Services

Bank Customer Service Bot:

Customer (Voice/Chat) → Lex Bot
→ Lambda (Fulfillment: Query Account Balance from DynamoDB)
→ Cognito (Identity Verification)
→ DynamoDB (Account/Transaction Data)
→ Polly (Voice Response) → Transcribe (Voice Input)
→ Connect (Contact Center Integration)
→ CloudWatch (Bot Performance Metrics)
→ SNS (Escalate to Human Agent)

| Integrated Service | Role |
| --- | --- |
| Lambda | Fulfills Lex intents with business logic |
| Polly | Voices Lex bot responses |
| Amazon Connect | Lex powers contact center voice bots |
| Cognito | Authenticates users in Lex conversations |
| DynamoDB | Stores and retrieves bot conversation context |



Amazon Forecast

| Field | Details |
| --- | --- |
| Category | ML/AI (Time-Series Forecasting) |
| Full Name | Amazon Forecast |

🔍 Why It Is Used

Forecast is a fully managed ML service for accurate time-series forecasting using the same technology used by Amazon.com. It combines time-series data with related variables (holidays, promotions, weather) for up to 50% more accurate predictions.

⚙️ Functionality

  • AutoML for automatic algorithm selection (DeepAR+, NPTS, Prophet, ETS, ARIMA).
  • Incorporates related data (item metadata, supplementary features).
  • Probabilistic forecasts (P10, P50, P90).
  • Explainability via Forecast Explainability feature.
  • Predicts up to 500 time series.
  • Imports data from S3.

🌐 Real-World Integration with Other AWS Services

Retail Inventory Forecasting:

S3 (Historical Sales Data + Metadata)
→ Forecast (Train Model, Generate Predictions)
→ S3 (Forecast Export) → Athena (Query Forecasts)
→ QuickSight (Inventory Planning Dashboard)
→ Lambda (Automated PO Generation based on Forecast)
→ DynamoDB (Store Forecast Results) → SNS (Low Stock Alert)

| Integrated Service | Role |
| --- | --- |
| S3 | Input data for training and forecast export |
| Athena / QuickSight | Analyze and visualize forecast results |
| Lambda | Automated actions triggered by forecast outputs |
| DynamoDB | Stores forecasts for operational systems |



Amazon Personalize

| Field | Details |
| --- | --- |
| Category | ML/AI (Recommendation Engine) |
| Full Name | Amazon Personalize |

🔍 Why It Is Used

Personalize enables developers to build real-time personalization and recommendation systems using the same ML technology used by Amazon.com. No ML expertise required — just provide data and get personalized recommendations via API.

⚙️ Functionality

  • User-personalization, Similar Items, Personalized Ranking.
  • Real-time event tracking for immediate recommendation updates.
  • Contextual recommendations (device, time, location).
  • A/B testing with campaign variants.
  • Filters to exclude categories or previously purchased items.
  • Batch recommendations export to S3.
  • Pre-built recipes for e-commerce, media, and retail.

🌐 Real-World Integration with Other AWS Services

E-Commerce Recommendation System:

S3 (User Interaction Data: Clicks, Purchases)
→ Personalize (Model Training + Real-time Inference)
→ API Gateway → Lambda → Personalize GetRecommendations
→ DynamoDB (Product Catalog) → React Frontend (Show Recs)
→ Kinesis (Real-time Event Tracking to Personalize)
→ Pinpoint (Personalized Email/Push Campaigns)
→ CloudWatch (Recommendation Click-Through Rate)

| Integrated Service | Role |
| --- | --- |
| S3 | Bulk historical interaction data for training |
| Kinesis | Real-time event streaming to Personalize |
| Lambda | Invokes Personalize recommendation API |
| Pinpoint | Delivers personalized marketing campaigns |
| DynamoDB | Stores and retrieves recommended item details |



Amazon Textract

| Field | Details |
| --- | --- |
| Category | ML/AI (Document Analysis) |
| Full Name | Amazon Textract |

🔍 Why It Is Used

Textract automatically extracts text and structured data (tables, forms, key-value pairs) from scanned documents — going beyond simple OCR to understand document structure and context. It powers document processing automation.

⚙️ Functionality

  • Text detection (OCR) from PDFs, images.
  • Form extraction (key-value pairs from forms).
  • Table extraction with structure preservation.
  • Query-based extraction for specific fields.
  • Signature detection.
  • Analyze Expense for invoice/receipt processing.
  • Analyze ID for identity document extraction.
  • Async and sync APIs.

🌐 Real-World Integration with Other AWS Services

Automated Invoice Processing:

Invoice Email → SES → Lambda → S3 (Invoice Storage)
→ Textract (Extract Fields: Vendor, Amount, Date)
→ Lambda (Validation & Enrichment)
→ DynamoDB (Invoice Records) → RDS (ERP System)
→ Comprehend (Sentiment/Classification)
→ SNS (Approval Workflow Notification)
→ Step Functions (Multi-step Approval Process)

| Integrated Service | Role |
| --- | --- |
| S3 | Stores documents for Textract analysis |
| Lambda | Orchestrates document processing pipeline |
| DynamoDB | Stores extracted structured data |
| Comprehend | Further NLP on extracted text |
| Step Functions | Orchestrates document processing workflows |



Amazon Bedrock

| Field | Details |
| --- | --- |
| Category | ML/AI (Generative AI Platform) |
| Full Name | Amazon Bedrock |

🔍 Why It Is Used

Bedrock is a fully managed service that makes foundation models (FMs) from Amazon and leading AI companies accessible via an API, enabling you to build generative AI applications without managing infrastructure.

⚙️ Functionality

  • Access to FMs: Claude (Anthropic), Llama (Meta), Mistral, Titan (Amazon), Stable Diffusion.
  • Fine-tuning models with your own data.
  • Retrieval Augmented Generation (RAG) via Knowledge Bases.
  • Agents for multi-step reasoning and tool use.
  • Model evaluation for benchmarking.
  • Guardrails for responsible AI (content filtering, PII redaction).
  • Prompt Management and Flow for orchestration.
  • Serverless — pay per API call.

🌐 Real-World Integration with Other AWS Services

Enterprise AI Assistant (RAG):

Company Documents → S3 → Bedrock Knowledge Base
→ OpenSearch Serverless (Vector Store)
→ Bedrock Agent (Claude FM + Knowledge Base)
→ Lambda (Custom Tools for Bedrock Agent)
→ API Gateway → Web Application
→ DynamoDB (Conversation History)
→ CloudWatch (Usage Metrics + Cost Tracking)
→ Guardrails (Content Filtering)

Integrated Service | Role
S3 | Source documents for Knowledge Bases
OpenSearch | Vector store for semantic search in RAG
Lambda | Custom action tools for Bedrock Agents
DynamoDB | Stores conversation memory
CloudWatch | Monitors invocation latency, token usage
Guardrails | Filters harmful content and PII



💬 MESSAGING & INTEGRATION


Amazon SNS

Field | Details
Category | Messaging (Pub/Sub Notifications)
Full Name | Amazon Simple Notification Service

🔍 Why It Is Used

SNS is a fully managed pub/sub messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. It enables decoupled, event-driven architectures where one message triggers multiple subscribers simultaneously.

⚙️ Functionality

  • Topics as message channels; Subscriptions as consumers.
  • Protocols: SQS, Lambda, HTTP/HTTPS, email, SMS, mobile push (APNS, FCM, ADM).
  • Fan-out pattern: one message to many subscribers.
  • FIFO Topics for ordered, deduplicated messaging.
  • Message filtering with subscription filter policies.
  • Message encryption (SSE-SQS, SSE-KMS).
  • Dead-letter queues for failed deliveries.
  • Up to 12.5 million subscriptions per topic.

🌐 Real-World Integration with Other AWS Services

Order Processing System:

Order Service → SNS Topic (order.placed)
→ SQS Queue (Inventory Service) → Lambda (Update Stock)
→ SQS Queue (Billing Service) → Lambda (Charge Card)
→ SQS Queue (Notification Service) → Lambda → SES (Email)
→ Lambda (Fraud Check) → CloudWatch (Order Metrics)

Integrated Service | Role
SQS | Decoupled fan-out to multiple queue consumers
Lambda | Direct invocation on SNS message
SES | Email delivery triggered by SNS
CloudWatch | Metrics: message count, delivery failures
EventBridge | Alternative to SNS for event-driven patterns



Amazon SQS

Field | Details
Category | Messaging (Message Queue)
Full Name | Amazon Simple Queue Service

🔍 Why It Is Used

SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. It eliminates the complexity of managing message-oriented middleware.

⚙️ Functionality

  • Standard Queues: at-least-once delivery, nearly unlimited throughput.
  • FIFO Queues: exactly-once processing, ordered delivery, 3,000 TPS.
  • Dead Letter Queues (DLQ) for failed message handling.
  • Long polling to reduce empty receives.
  • Message retention: 1 minute to 14 days.
  • Visibility timeout for in-flight message processing.
  • Batch send, receive, delete operations.
  • SSE with KMS encryption.
  • Lambda Event Source Mapping.

🌐 Real-World Integration with Other AWS Services

Image Processing Pipeline:

S3 Upload → SNS → SQS Queue (Image Processing)
→ Lambda (Poll SQS) → EC2 Worker (Heavy Processing)
→ S3 (Processed Image) → DynamoDB (Metadata)
→ SNS → SQS DLQ (Failed messages) → CloudWatch (Queue Depth Alarm)
→ Auto Scaling (Scale workers based on queue depth)

Integrated Service | Role
Lambda | SQS as event source for serverless processing
SNS | Fan-out into SQS for multiple consumers
EC2 Auto Scaling | Scale based on SQS queue depth metric
CloudWatch | Queue depth and age metrics and alarms
DLQ | Dead-letter queue captures failed messages



Amazon EventBridge

Field | Details
Category | Messaging (Event Bus)
Full Name | Amazon EventBridge

🔍 Why It Is Used

EventBridge is a serverless event bus that connects applications using events. It enables event-driven architecture by routing events between AWS services, SaaS applications, and custom applications — with powerful filtering, routing, and transformation capabilities.

⚙️ Functionality

  • Default event bus (AWS service events) + custom event buses.
  • 90+ AWS service event sources (EC2, S3, RDS, CodePipeline…).
  • 20+ SaaS integrations (Zendesk, PagerDuty, Salesforce, GitHub).
  • Content-based event filtering and transformation.
  • Schema Registry for event structure discovery.
  • EventBridge Pipes for point-to-point event pipelines with enrichment.
  • EventBridge Scheduler for cron and rate-based scheduling.
  • Archive and replay of events.

🌐 Real-World Integration with Other AWS Services

Event-Driven Microservices Platform:

EC2 State Change → EventBridge (Default Bus)
→ Rule: Instance Terminated → Lambda (Cleanup Resources)
→ Rule: Instance Started → SSM (Run Patch Script)

CodePipeline Failure → EventBridge
→ Rule → SNS (Alert Dev Team) → Jira (Create Ticket via Lambda)

Custom Business Event → EventBridge (Custom Bus)
→ Rule: order.confirmed → SQS (Fulfillment Queue)
→ Rule: order.shipped → Lambda → SES (Customer Email)

Integrated Service | Role
Lambda | Most common EventBridge target for automation
SQS | EventBridge routes events to SQS queues
SNS | EventBridge triggers SNS notifications
Step Functions | EventBridge starts workflow executions
All AWS Services | EventBridge routes service events for automation



Amazon MQ

Field | Details
Category | Messaging (Managed Message Broker)
Full Name | Amazon MQ

🔍 Why It Is Used

Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ. It enables you to migrate existing applications that use standard messaging protocols (AMQP, MQTT, OpenWire, STOMP) to the cloud without rewriting code.

⚙️ Functionality

  • Supports Apache ActiveMQ and RabbitMQ.
  • Industry-standard APIs: JMS, NMS, AMQP, STOMP, MQTT, WebSocket.
  • Active/standby for high availability.
  • Storage backed by Amazon EFS (ActiveMQ) or EBS.
  • Encryption in transit and at rest.
  • VPC deployment for security.
  • CloudWatch integration for metrics.

🌐 Real-World Integration with Other AWS Services

Legacy Application Migration:

On-premises App (JMS) → Direct Connect/VPN
→ Amazon MQ (ActiveMQ Broker in VPC)
→ Consumer EC2/ECS Services (JMS Clients)
→ CloudWatch (Queue Depth, Consumer Count)
→ SNS (Alert on Dead Letter Queue)
→ Lambda (AMQP Consumer via Custom Integration)

Integrated Service | Role
VPC | MQ brokers run in private subnets
EC2 / ECS | Applications connect to MQ as JMS/AMQP clients
CloudWatch | Monitors broker and queue metrics
KMS | Encrypts MQ storage at rest



Amazon SES

Field | Details
Category | Messaging (Email Service)
Full Name | Amazon Simple Email Service

🔍 Why It Is Used

SES is a cost-effective, scalable email service for sending transactional, marketing, and bulk emails. It provides a reliable email sending infrastructure with high deliverability, used by thousands of applications worldwide.

⚙️ Functionality

  • Send and receive emails at scale.
  • Transactional (one-to-one) and bulk (newsletters) sending.
  • DKIM, SPF, and DMARC configuration for deliverability.
  • Email templates with variable substitution.
  • Dedicated IPs for sending reputation management.
  • Suppression list management.
  • Event notifications (bounces, complaints, deliveries) to SNS.
  • Virtual Deliverability Manager for reputation insights.
  • SES Mail Manager for inbound email processing.

🌐 Real-World Integration with Other AWS Services

E-Commerce Email System:

Order Confirmed → Lambda → SES (Order Confirmation Email)
Cognito Sign-up → SES (Verification Email)
Scheduled Marketing → Lambda (Cron) → SES Bulk Send
→ SES Events (Bounces/Complaints) → SNS → Lambda
→ DynamoDB (Update Suppression List)
→ CloudWatch (Delivery Rate, Bounce Rate)
→ S3 (Email Template Storage)

Integrated Service | Role
Lambda | Triggers email sends from application events
Cognito | Uses SES for verification and reset emails
SNS | Receives bounce/complaint event notifications
S3 | Stores inbound email via receipt rules
CloudWatch | Monitors send rates and deliverability metrics



AWS Step Functions

Field | Details
Category | Messaging (Workflow Orchestration)
Full Name | AWS Step Functions

🔍 Why It Is Used

Step Functions is a serverless orchestration service for coordinating multiple AWS services into scalable workflows using visual state machines. It handles retries, error handling, and parallel execution — eliminating complex custom orchestration code.

⚙️ Functionality

  • Visual workflow designer (Amazon States Language JSON/YAML).
  • Standard Workflows: long-running (up to 1 year), at-least-once.
  • Express Workflows: high-volume (100,000 TPS), at-least-once.
  • Built-in error handling: Catch, Retry with backoff.
  • Parallel and Map states for parallel execution.
  • 220+ AWS service integrations (optimistic and callback patterns).
  • Human approval steps (waitForTaskToken).
  • Execution history and visual debugging.

🌐 Real-World Integration with Other AWS Services

Order Fulfillment Workflow:

Order Created → EventBridge → Step Functions (Workflow)
→ State 1: Lambda (Validate Order)
→ State 2: Lambda (Reserve Inventory / DynamoDB)
→ State 3: Lambda (Process Payment / Stripe API)
→ State 4 (Parallel): Lambda (Notify Customer / SES)
                     + Lambda (Update Warehouse / SQS)
→ State 5: Lambda (Ship Order)
→ Error Handler: Lambda (Rollback + Notify)
→ CloudWatch (Execution Metrics) → X-Ray (Tracing)

Integrated Service | Role
Lambda | Task states execute Lambda functions
DynamoDB | Direct SDK integration for data operations
SQS / SNS | Sends messages as part of workflow steps
EventBridge | Triggers Step Functions on events
CloudWatch | Logs all execution states and transitions
X-Ray | End-to-end tracing through all workflow steps



Amazon AppFlow

Field | Details
Category | Messaging (SaaS Integration)
Full Name | Amazon AppFlow

🔍 Why It Is Used

AppFlow is a fully managed integration service for securely transferring data between AWS services and SaaS applications (Salesforce, ServiceNow, Slack, Google Analytics, SAP, and more) without writing code.

⚙️ Functionality

  • 50+ pre-built connectors for SaaS apps.
  • Bidirectional data flow: SaaS → AWS and AWS → SaaS.
  • On-demand, scheduled, or event-triggered flows.
  • Data transformation: filtering, mapping, merging, masking.
  • Private connectivity via PrivateLink.
  • Encryption in transit and at rest.
  • Data validation and error handling.

🌐 Real-World Integration with Other AWS Services

Salesforce (CRM) → AppFlow → S3 (Data Lake)
→ Glue (Transform) → Redshift (Analytics)
→ QuickSight (CRM Analytics Dashboard)
ServiceNow → AppFlow → S3 → Athena (Support Ticket Analysis)
Slack → AppFlow → S3 → Comprehend (Team Sentiment)

Integrated Service | Role
S3 | Primary destination for SaaS data
Redshift | Analytics destination for CRM/ERP data
EventBridge | Triggers AppFlow on events
KMS | Encrypts data in transit through AppFlow



🛠️ DEVELOPER TOOLS


AWS CodeCommit

Field | Details
Category | Developer Tools (Source Control)
Full Name | AWS CodeCommit

🔍 Why It Is Used

CodeCommit is a fully managed, private Git repository service hosted on AWS. It eliminates the need to manage your own source control servers, providing highly available, scalable, and secure code repositories integrated with the AWS ecosystem.

⚙️ Functionality

  • Fully managed private Git repositories.
  • Unlimited repository size.
  • Encryption at rest (KMS) and in transit (HTTPS/SSH).
  • IAM-based access control (no SSH key servers to manage).
  • Pull requests, code reviews, and branch protection.
  • Triggers and notifications to SNS/Lambda on repository events.
  • Cross-account repository access.
  • Integration with CodePipeline, CodeBuild, CodeGuru.

🌐 Real-World Integration with Other AWS Services

CI/CD Pipeline:

Developer → CodeCommit (Push Code)
→ EventBridge (Push Event) → CodePipeline (Trigger)
→ CodeBuild (Build & Test) → ECR (Push Image)
→ CodeDeploy (Deploy to EC2/ECS/Lambda)
→ SNS (Build Status Notifications) → CloudWatch (Pipeline Metrics)
→ CodeGuru (Code Review on PRs)

Integrated Service | Role
CodePipeline | Source stage in CI/CD pipeline
CodeBuild | Builds code from CodeCommit repo
EventBridge | Triggers pipelines on push events
Lambda | Custom automation triggered by repo events
SNS | Sends PR review and push notifications



AWS CodeBuild

Field | Details
Category | Developer Tools (CI Build Service)
Full Name | AWS CodeBuild

🔍 Why It Is Used

CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces deployment artifacts. It scales automatically and eliminates the need to manage your own Jenkins or CI servers.

⚙️ Functionality

  • Fully managed build environment (no servers to manage).
  • Pre-built environments: Ubuntu, Amazon Linux, Windows.
  • Custom Docker build environments via ECR.
  • buildspec.yml defines build steps.
  • Caching: S3 and local (for faster builds).
  • Concurrent builds with auto-scaling.
  • VPC support for accessing private resources during build.
  • Batch builds for parallelizing build phases.
  • Reports: Unit test, code coverage, integration test results.

🌐 Real-World Integration with Other AWS Services

Build & Test Pipeline:

CodeCommit/GitHub → CodePipeline → CodeBuild
→ Install Dependencies → Run Unit Tests
→ Run Security Scan (SAST) → Build Docker Image
→ Push to ECR → Artifacts to S3
→ Test Reports → CloudWatch (Build Metrics)
→ SNS (Build Pass/Fail Notification)
→ Secrets Manager (Build-time credentials)

Integrated Service | Role
CodePipeline | CodeBuild is the Build/Test stage
ECR | Push built Docker images
S3 | Stores build artifacts and cache
Secrets Manager | Provides API keys during build
CloudWatch | Build metrics, logs, and alarms



AWS CodeDeploy

Field | Details
Category | Developer Tools (Deployment Automation)
Full Name | AWS CodeDeploy

🔍 Why It Is Used

CodeDeploy automates application deployments to EC2, on-premises servers, Lambda, and ECS. It eliminates the need for error-prone manual updates and minimizes downtime with rolling and blue/green deployment strategies.

⚙️ Functionality

  • Deployment platforms: EC2/on-premises, Lambda, ECS.
  • Deployment strategies: In-Place, Blue/Green, Canary, Linear.
  • Lifecycle hooks for custom pre/post deployment scripts.
  • appspec.yml defines deployment configuration.
  • Automatic rollback on CloudWatch alarms.
  • Deployment groups for targeting instance sets.
  • Integration with ELB for traffic shifting in blue/green.
  • Deployment history and audit trail.

🌐 Real-World Integration with Other AWS Services

Blue/Green Deployment:

CodePipeline → CodeBuild (Build) → S3 (Artifact)
→ CodeDeploy (Blue/Green Deployment)
→ ALB (Shift 10% Traffic to Green)
→ CloudWatch (Monitor Error Rate)
→ Automatic Rollback (On 5xx Alarm)
→ SNS (Deployment Status Notification)
→ Lambda Deployment (Canary: 10% → 100%)

Integrated Service | Role
CodePipeline | Deploy stage triggers CodeDeploy
EC2 / ECS / Lambda | Deployment targets
ALB | Traffic shifting in blue/green deployments
CloudWatch | Triggers automatic rollback on alarms
S3 | Stores application deployment bundles



AWS CodePipeline

Field | Details
Category | Developer Tools (CI/CD Orchestration)
Full Name | AWS CodePipeline

🔍 Why It Is Used

CodePipeline is a fully managed continuous delivery service that automates the build, test, and deploy phases of the release process. It enables fast, reliable application and infrastructure updates at any cadence.

⚙️ Functionality

  • Visual pipeline with Stages and Actions.
  • Source integrations: CodeCommit, GitHub, ECR, S3, Bitbucket.
  • Build: CodeBuild, Jenkins.
  • Deploy: CodeDeploy, ECS, EKS, CloudFormation, Elastic Beanstalk, Lambda.
  • Manual approval actions.
  • Parallel actions within a stage.
  • Pipeline variables for dynamic configurations.
  • EventBridge integration for event-triggered pipelines.
  • Cross-account and cross-region actions.

🌐 Real-World Integration with Other AWS Services

Full CI/CD Pipeline:

GitHub Push → CodePipeline Source Stage
→ CodeBuild (Compile + Unit Tests)
→ Manual Approval (SNS Notification)
→ CodeBuild (Integration Tests)
→ CloudFormation (Deploy Infrastructure)
→ CodeDeploy (Deploy Application)
→ CloudWatch (Post-deployment monitoring)
→ SNS (Success/Failure Notification) → X-Ray (Tracing)

Integrated Service | Role
CodeCommit / GitHub | Source trigger for pipeline
CodeBuild | Build and test stage
CodeDeploy | Deploy stage to EC2/ECS/Lambda
CloudFormation | Infrastructure-as-code deployment stage
SNS | Pipeline state change notifications
EventBridge | Triggers pipelines on external events



AWS Cloud9

Field | Details
Category | Developer Tools (Cloud IDE)
Full Name | AWS Cloud9

🔍 Why It Is Used

Cloud9 is a cloud-based IDE that lets you write, run, and debug code from a browser. It comes pre-configured with essential tools for popular programming languages and provides direct terminal access to AWS services.

⚙️ Functionality

  • Browser-based IDE (no local setup required).
  • Pre-installed: AWS CLI, Node.js, Python, PHP, Ruby, Go, C++.
  • Terminal with pre-authenticated AWS access.
  • Real-time collaborative editing.
  • Built-in debugger for Lambda functions.
  • Direct integration with CodeCommit and CodePipeline.
  • Runs on EC2 (auto-hibernate to save costs) or SSH to existing servers.

🌐 Real-World Integration with Other AWS Services

Developer → Cloud9 (Browser IDE)
→ Terminal: AWS CLI for S3, EC2, Lambda operations
→ Direct Lambda Debugging (Step-through execution)
→ CodeCommit (Git push from Cloud9)
→ CodePipeline (Trigger build on push)
→ SAM CLI (Local Lambda testing in Cloud9)
→ CloudWatch Logs (View application logs)

Integrated Service | Role
Lambda | Cloud9 has built-in Lambda debugger
CodeCommit | Push code from Cloud9 terminal
EC2 | Cloud9 runs on an EC2 instance
SAM CLI | Local serverless testing within Cloud9



AWS X-Ray

Field | Details
Category | Developer Tools (Distributed Tracing)
Full Name | AWS X-Ray

🔍 Why It Is Used

X-Ray helps developers analyze and debug production distributed applications — providing end-to-end tracing of requests as they travel through microservices, Lambda functions, databases, and external APIs. It identifies performance bottlenecks and error sources.

⚙️ Functionality

  • Distributed tracing with Trace IDs across services.
  • Service Map showing dependencies and performance.
  • Segments and Subsegments for detailed timing.
  • Annotations and Metadata for custom trace data.
  • Sampling rules to control trace volume.
  • Insights for automatic anomaly detection.
  • Integration with EC2, ECS, Lambda, API Gateway, SNS, SQS, DynamoDB.
  • X-Ray SDK for popular languages (Java, Python, Node.js, .NET, Go).

🌐 Real-World Integration with Other AWS Services

Debugging Latency in Serverless App:

API Gateway (Trace Start) → Lambda (Trace Segment)
→ DynamoDB (Subsegment: 50ms) → S3 (Subsegment: 100ms)
→ External API (Subsegment: 500ms — Bottleneck!)
→ X-Ray Service Map (Visual flow + latency breakdown)
→ X-Ray Insights (Auto-detects latency anomalies)
→ CloudWatch (X-Ray metrics integration)

Integrated Service | Role
Lambda | Automatic tracing of function invocations
API Gateway | Traces start at API layer
DynamoDB | SDK auto-traces DynamoDB calls
ECS / EC2 | X-Ray daemon deployed as sidecar/agent
CloudWatch | X-Ray traces visible in CloudWatch ServiceLens



AWS CloudShell

Field | Details
Category | Developer Tools (Browser-based Shell)
Full Name | AWS CloudShell

🔍 Why It Is Used

CloudShell is a browser-based shell environment pre-authenticated with your AWS credentials, available directly from the AWS Console. It enables developers and admins to run AWS CLI commands instantly without local setup.

⚙️ Functionality

  • Pre-authenticated with Console IAM credentials.
  • Pre-installed: AWS CLI v2, Python, Node.js, git, jq, pip, npm.
  • 1 GB persistent storage per region.
  • Multiple concurrent shell sessions.
  • File upload/download capability.
  • Available in most AWS regions from the console toolbar.
  • Runs in a managed compute environment (no cost).

🌐 Real-World Integration with Other AWS Services

AWS Console → CloudShell (Instant Access)
→ AWS CLI → S3 (ls, cp, sync operations)
→ AWS CLI → EC2 (describe-instances, start/stop)
→ AWS CLI → Lambda (invoke, update-function-code)
→ AWS CLI → CloudFormation (deploy stacks)
→ boto3 (Python scripting against any AWS service)

Integrated Service | Role
All AWS Services | CloudShell provides CLI/SDK access to everything
IAM | Inherits Console user permissions
S3 | Upload/download files to/from CloudShell storage



Amazon CodeGuru

Field | Details
Category | Developer Tools (AI Code Review)
Full Name | Amazon CodeGuru

🔍 Why It Is Used

CodeGuru provides intelligent recommendations for improving code quality and identifying an application’s most expensive lines of code. It uses ML trained on millions of code reviews and application performance data from Amazon.

⚙️ Functionality

  • CodeGuru Reviewer: Automated code review using ML.
    • Detects bugs, security vulnerabilities, resource leaks.
    • Supports Java and Python.
    • Integrates with CodeCommit, GitHub, Bitbucket, GitLab.
  • CodeGuru Profiler: Identifies performance bottlenecks.
    • CPU and latency profiling for running applications.
    • Flame graphs for hotspot visualization.
    • Lambda, EC2, ECS, on-premises support.
  • CodeGuru Security: Detects security vulnerabilities in code (SAST).

🌐 Real-World Integration with Other AWS Services

Developer creates PR → CodeCommit/GitHub
→ CodeGuru Reviewer (Automated Code Review)
→ Annotations on PR (Bug/Security findings)
→ EC2/Lambda (Production App)
→ CodeGuru Profiler Agent (Runtime Performance)
→ CloudWatch (Profiling Anomaly Alerts)
→ SNS (Critical Finding Notifications)

Integrated Service | Role
CodeCommit / GitHub | Source for CodeGuru code review
CodePipeline | Integrate CodeGuru review into CI/CD
Lambda / EC2 | CodeGuru Profiler monitors running apps
CloudWatch | Profiling metrics and cost anomalies



📋 MANAGEMENT & GOVERNANCE


Amazon CloudWatch

Field | Details
Category | Management (Monitoring & Observability)
Full Name | Amazon CloudWatch

🔍 Why It Is Used

CloudWatch is the AWS observability platform for monitoring, logging, and alerting. It collects metrics, logs, and traces from virtually all AWS services and custom applications, providing a unified view of operational health.

⚙️ Functionality

  • Metrics: Time-series performance data from 70+ AWS services.
  • Logs: Centralized log collection, retention, and analysis (Log Insights).
  • Alarms: Threshold-based alerts with Auto Scaling and SNS actions.
  • Dashboards: Custom metric visualization.
  • Events/EventBridge: React to state changes and schedules.
  • ServiceLens: Observability for microservices (with X-Ray).
  • Container Insights: Metrics for ECS, EKS, Kubernetes.
  • Lambda Insights: Enhanced Lambda monitoring.
  • Anomaly Detection: ML-based metric anomaly alerts.
  • Synthetics: Canary testing for APIs and endpoints.

🌐 Real-World Integration with Other AWS Services

Full-Stack Observability:

EC2 / ECS / Lambda → CloudWatch Metrics (CPU, Memory, Errors)
Application Logs → CloudWatch Logs (Structured Logging)
→ CloudWatch Log Insights (Query & Analyze Logs)
→ CloudWatch Alarms → SNS (PagerDuty Alert)
                    → Auto Scaling (Scale EC2 fleet)
                    → Lambda (Automated remediation)
→ CloudWatch Dashboard (NOC View)
→ CloudWatch Synthetics (API Heartbeat Canaries)
→ X-Ray + ServiceLens (Distributed Tracing View)

Integrated Service | Role
All AWS Services | Every service publishes metrics to CloudWatch
SNS | CloudWatch Alarms trigger SNS notifications
Auto Scaling | Alarms trigger scale-out/in actions
Lambda | Alarms trigger Lambda for automated remediation
X-Ray | CloudWatch ServiceLens integrates X-Ray traces
EventBridge | CloudWatch Events route to EventBridge



AWS CloudTrail

Field | Details
Category | Management (Governance & Audit)
Full Name | AWS CloudTrail

🔍 Why It Is Used

CloudTrail records API calls and account activity across your AWS infrastructure. It provides a complete audit trail for security analysis, compliance, operational troubleshooting, and detecting unauthorized activity.

⚙️ Functionality

  • Records all AWS Management API calls (who, what, when, from where).
  • Management Events: control plane (create, delete, modify resources).
  • Data Events: S3 object-level, Lambda invocations, DynamoDB operations.
  • Insights: detects unusual write API activity patterns.
  • 90-day event history in console; indefinite retention in S3.
  • Multi-region and organization-wide trails.
  • Log file validation for tamper detection.
  • Integration with CloudWatch Logs and EventBridge.

🌐 Real-World Integration with Other AWS Services

Security Audit & Compliance:

All AWS API Calls → CloudTrail Logs → S3 (Long-term Archive)
→ CloudWatch Logs (Real-time Analysis)
→ CloudWatch Alarm (Root Login Alert) → SNS (Security Team)
→ EventBridge (Unauthorized IAM Change) → Lambda (Rollback)
→ Athena (SQL Queries on CloudTrail Logs for Investigation)
→ Security Hub (Compliance Evidence)
→ Macie (Scan CloudTrail Logs for PII)

Integrated Service | Role
S3 | Long-term, secure storage of CloudTrail logs
CloudWatch | Real-time alerts on specific API events
Athena | SQL analysis of CloudTrail logs in S3
EventBridge | Triggers automation on CloudTrail events
Security Hub | Uses CloudTrail for compliance checks
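
The "Root Login Alert" and "Unauthorized IAM Change" branches of the flow above, written as detection logic over CloudTrail records. This is an added example, not code from this guide or from AWS; the records are constructed, and the approved-principal allowlist (`ExampleDeployRole`) and the watched action list are assumptions.

```python
# Assumption: principals approved to change IAM (hypothetical deploy role).
ACCOUNT = "arn:aws:iam::111122223333"
APPROVED_IAM_ADMINS = {ACCOUNT + ":role/ExampleDeployRole"}

# IAM write actions to alert on; a subset chosen for this example.
IAM_WRITE_ACTIONS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "CreatePolicyVersion",
}

# Constructed CloudTrail records, trimmed to the fields the detections read.
SAMPLE_RECORDS = [
    {"eventID": "ex-0001", "eventTime": "2024-05-01T09:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": ACCOUNT + ":root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ex-0002", "eventTime": "2024-05-01T09:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": ACCOUNT + ":user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ex-0003", "eventTime": "2024-05-01T09:10:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {
         "type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/ExampleDeployRole/run-42",
         "sessionContext": {"sessionIssuer": {
             "type": "Role", "arn": ACCOUNT + ":role/ExampleDeployRole"}}}},
    {"eventID": "ex-0004", "eventTime": "2024-05-01T09:15:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": ACCOUNT + ":user/alice"}},
    {"eventID": "ex-0005", "eventTime": "2024-05-01T09:20:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "sourceIPAddress": "203.0.113.12", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": ACCOUNT + ":user/bob"}},
    {"eventID": "ex-0006", "eventTime": "2024-05-01T09:25:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": ACCOUNT + ":user/alice"}},
]


def principal_arn(record):
    """Return the long-lived principal behind a record.

    For assumed-role sessions the role ARN is in sessionContext.sessionIssuer;
    otherwise userIdentity.arn is used.
    """
    identity = record.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn") or "unknown"


def finding(rule, severity, record, detail):
    """Package a detection hit with the context a responder needs."""
    return {"rule": rule, "severity": severity, "detail": detail,
            "eventID": record.get("eventID"),
            "eventTime": record.get("eventTime"),
            "principal": principal_arn(record),
            "sourceIP": record.get("sourceIPAddress")}


def detect_root_console_login(record):
    """Flag any console sign-in by the account root user."""
    if (record.get("eventSource") != "signin.amazonaws.com"
            or record.get("eventName") != "ConsoleLogin"):
        return None
    if (record.get("userIdentity") or {}).get("type") != "Root":
        return None
    outcome = (record.get("responseElements") or {}).get("ConsoleLogin", "Unknown")
    mfa = (record.get("additionalEventData") or {}).get("MFAUsed", "Unknown")
    severity = "high" if outcome == "Success" else "medium"
    return finding("root_console_login", severity, record,
                   f"outcome={outcome} mfa={mfa}")


def detect_iam_change(record):
    """Flag denied IAM write attempts and writes by unapproved principals."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    action = record.get("eventName")
    if action not in IAM_WRITE_ACTIONS:
        return None
    error = record.get("errorCode")
    if error:
        if error.startswith("AccessDenied"):
            return finding("denied_iam_change", "medium", record, f"{action} denied")
        return None  # the call failed for another reason; nothing changed
    if principal_arn(record) not in APPROVED_IAM_ADMINS:
        return finding("unapproved_iam_change", "high", record, f"{action} succeeded")
    return None


def analyze(records):
    """Run every detection over every record, preserving record order."""
    detections = (detect_root_console_login, detect_iam_change)
    return [hit for record in records for detect in detections
            if (hit := detect(record)) is not None]


if __name__ == "__main__":
    for hit in analyze(SAMPLE_RECORDS):
        print(hit["severity"], hit["rule"], hit["principal"], hit["detail"])
```
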



AWS CloudFormation

Field | Details
Category | Management (Infrastructure-as-Code)
Full Name | AWS CloudFormation

🔍 Why It Is Used

CloudFormation enables you to model and provision AWS resources using code (JSON or YAML templates). It treats infrastructure the same way developers treat application code — allowing version control, repeatability, and automated deployment of entire environments.

⚙️ Functionality

  • Declarative JSON/YAML templates for 700+ AWS resource types.
  • Stacks: logical grouping of AWS resources.
  • Change Sets: preview changes before applying.
  • StackSets: deploy across multiple accounts and regions.
  • Nested Stacks: reusable template components.
  • Drift Detection: identify manual changes from desired state.
  • CloudFormation Registry: 3rd-party resource types.
  • Dynamic References: SSM Parameter Store, Secrets Manager.
  • Rollback on failure.
  • CloudFormation Guard for policy validation.

🌐 Real-World Integration with Other AWS Services

Infrastructure-as-Code Deployment:

Git (CloudFormation Templates) → CodePipeline
→ CloudFormation Change Set (Preview)
→ Manual Approval → CloudFormation Deploy
→ Creates: VPC + Subnets + EC2 + RDS + ALB + Lambda + IAM
→ Outputs → SSM Parameter Store (Shared across stacks)
→ CloudWatch (Stack Event Monitoring)
→ Config (Track drift from declared state)
→ SNS (Stack status notifications)

Integrated Service | Role
CodePipeline | Deploys CloudFormation stacks in CI/CD
Secrets Manager | Dynamic references for secrets in templates
SSM Parameter Store | Dynamic configuration references
Config | Monitors stack drift
SNS | Notifies on stack events (create, update, delete)



AWS Config

Field | Details
Category | Management (Configuration Compliance)
Full Name | AWS Config

🔍 Why It Is Used

Config continuously monitors and records AWS resource configurations and evaluates them against desired configurations using rules. It provides a detailed view of configuration changes, compliance status, and relationships between resources for governance and compliance.

⚙️ Functionality

  • Continuous recording of resource configuration changes.
  • Config Rules: AWS-managed (200+) and custom (Lambda-based).
  • Compliance timeline showing when a resource became non-compliant.
  • Configuration snapshots and history.
  • Relationship tracking (which EC2 uses which Security Group).
  • Conformance Packs for compliance frameworks (CIS, PCI DSS, HIPAA).
  • Remediation actions via SSM Automation.
  • Multi-account, multi-region aggregation.

🌐 Real-World Integration with Other AWS Services

Compliance Automation:

AWS Config (Continuous Recording) → Config Rules
→ Non-compliant: S3 Bucket Publicly Accessible
→ SNS (Alert Security Team)
→ Lambda (Auto-remediate: Block public access)
→ SSM Automation (Standard remediations)
→ Security Hub (Compliance findings)
→ CloudTrail (What changed and when)
→ Athena (Query Config history)

Integrated Service | Role
Lambda | Custom Config rules and auto-remediation
SSM | Automated remediation documents
Security Hub | Config findings feed into Security Hub
SNS | Non-compliance notifications
S3 | Config history and snapshots storage
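
A custom (Lambda-based) Config rule for the "S3 Bucket Publicly Accessible" case in the flow above, as an added example that is not code from this guide or from AWS. It checks only the bucket-level public access block recorded in the configuration item; the sample items are constructed, and `sample_item` and `example-bucket` are hypothetical names.

```python
import json

# The four bucket-level settings that together block public access.
REQUIRED_SETTINGS = ("blockPublicAcls", "ignorePublicAcls",
                     "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "Rule only evaluates S3 buckets."
    # Deleted resources still produce a notification; do not evaluate them.
    if item.get("configurationItemStatus") not in ("OK", "ResourceDiscovered"):
        return "NOT_APPLICABLE", "Resource was deleted or is not recorded."
    supplementary = item.get("supplementaryConfiguration") or {}
    block = supplementary.get("PublicAccessBlockConfiguration")
    if not isinstance(block, dict):
        return "NON_COMPLIANT", "No bucket-level public access block is configured."
    missing = [name for name in REQUIRED_SETTINGS if block.get(name) is not True]
    if missing:
        return "NON_COMPLIANT", "Settings not enabled: " + ", ".join(missing)
    return "COMPLIANT", "All four public access block settings are enabled."


def build_evaluation(invoking_event):
    """Turn a parsed invokingEvent into one PutEvaluations entry.

    Returns None when the notification carries no configurationItem
    (for example an oversized-item notification).
    """
    item = invoking_event.get("configurationItem")
    if item is None:
        return None
    compliance, annotation = evaluate_bucket(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes when a recorded bucket changes."""
    import boto3  # imported here so the evaluation logic above runs offline

    evaluation = build_evaluation(json.loads(event["invokingEvent"]))
    if evaluation is None:
        return "SKIPPED"
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]


def sample_item(block, status="OK", resource_type="AWS::S3::Bucket"):
    """Build a constructed configuration item for the demo (not real data)."""
    supplementary = {} if block is None else {"PublicAccessBlockConfiguration": block}
    return {"resourceType": resource_type, "resourceId": "example-bucket",
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T09:00:00.000Z",
            "supplementaryConfiguration": supplementary}


ALL_ON = dict.fromkeys(REQUIRED_SETTINGS, True)

if __name__ == "__main__":
    cases = {
        "locked down": sample_item(ALL_ON),
        "policy gap": sample_item(dict(ALL_ON, blockPublicPolicy=False)),
        "no block set": sample_item(None),
        "deleted": sample_item(ALL_ON, status="ResourceDeleted"),
    }
    for name, item in cases.items():
        print(name, "->", evaluate_bucket(item))
```

A NON_COMPLIANT result from this rule is what the SNS alert and the remediation Lambda in the flow would act on; an account-level public access block is outside what this bucket-level check sees.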



AWS Systems Manager

Field | Details
Category | Management (Operations Management)
Full Name | AWS Systems Manager (SSM)

🔍 Why It Is Used

Systems Manager provides a unified interface for viewing and controlling AWS infrastructure. It enables operational management of EC2, on-premises servers, and edge devices at scale — without requiring SSH/RDP access.

⚙️ Functionality

  • Session Manager: Browser/CLI SSH-less shell access (no bastion host needed).
  • Parameter Store: Secure hierarchical storage for config data and secrets.
  • Patch Manager: Automated OS patching.
  • Run Command: Execute scripts across fleets.
  • Automation: Runbooks for operational tasks.
  • Inventory: Collect metadata from managed instances.
  • OpsCenter: Aggregate and resolve operational issues.
  • Fleet Manager: Browser-based server management.
  • Distributor: Package deployment.

🌐 Real-World Integration with Other AWS Services

Fleet Operations Management:

EC2 Fleet (SSM Agent) → Systems Manager
→ Session Manager (No SSH / No Bastion Host needed)
→ Patch Manager (Auto-patch via EventBridge schedule)
→ Run Command (Execute scripts on 1000+ instances)
→ Parameter Store → Lambda (Config lookup)
                  → CloudFormation (Dynamic references)
→ OpsCenter → EventBridge (Auto-create OpsItems on alarms)
→ CloudWatch (SSM Compliance Metrics)
→ Config (Verify patch compliance)

Integrated Service | Role
EC2 / On-premises | SSM Agent manages these endpoints
CloudFormation | Dynamic references to Parameter Store
Lambda | Reads parameters from SSM Parameter Store
EventBridge | Triggers SSM Automation runbooks
Config | Verifies SSM patch compliance state



AWS Trusted Advisor

Field | Details
Category | Management (Best Practice Advisor)
Full Name | AWS Trusted Advisor

🔍 Why It Is Used

Trusted Advisor inspects your AWS environment and provides real-time recommendations to help you reduce costs, increase performance, improve security, enhance fault tolerance, and stay within service limits — following AWS best practices.

⚙️ Functionality

  • Automated checks across 5 categories: Cost, Performance, Security, Fault Tolerance, Service Limits.
  • Priority recommendations for highest-impact issues.
  • Security: detects open S3 buckets, unrestricted security group ports, MFA not enabled on root.
  • Cost: detects idle EC2, underutilized EBS, unused Elastic IPs.
  • Fault Tolerance: Multi-AZ checks for RDS, ELB, S3 versioning.
  • Service Limits: warns before hitting account quotas.
  • EventBridge integration for automated response.

🌐 Real-World Integration with Other AWS Services

Trusted Advisor (Weekly Checks)
→ Security Finding: Open SG Port 22 → SNS (Alert) → Lambda (Revoke Rule)
→ Cost Finding: Idle EC2 → SNS (Cost Team Alert)
→ Fault Tolerance: No Multi-AZ RDS → Ticket (Lambda → ServiceNow)
→ Service Limits: 80% of EC2 quota → SNS (Ops Alert) → Request Limit Increase
→ CloudWatch (TA Check Status Metrics) → Dashboard

Integrated Service | Role
EventBridge | Routes Trusted Advisor finding events
SNS | Sends notifications on check failures
Lambda | Automated remediation of Trusted Advisor findings
CloudWatch | Metrics dashboard for check statuses


AWS Control Tower

| Field | Details |
|---|---|
| Category | Management (Multi-Account Governance) |
| Full Name | AWS Control Tower |

🔍 Why It Is Used

Control Tower automates the setup and governance of a secure, multi-account AWS environment (Landing Zone) based on AWS best practices. It provides a centralized way to manage compliance and policies across an AWS Organization.

⚙️ Functionality

  • Landing Zone: automated, secure multi-account environment.
  • Account Factory: self-service account provisioning.
  • Guardrails: preventive (SCPs) and detective (Config rules) governance.
  • Mandatory guardrails: always enforced (MFA, CloudTrail, etc.).
  • Optional guardrails: selectable policies.
  • Dashboard: organization-wide compliance visibility.
  • Account Factory for Terraform (AFT) for IaC account provisioning.

🌐 Real-World Integration with Other AWS Services

Enterprise Landing Zone:

Control Tower → AWS Organizations (Account Structure)
→ Management Account → Log Archive Account → Audit Account
→ SCP Guardrails (Prevent disable CloudTrail/GuardDuty)
→ Account Factory → Provision Dev/Prod Accounts on-demand
→ Config Conformance Packs (CIS benchmark checks)
→ CloudTrail (Org-wide audit trail to Log Archive S3)
→ GuardDuty (Org-wide threat detection)
→ Security Hub (Centralized compliance view)

| Integrated Service | Role |
|---|---|
| Organizations | Control Tower orchestrates AWS Organization structure |
| Config | Detective guardrails use Config rules |
| CloudTrail | Org-wide trails configured by Control Tower |
| GuardDuty | Enabled org-wide by Control Tower |
| Service Catalog | Account Factory uses Service Catalog |


AWS Organizations

| Field | Details |
|---|---|
| Category | Management (Multi-Account Management) |
| Full Name | AWS Organizations |

🔍 Why It Is Used

Organizations enables central management of multiple AWS accounts, with consolidated billing, policy-based access control, and account grouping. It is the foundation for all enterprise multi-account strategies.

⚙️ Functionality

  • Hierarchical account structure: Root → OUs → Accounts.
  • Service Control Policies (SCPs): maximum permission boundaries for accounts.
  • Consolidated Billing: single bill across all accounts with volume discounts.
  • Delegated Administrator: assign account-level management.
  • AWS Resource Access Manager (RAM): share resources across accounts.
  • Tag policies: enforce consistent tagging.
  • Backup policies: enforce backup plans org-wide.
  • AI Services Opt-out policies.
  • Management Account: master billing and governance account.

🌐 Real-World Integration with Other AWS Services

Enterprise Multi-Account Strategy:

Management Account → Organizations (Master)
→ OU: Security (GuardDuty, Security Hub, CloudTrail aggregation)
→ OU: Infrastructure (Shared VPC, Transit Gateway, Direct Connect)
→ OU: Workloads
  → OU: Production → Prod-App1 Account, Prod-App2 Account
  → OU: Development → Dev Accounts
SCP: Deny disabling GuardDuty in all accounts
SCP: Restrict regions to us-east-1, eu-west-1 only
RAM: Share Transit Gateway across all accounts

| Integrated Service | Role |
|---|---|
| Control Tower | Automates Organizations setup with guardrails |
| RAM | Shares resources (TGW, Subnets) across org accounts |
| Security Hub | Org-delegated admin for centralized security |
| GuardDuty | Org-wide threat detection from delegated admin |
| Config | Org-wide compliance recording and aggregation |
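
The two SCPs named above ("Deny disabling GuardDuty" and "Restrict regions to us-east-1, eu-west-1 only"), which are also the preventive guardrails in the Control Tower flow, written out with a small deny evaluator to check them against sample requests. This is an added example, not a policy from this guide or from AWS: the global-service exemption list and the `SecurityBreakGlass` role are assumptions, and `matching_deny` and `scp_json` are hypothetical helpers.

```python
import json
from fnmatch import fnmatchcase

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]  # the two regions named on the page
# Assumption: global services exempted so the region lock does not break them.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "route53:*",
                   "cloudfront:*", "support:*"]
# Hypothetical break-glass role that may still change GuardDuty.
BREAK_GLASS = "arn:aws:iam::*:role/SecurityBreakGlass"

REGION_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
    "NotAction": GLOBAL_SERVICES, "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
}]}

GUARDDUTY_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyDisablingGuardDuty", "Effect": "Deny",
    "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
               "guardduty:DisassociateFromAdministratorAccount",
               "guardduty:DisassociateFromMasterAccount"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": [BREAK_GLASS]}},
}]}


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and allow * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(cond, ctx):
    # Handles only the two negated operators used above. As in IAM, a
    # negated operator holds when the key is absent from the request.
    for op, kv in cond.items():
        for key, want in kv.items():
            have = ctx.get(key, "")
            if op == "StringNotEquals":
                ok = have not in want
            elif op == "ArnNotLike":
                ok = not any(fnmatchcase(have, w) for w in want)
            else:
                raise ValueError(f"unsupported operator: {op}")
            if not ok:
                return False
    return True


def matching_deny(policies, action, ctx):
    """Sid of the first applicable Deny, or None (SCPs never grant access)."""
    for policy in policies:
        for st in policy["Statement"]:
            if st["Effect"] != "Deny":
                continue
            if "Action" in st:
                hit = _action_matches(st["Action"], action)
            else:
                hit = not _action_matches(st["NotAction"], action)
            if hit and _condition_holds(st.get("Condition", {}), ctx):
                return st["Sid"]
    return None


def scp_json(policy):
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > 5120:  # SCP document size limit, in characters
        raise ValueError("SCP exceeds 5120 characters")
    return text
```

A `None` result means only that no SCP blocks the call; an identity policy in the member account must still allow it, and SCPs do not apply to the management account.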


AWS CDK

| Field | Details |
|---|---|
| Category | Management (Infrastructure-as-Code) |
| Full Name | AWS Cloud Development Kit |

🔍 Why It Is Used

CDK lets you define cloud infrastructure using familiar programming languages (TypeScript, Python, Java, C#, Go) instead of YAML/JSON. It generates CloudFormation templates, bringing software engineering practices (reuse, testing, abstraction) to infrastructure code.

⚙️ Functionality

  • Define infrastructure in TypeScript, Python, Java, C#, Go.
  • Constructs: L1 (CloudFormation resources), L2 (opinionated resources), L3 (patterns).
  • CDK Pipelines for CI/CD of CDK applications.
  • CDK Nag for security best practice validation.
  • cdk diff, cdk deploy, cdk synth CLI commands.
  • Generates CloudFormation templates automatically.
  • CDK Aspects for policy enforcement across stacks.
  • Projen for CDK project bootstrapping.

🌐 Real-World Integration with Other AWS Services

CDK App (TypeScript/Python) → cdk synth
→ CloudFormation Template → cdk deploy
→ Creates: VPC, ECS Cluster, ALB, RDS, Lambda, IAM Roles
→ CDK Pipelines → CodePipeline (Auto deploy on Git push)
→ CloudFormation StackSets (Multi-region deployment)
→ CDK Nag (Security scan before deploy)
→ CloudWatch (Monitor deployed resources)

| Integrated Service | Role |
|---|---|
| CloudFormation | CDK synthesizes to CloudFormation templates |
| CodePipeline | CDK Pipelines creates self-mutating pipelines |
| All AWS Services | CDK constructs for every AWS resource type |


📡 IoT SERVICES


AWS IoT Core

| Field | Details |
|---|---|
| Category | IoT (Device Connectivity) |
| Full Name | AWS IoT Core |

🔍 Why It Is Used

IoT Core lets connected devices interact with AWS cloud applications and other devices reliably and securely at massive scale (billions of devices). It manages device connections and routes messages to the right AWS services without managing servers.

⚙️ Functionality

  • MQTT, HTTPS, WebSocket, LoRaWAN connectivity.
  • Device Registry for managing device metadata.
  • Device Shadow for virtual state representation (offline/online sync).
  • Rules Engine: SQL-like rules routing messages to 10+ AWS services.
  • Authentication: X.509 certificates, AWS SigV4, custom authorizers.
  • Fleet Indexing for device search and aggregation.
  • Jobs for remote device management and OTA updates.
  • IoT Defender for device security monitoring.
  • IoT Events for state-machine event detection.

🌐 Real-World Integration with Other AWS Services

Smart Building IoT System:

IoT Sensors (MQTT) → IoT Core (Rules Engine)
→ Kinesis (High-throughput data stream)
→ Lambda (Alert on threshold breach)
→ Timestream (Time-series sensor data)
→ S3 (Raw data archive) → Athena (Historical analysis)
→ SNS (Alert on anomaly) → DynamoDB (Device Shadow state)
→ Grafana → Timestream (Real-time dashboard)
→ IoT Greengrass (Local edge processing)

| Integrated Service | Role |
|---|---|
| Kinesis | IoT Core rules route to Kinesis for streaming |
| Lambda | Processes IoT messages from rules engine |
| Timestream | Stores time-series IoT telemetry |
| S3 | Archives raw IoT data |
| DynamoDB | Stores device state from IoT Device Shadow |
| SNS | Alerts on critical IoT events |


AWS IoT Greengrass

| Field | Details |
|---|---|
| Category | IoT (Edge Computing) |
| Full Name | AWS IoT Greengrass |

🔍 Why It Is Used

Greengrass extends AWS capabilities to edge devices, enabling local compute, ML inference, data caching, and messaging when connectivity is intermittent or latency must be minimized. It brings cloud intelligence to the device.

⚙️ Functionality

  • Run Lambda functions and Docker containers at the edge.
  • Local MQTT messaging between edge devices.
  • Machine learning inference (SageMaker models) at edge.
  • OTA (Over-the-Air) component updates.
  • Local data processing and caching.
  • Synchronize device state with IoT Core when online.
  • Greengrass Components for modular deployments.
  • Stream Manager for local data buffering and S3 export.

🌐 Real-World Integration with Other AWS Services

Industrial Edge ML:

Factory Camera → Greengrass (Edge Device)
→ Local Lambda (Image Preprocessing)
→ SageMaker Model (Defect Detection Inference — Local)
→ Local DynamoDB Sync → IoT Core (When Online)
→ S3 (Defect Image Upload) → SageMaker (Model Retraining)
→ CloudWatch (Edge Device Metrics)
→ IoT Core Jobs (Deploy Updated ML Model to Fleet)

| Integrated Service | Role |
|---|---|
| IoT Core | Greengrass syncs state and data to IoT Core |
| Lambda | Runs local Lambda functions at edge |
| SageMaker | Deploys ML models to Greengrass devices |
| S3 | Local data exported to S3 when connected |
| CloudWatch | Centralized monitoring of edge devices |


AWS IoT Analytics

| Field | Details |
|---|---|
| Category | IoT (Analytics) |
| Full Name | AWS IoT Analytics |

🔍 Why It Is Used

IoT Analytics is a fully managed service for running sophisticated analytics on massive volumes of IoT data. It handles the complex pre-processing steps (filtering, enriching, transforming) required for IoT data before analytics.

⚙️ Functionality

  • Channels: ingest IoT data from IoT Core.
  • Pipelines: transform, filter, and enrich data.
  • Data Stores: time-optimized storage for processed IoT data.
  • Datasets: SQL and containerized ML queries.
  • Integration with SageMaker for ML on IoT data.
  • QuickSight for IoT data visualization.
  • Scheduled and on-demand dataset content generation.

🌐 Real-World Integration with Other AWS Services

IoT Devices → IoT Core → IoT Analytics Channel
→ Pipeline (Filter Noise, Enrich with Device Metadata)
→ Data Store (Processed IoT Data)
→ Dataset (SQL: Temperature by Device per Hour)
→ SageMaker (Predictive Maintenance Model)
→ QuickSight (IoT Analytics Dashboard)
→ Lambda (Anomaly Alert on Dataset Refresh)

| Integrated Service | Role |
|---|---|
| IoT Core | Data source for IoT Analytics |
| SageMaker | ML models trained on IoT Analytics datasets |
| QuickSight | Visualizes IoT Analytics datasets |
| Lambda | Automates actions on new dataset content |


AWS IoT SiteWise

| Field | Details |
|---|---|
| Category | IoT (Industrial Equipment Monitoring) |
| Full Name | AWS IoT SiteWise |

🔍 Why It Is Used

SiteWise is a managed service for collecting, organizing, and analyzing industrial equipment data at scale. It models industrial operations hierarchically and calculates real-time metrics (OEE, availability, quality) from equipment data.

⚙️ Functionality

  • Asset models for representing industrial equipment hierarchy.
  • SiteWise Edge gateway for on-premises data collection (OPC-UA, Modbus).
  • Built-in metrics: sum, average, standard deviation.
  • SiteWise Monitor: web portal for operational dashboards.
  • Alarms on equipment thresholds.
  • Integration with IoT Core for data routing.
  • Bulk data export to S3 for ML and analytics.

🌐 Real-World Integration with Other AWS Services

Industrial Equipment (OPC-UA) → SiteWise Edge Gateway
→ IoT SiteWise (Asset Models + Metrics)
→ IoT Core (Data routing)
→ Timestream / S3 (Time-series archival)
→ SageMaker (Predictive Maintenance)
→ QuickSight / SiteWise Monitor (OEE Dashboards)
→ SNS (Equipment Threshold Alarms)

| Integrated Service | Role |
|---|---|
| IoT Core | Routes SiteWise data to other services |
| S3 | Bulk export of equipment data |
| SageMaker | ML for predictive maintenance |
| Timestream | Long-term time-series storage |
| QuickSight | Industrial analytics dashboards |


🚀 MIGRATION & TRANSFER


AWS Migration Hub

| Field | Details |
|---|---|
| Category | Migration (Centralized Tracking) |
| Full Name | AWS Migration Hub |

🔍 Why It Is Used

Migration Hub provides a single location to track the progress of application migrations across multiple AWS and partner migration tools. It gives visibility into all migrations so you can choose the right tools without tracking progress in spreadsheets.

⚙️ Functionality

  • Centralized migration tracking dashboard.
  • Integrates with Application Discovery Service (ADS).
  • Tracks migrations from Server Migration Service, DMS, CloudEndure.
  • Migration Strategy Recommendations.
  • Migration Hub Orchestrator for automated migration workflows.
  • Journey mapping: discover → assess → mobilize → migrate → operate.

🌐 Real-World Integration with Other AWS Services

On-premises (Application Discovery Service → Inventory)
→ Migration Hub (Assess: Right-size recommendations)
→ Server Migration Service (Lift-and-shift VMs to EC2)
→ DMS (Migrate databases to RDS/Aurora)
→ Migration Hub (Track progress centrally)
→ CloudFormation (Rebuild infrastructure)
→ CloudEndure Migration (Continuous replication)

| Integrated Service | Role |
|---|---|
| DMS | Database migration tracked in Migration Hub |
| SMS | VM migrations tracked in Migration Hub |
| CloudEndure | Continuous replication reported to Migration Hub |
| ADS | Discovery data feeds Migration Hub inventory |


AWS DMS

| Field | Details |
|---|---|
| Category | Migration (Database Migration) |
| Full Name | AWS Database Migration Service |

🔍 Why It Is Used

DMS helps you migrate databases to AWS quickly and securely. The source database remains fully operational during migration, minimizing downtime for applications that rely on the database.

⚙️ Functionality

  • Homogeneous: Oracle → RDS Oracle, MySQL → RDS MySQL.
  • Heterogeneous (with Schema Conversion Tool): Oracle → Aurora PostgreSQL.
  • Full Load + Change Data Capture (CDC) for live migration.
  • Replication Instance managed by AWS.
  • Schema Conversion Tool (SCT) for heterogeneous migrations.
  • Data validation to ensure source and target match.
  • Supports: Oracle, SQL Server, MySQL, PostgreSQL, MongoDB, Redshift, S3, DynamoDB, and more.
  • Ongoing replication for data synchronization.

🌐 Real-World Integration with Other AWS Services

Database Migration to Aurora:

Oracle DB (On-premises) → SCT (Schema Conversion)
→ DMS Replication Instance (Full Load + CDC)
→ Aurora PostgreSQL (Target)
→ CloudWatch (Replication Lag Monitoring)
→ SNS (Replication Error Alerts)
→ DMS Validation (Row counts, data integrity)
→ Migration Hub (Progress Tracking)
→ VPC / Direct Connect (Secure migration network)

| Integrated Service | Role |
|---|---|
| RDS / Aurora | Primary migration targets |
| S3 | Target for data lake migrations |
| Direct Connect | Secure high-speed migration network |
| CloudWatch | Monitors replication performance and lag |
| Migration Hub | Tracks DMS migration progress |


AWS Snowball

| Field | Details |
|---|---|
| Category | Migration (Physical Data Transfer) |
| Full Name | AWS Snowball / Snowball Edge / Snowmobile |

🔍 Why It Is Used

Snowball provides physical data transfer devices for migrating large amounts of data to AWS when network transfer would be too slow, too expensive, or impractical. It is ideal for multi-terabyte to exabyte-scale migrations.

⚙️ Functionality

  • Snowball Edge Storage Optimized: 80 TB, data transfer + edge compute.
  • Snowball Edge Compute Optimized: 42 TB, strong compute for edge ML.
  • Snowcone: 8 TB, ultra-portable for remote/harsh locations.
  • Snowmobile: 100 PB, truck-mounted for exabyte migrations.
  • AES-256 encryption with KMS.
  • Tamper-resistant, ruggedized enclosures.
  • Run EC2 instances and Lambda on Snowball Edge.
  • E-ink shipping label for automatic routing.

🌐 Real-World Integration with Other AWS Services

Petabyte Data Center Migration:

On-premises Data Center → Snowball Edge (80 TB devices)
→ Copy TBs of Data (Encrypted AES-256 with KMS)
→ Ship to AWS → Data Imported to S3
→ Glue (ETL Processing) → Redshift (Analytics)
→ CloudTrail (Transfer audit) → S3 Versioning (Data protection)
→ Migration Hub (Progress tracking)

| Integrated Service | Role |
|---|---|
| S3 | Data imported from Snowball to S3 |
| KMS | Encrypts all data on Snowball devices |
| Glue | Processes imported data in S3 |
| Lambda | Runs locally on Snowball Edge for pre-processing |
| Migration Hub | Tracks Snowball jobs as part of migration |


AWS DataSync

| Field | Details |
|---|---|
| Category | Migration (Online Data Transfer) |
| Full Name | AWS DataSync |

🔍 Why It Is Used

DataSync is an online data transfer service that automates and accelerates copying data between on-premises storage and AWS storage services. It transfers up to 10× faster than open-source tools and handles scheduling, monitoring, and data integrity validation automatically.

⚙️ Functionality

  • Transfers NFS, SMB, HDFS, self-managed object storage to/from S3, EFS, FSx.
  • Automatic data validation (checksums).
  • Scheduling: hourly, daily, weekly, or custom cron.
  • Bandwidth throttling.
  • Agent deployed on-premises (VM or Snowcone).
  • Task Reports for transfer auditing.
  • End-to-end encryption (TLS in transit, SSE at rest).

🌐 Real-World Integration with Other AWS Services

Hybrid File Migration:

On-premises NFS Server → DataSync Agent
→ Direct Connect / Internet (TLS encrypted)
→ S3 / EFS / FSx for Windows (Destination)
→ CloudWatch (Transfer Speed, Files Transferred)
→ SNS (Task completion or failure notification)
→ EventBridge (Trigger post-migration Lambda)

| Integrated Service | Role |
|---|---|
| S3 / EFS / FSx | Destination storage for DataSync transfers |
| Direct Connect | High-speed, private transfer network |
| CloudWatch | Monitors transfer task metrics |
| SNS | Notifications on task completion/failure |
| EventBridge | Post-transfer automation triggers |


💰 COST MANAGEMENT


AWS Cost Explorer

| Field | Details |
|---|---|
| Category | Cost Management (Analysis) |
| Full Name | AWS Cost Explorer |

🔍 Why It Is Used

Cost Explorer provides an interactive interface for visualizing, understanding, and managing AWS costs and usage over time. It helps identify cost trends, cost drivers, and opportunities for optimization.

⚙️ Functionality

  • Visualize costs by service, account, region, tag, usage type.
  • 12 months of historical data, up to 12 months forecasting.
  • RI/Savings Plans utilization and coverage reports.
  • Cost anomaly detection with automated alerts.
  • Right-sizing recommendations for EC2.
  • Granular data: hourly granularity (12 months).
  • API access for custom cost analytics.
  • Linked account cost breakdown in Organizations.

🌐 Real-World Integration with Other AWS Services

All AWS Services → Cost & Usage Report → S3
→ Athena (SQL queries on detailed billing data)
→ QuickSight (Custom cost dashboards)
→ Cost Explorer API → Lambda (Custom cost reports)
→ Cost Anomaly Detection → SNS (Alert FinOps team)
→ AWS Budgets (Automated cost control actions)
→ Organizations (Cross-account cost visibility)

| Integrated Service | Role |
|---|---|
| S3 | Cost & Usage Report stored in S3 for analysis |
| Athena | Query detailed billing data |
| QuickSight | Custom FinOps cost dashboards |
| SNS | Cost anomaly detection alerts |
| Organizations | Multi-account cost consolidation |


AWS Budgets

| Field | Details |
|---|---|
| Category | Cost Management (Budget Control) |
| Full Name | AWS Budgets |

🔍 Why It Is Used

AWS Budgets lets you set custom cost and usage budgets that alert you when you exceed or are forecasted to exceed a threshold. It enables proactive cost governance with automated alerting and even automated actions to prevent overspending.

⚙️ Functionality

  • Budget types: Cost, Usage, RI Coverage/Utilization, Savings Plans.
  • Alert thresholds: actual or forecasted, % or absolute.
  • Multiple notifications per budget.
  • Budget Actions: automatically apply IAM policies, SCPs, or stop EC2/RDS when over budget.
  • Reports: scheduled PDF/CSV budget snapshots.
  • Budgets Dashboard for portfolio view.
  • Integration with Chatbot for Slack/Chime notifications.

🌐 Real-World Integration with Other AWS Services

FinOps Cost Governance:

AWS Budgets (Monthly $10,000 Cost Budget)
→ Alert at 80%: SNS → Email / Slack (via Chatbot)
→ Alert at 100%: SNS → Lambda (Tag alert to resources)
→ Budget Action at 100%: Apply SCP (Deny EC2 launches)
→ Budget Action: Stop Dev EC2 Instances (SSM)
→ Cost Explorer (Analyze what drove overage)
→ Organizations (Per-account / per-OU budgets)

| Integrated Service | Role |
|---|---|
| SNS | Sends budget threshold notifications |
| Lambda | Custom actions triggered by budget alerts |
| Chatbot | Slack/Chime notifications from Budgets |
| Organizations | Budget per account/OU in multi-account setup |
| IAM / SCP | Budget Actions apply guardrail policies automatically |


📖 Quick Reference Summary

| Category | Key Services | Best For |
|---|---|---|
| Compute | EC2, Lambda, ECS, EKS, Fargate | Running workloads: VMs, containers, serverless |
| Storage | S3, EBS, EFS, Glacier, FSx | Objects, block, file, and archival storage |
| Database | RDS, Aurora, DynamoDB, Redshift, ElastiCache | Relational, NoSQL, DW, caching |
| Networking | VPC, CloudFront, Route 53, API Gateway, ELB | Connectivity, CDN, DNS, API management |
| Security | IAM, Cognito, GuardDuty, WAF, KMS, Shield | Identity, threat detection, encryption |
| Analytics | Athena, Kinesis, Glue, Redshift, OpenSearch | Batch, streaming, ETL, BI |
| ML/AI | SageMaker, Bedrock, Rekognition, Lex | Custom ML, generative AI, vision, NLP |
| Messaging | SNS, SQS, EventBridge, Step Functions | Pub/sub, queues, event routing, workflows |
| Dev Tools | CodePipeline, CodeBuild, CodeDeploy, X-Ray | CI/CD, deployment, tracing |
| Management | CloudWatch, CloudTrail, CloudFormation, Config | Monitoring, audit, IaC, compliance |
| IoT | IoT Core, Greengrass, SiteWise | Device connectivity, edge computing |
| Migration | DMS, Snowball, DataSync | Database, bulk, and online data migration |
| Cost | Cost Explorer, Budgets | FinOps, cost visibility, budget control |

📌 Note: AWS continuously releases new services and updates existing ones. Always refer to the official AWS documentation for the most current information.
