← All Certifications Cloud Certifications

Cloud Certification Prep

Study guides, domain breakdowns, and practice questions for AWS, Microsoft Azure, and Google Cloud certifications — from foundational cloud literacy to advanced security and architecture specialisations.

Amazon Web Services

AWS Certifications

AWS certifications span foundational, associate, professional, and specialty levels. The recommended starting point is AWS Cloud Practitioner for non-technical roles, or AWS Solutions Architect – Associate for engineers and developers. All exams are multiple-choice and scenario-based.

AWS certification ladder

Foundational · CLF-C02

AWS Cloud Practitioner

Cloud concepts, AWS core services (EC2, S3, RDS, VPC, IAM), pricing models (on-demand, reserved, spot, savings plans), shared responsibility model, and the AWS Well-Architected Framework pillars. Ideal first cert for non-technical cloud decision-makers and business stakeholders. 90-minute exam, 65 questions.

Associate · SAA-C03

AWS Solutions Architect – Associate

The most popular AWS cert globally. Design resilient, performant, secure, and cost-optimised architectures. Covers VPC design, EC2, ECS, Lambda, S3, RDS, DynamoDB, CloudFront, Route 53, IAM, KMS, and auto scaling. Domains: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), Design Cost-Optimised Architectures (20%).

Associate · DVA-C02

AWS Developer – Associate

Application deployment on AWS — Lambda functions, API Gateway, DynamoDB, Cognito, CodePipeline, CodeDeploy, SAM (Serverless Application Model), and AWS SDK integration. Covers the full developer workflow on AWS including CI/CD, monitoring (CloudWatch, X-Ray), and containerisation (ECS, ECR).

Associate · SOA-C02

AWS SysOps Administrator – Associate

Operations on AWS — monitoring and alerting (CloudWatch, AWS Config, CloudTrail), cost management, storage management, deployment and provisioning, high availability, and security operations. The only AWS associate exam with a hands-on lab component (AWS console tasks timed during the exam).

Professional · SAP-C02

AWS Solutions Architect – Professional

Advanced architecture design for complex, multi-account AWS environments. Covers AWS Organizations, Service Control Policies (SCPs), Transit Gateway, Direct Connect, advanced IAM, data migration strategies, multi-region disaster recovery, and advanced cost optimisation. 180-minute exam, 75 questions. Recommended: 2+ years AWS architecture experience.

Specialty · SCS-C02

AWS Security – Specialty

Advanced cloud security: IAM policies and permission boundaries, KMS and CloudHSM, VPC security controls (security groups, NACLs, VPC endpoints), GuardDuty, Security Hub, Macie, Inspector, WAF and Shield, AWS Config compliance, CloudTrail log analysis, and incident response in AWS. The security engineer's certification of choice for AWS environments.

Microsoft Azure

Microsoft Azure Certifications

Microsoft's role-based certification framework covers fundamentals, associate, and expert tracks across administration, development, AI, data, and security. The AZ-900 is the foundational starting point; the SC-series certs are the security specialist track.

Fundamentals · AZ-900

Azure Fundamentals

Cloud computing concepts, Azure services overview, core architectural components (regions, availability zones, resource groups, subscriptions), Azure pricing, SLAs, and the Azure Well-Architected Framework. Non-technical friendly — 45 minutes, 40–60 questions.

Fundamentals · SC-900

Security, Compliance & Identity Fundamentals

Foundational security concepts, Microsoft Entra ID (formerly Azure AD) basics, Microsoft Defender for Cloud overview, Microsoft Sentinel basics, Microsoft Purview compliance, and the shared responsibility model. Entry-level for non-technical security and compliance stakeholders.

Associate · AZ-104

Azure Administrator

Manage Azure subscriptions and governance, implement and manage storage, deploy and manage Azure compute resources, configure and manage virtual networking, and monitor and maintain Azure resources. Key skills: Azure Policy, RBAC, VNet peering, NSG rules, Azure Monitor, and Azure Backup. 100-120 minutes, 40–60 questions.

Associate · AZ-500

Azure Security Engineer

The core Azure security certification. Domains: Manage Identity and Access (25–30%), Secure Networking (20–25%), Secure Compute, Storage, and Databases (20–25%), Manage Security Operations (25–30%). Key areas: Microsoft Entra ID PIM, Conditional Access, Defender for Cloud, Microsoft Sentinel, Key Vault, Private Endpoints, and DDoS Protection.

Associate · SC-200

Microsoft Security Operations Analyst

SOC analyst certification for the Microsoft security stack. Covers Microsoft Sentinel (workspace design, analytics rules, workbooks, playbooks/SOAR), Microsoft Defender XDR (Defender for Endpoint, Office 365, Identity, Cloud Apps), and threat hunting with KQL. Strong KQL query writing is essential for this exam.

Associate · SC-300

Microsoft Identity and Access Administrator

Microsoft Entra ID (Azure AD) deep dive: user and group management, Conditional Access policies, Privileged Identity Management (PIM), Microsoft Entra ID Governance, External Identities (B2B, B2C), enterprise application SSO (SAML, OIDC), and authentication method management including FIDO2 and passwordless.

Expert · AZ-305

Azure Solutions Architect Expert

Advanced architecture: identity and governance (management groups, Azure Policy, Blueprints), data storage solutions, business continuity (site recovery, backup, multi-region HA), infrastructure design (hub-and-spoke, Virtual WAN), application architecture, and migration strategies. Co-prerequisite: AZ-104.

Expert · SC-100

Microsoft Cybersecurity Architect

Senior-level security architecture across Microsoft security technologies. Covers Zero Trust strategy, GRC integration with Microsoft compliance tools, security posture management, threat modelling, and designing security for hybrid and multi-cloud scenarios using Microsoft security frameworks. Requires an associate-level security cert as prerequisite.

Google Cloud

Google Cloud Certifications

Google Cloud certifications are known for being scenario-heavy and requiring deep practical knowledge of GCP architecture patterns. The Associate Cloud Engineer is the recommended entry point for technical roles.

Foundational · Cloud Digital Leader

Cloud Digital Leader

Non-technical cloud literacy certification covering Google Cloud capabilities, data and AI products, infrastructure modernisation, and business transformation use cases. Suitable for business decision-makers and non-engineers beginning cloud adoption.

Associate · ACE

Associate Cloud Engineer

Deploy applications, monitor operations, and manage enterprise solutions using Google Cloud. Key services: Compute Engine, GKE (Google Kubernetes Engine), Cloud Run, Cloud Storage, Cloud SQL, BigQuery, Cloud IAM, VPC networking, and Cloud Monitoring. 2-hour exam, ~50 questions. Strong gcloud CLI knowledge required.

Professional · Cloud Architect

Professional Cloud Architect

Design, develop, and manage robust, secure, scalable, and dynamic GCP solutions. The most widely held Google Cloud professional cert. Covers solution design, security and compliance, HA and DR, and cost optimisation across all major GCP services. Known for complex scenario-based case study questions.

Professional · Cloud Security Engineer

Professional Cloud Security Engineer

Security architecture for Google Cloud: Cloud IAM (custom roles, service accounts, Workload Identity Federation), VPC security (firewall rules, Private Google Access, VPC Service Controls), encryption (CMEK, CSEK, Cloud HSM), BeyondCorp/Zero Trust (Identity-Aware Proxy, Certificate Authority Service), and Security Command Centre.

Professional · Cloud DevOps Engineer

Professional Cloud DevOps Engineer

Site reliability engineering on GCP: Cloud Build, Cloud Deploy, Artifact Registry, GKE operations, Cloud Monitoring and Logging, Service Level Objective design, error budgets, and incident management using Google Cloud Operations Suite.

Professional · Cloud Network Engineer

Professional Cloud Network Engineer

Advanced GCP networking: VPC design, Shared VPC, VPC peering, Cloud Interconnect, Cloud VPN, Cloud CDN, Cloud Load Balancing (HTTP/S, SSL, TCP/UDP), Cloud Armor, Private Service Connect, and hybrid connectivity architecture.

AWS SAA-C03 and AZ-500 sample questions

Practice Questions — Cloud Certifications

1. (AWS SAA-C03) A company needs to store financial audit logs for 7 years. The logs are rarely accessed after the first 30 days but must be retrievable within 12 hours if needed. Which is the MOST cost-effective storage solution?

  • A) Amazon S3 Standard throughout the retention period
  • B) Amazon S3 Standard for 30 days, then transition to S3 Glacier Flexible Retrieval
  • C) Amazon S3 Standard for 30 days, then transition to S3 Glacier Instant Retrieval
  • D) Amazon EBS gp3 volume with automated snapshots
Answer: B S3 Glacier Flexible Retrieval offers the lowest storage cost for rarely accessed archival data and supports retrieval within 1–12 hours (bulk) or 3–5 hours (standard). S3 Instant Retrieval (C) is more expensive per GB and is designed for millisecond retrieval — unnecessary here. S3 Standard (A) is far more expensive for 7-year retention. EBS (D) is block storage, not designed for audit log archival.

2. (AZ-500) A security engineer needs to ensure that Azure Key Vault secrets can only be accessed by a specific Azure VM and not by any other identities. Which approach provides the MOST secure and maintainable solution?

  • A) Store the Key Vault access key in the VM's environment variables
  • B) Assign a system-assigned managed identity to the VM and grant it Key Vault Secrets User role
  • C) Create a service principal with a client secret and configure the VM to use it for authentication
  • D) Configure a Key Vault access policy allowing all VMs in the resource group
Answer: B System-assigned managed identity is the correct answer. It creates an identity tied to the VM lifecycle (deleted when the VM is deleted), requires no credential management, and integrates natively with Azure RBAC. Granting Key Vault Secrets User role (RBAC) on the specific vault is the modern recommended approach over access policies. Service principals (C) require managing and rotating client secrets. Environment variables (A) expose credentials. Resource group-wide policies (D) violate least privilege.

3. (AWS SAA-C03) An application running on EC2 instances needs to access an S3 bucket in the same account. The security team requires that no traffic traverse the public internet. Which solution fulfils this requirement?

  • A) Configure the S3 bucket with a public bucket policy
  • B) Enable S3 Transfer Acceleration
  • C) Create a VPC Gateway Endpoint for S3 and update the route table
  • D) Use an AWS Direct Connect connection to route S3 traffic
Answer: C A VPC Gateway Endpoint for S3 allows EC2 instances to access S3 using private AWS network paths — traffic never traverses the public internet. It requires adding a route table entry pointing S3 traffic to the gateway endpoint. Direct Connect (D) is for on-premises connectivity, not VPC-to-S3. Transfer Acceleration (B) routes through CloudFront edge locations — still crosses the internet.
Recommended learning paths

Cloud Certification Study Paths

AWS Security Path

  1. AWS Cloud Practitioner (CLF-C02) — 4 weeks
  2. AWS Solutions Architect – Associate (SAA-C03) — 10 weeks
  3. AWS Security – Specialty (SCS-C02) — 12 weeks

Azure Security Path

  1. AZ-900 Azure Fundamentals — 2–3 weeks
  2. AZ-104 Azure Administrator — 10 weeks
  3. AZ-500 Azure Security Engineer — 8 weeks
  4. SC-100 Cybersecurity Architect — 12 weeks (optional)

Google Cloud Path

  1. Associate Cloud Engineer — 10 weeks
  2. Professional Cloud Architect — 12 weeks
  3. Professional Cloud Security Engineer — 10 weeks

Free study resources

Study tools · Active recall · AWS / Azure

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.

Explore other certification tracks

← All Certifications Cisco Prep → ISACA Prep →
AWS SAA-C03 · Solutions Architect Associate

Practice Questions — AWS Solutions Architect

AWS SAA-C03 questions test architectural judgment — selecting the most cost-effective, highly available, and secure solution from a set of plausible options. Focus on understanding when to use each service, not just what it does.

1. A company hosts a web application that experiences predictable traffic spikes every weekday at 9 AM and drops to minimal traffic overnight. Which AWS Auto Scaling strategy provides the MOST cost-effective solution?

  • A) Dynamic scaling based on CPU utilisation
  • B) Scheduled scaling — increase capacity before 9 AM, reduce after peak
  • C) Predictive scaling using machine learning on historical data
  • D) Maintain peak capacity at all times to guarantee availability
Answer: B When traffic patterns are predictable, scheduled scaling is the most cost-effective approach — you scale out before the spike and scale in after, avoiding the lag inherent in reactive scaling. Predictive scaling (C) is also appropriate for predictable patterns but requires historical data and is more complex to configure. Dynamic scaling (A) reacts after demand changes, causing temporary under-provisioning. Always-on peak capacity (D) wastes money during off-peak hours.

2. An application stores frequently accessed data that must be available within milliseconds and can tolerate some data loss if a failure occurs. Which AWS storage option BEST meets these requirements?

  • A) Amazon S3 Standard
  • B) Amazon ElastiCache for Redis
  • C) Amazon EFS (Elastic File System)
  • D) Amazon DynamoDB
Answer: B ElastiCache for Redis provides in-memory data storage with sub-millisecond latency — ideal for session stores, caching, leaderboards, and real-time analytics. The "tolerate some data loss" clause signals that in-memory caching (which is volatile) is acceptable. DynamoDB (D) provides single-digit millisecond latency but persists data (would work but is more expensive and over-engineered for pure caching). S3 (A) provides high durability but latency in tens of milliseconds minimum.

3. A company needs to connect its on-premises data centre to AWS with a dedicated, private connection that provides consistent network performance and does not traverse the public internet. Which service should they use?

  • A) AWS Site-to-Site VPN
  • B) AWS Transit Gateway
  • C) AWS Direct Connect
  • D) AWS PrivateLink
Answer: C AWS Direct Connect provides a dedicated private network connection from on-premises to AWS, bypassing the public internet entirely. This delivers consistent bandwidth, lower latency, and reduced data transfer costs compared to internet-based connectivity. Site-to-Site VPN (A) uses the public internet — good for backup connectivity but does not provide consistent performance. Transit Gateway (B) is a routing hub — it works with Direct Connect or VPN. PrivateLink (D) enables private connectivity to AWS services within VPCs.

4. A security team needs to detect EC2 instances communicating with known malware command-and-control IP addresses and identify unusual API calls in CloudTrail. Which AWS service provides this capability?

  • A) AWS Config
  • B) Amazon Inspector
  • C) Amazon GuardDuty
  • D) AWS Security Hub
Answer: C Amazon GuardDuty is a threat detection service that analyses VPC Flow Logs, CloudTrail events, and DNS logs using machine learning and threat intelligence. It detects EC2 instances communicating with C2 infrastructure, unusual API calls, credential misuse, and cryptocurrency mining — without requiring agents or changes to existing workflows. Inspector (B) assesses EC2 vulnerability exposure but doesn't detect active threats. Config (A) assesses configuration compliance. Security Hub (D) aggregates findings from GuardDuty and other services.

5. A company wants to serve static website content globally with low latency. The content is stored in an S3 bucket. Which architecture achieves the LOWEST latency for global users at the LOWEST cost?

  • A) Use S3 Transfer Acceleration on the origin bucket
  • B) Deploy an Application Load Balancer in front of the S3 bucket
  • C) Place Amazon CloudFront in front of the S3 bucket with caching
  • D) Replicate the S3 bucket to all AWS regions
Answer: C Amazon CloudFront serves content from 400+ edge locations worldwide, caching static content close to users and dramatically reducing latency compared to serving directly from S3. CloudFront also reduces S3 data transfer costs because cached content is served from edge nodes. S3 Transfer Acceleration (A) optimises uploads to S3, not downloads. Multi-region replication (D) is expensive and complex. ALB (B) adds unnecessary cost and complexity for purely static content.
AZ-104 & AZ-500 sample questions

Practice Questions — Azure Administrator & Security Engineer

Azure questions are heavily scenario-based. Identify the specific requirement or constraint (cost, role, compliance, tool) before selecting the answer — Microsoft often tests whether you know the right tool rather than whether any tool technically works.

1. (AZ-104) An administrator needs to deploy 50 identical virtual machines with the same OS, configuration, and installed software. Which approach requires the LEAST administrative effort?

  • A) Deploy one VM, configure it, then copy the VHD manually 49 times
  • B) Create a custom VM image and deploy VMs from it using a VM Scale Set or ARM template
  • C) Use Azure Automation to run a configuration script on each VM after deployment
  • D) Clone the VM 49 times using the Azure portal
Answer: B Creating a custom generalised image (sysprepped for Windows, deprovision for Linux) and deploying from it via VM Scale Sets or ARM/Bicep templates is the correct enterprise pattern. The image captures the OS state, configuration, and software — ensuring all 50 VMs are identical at deployment with minimal effort. Azure Automation (C) works but adds post-deployment configuration complexity and drift risk.

2. (AZ-500) You need to ensure that all Azure Storage accounts in a subscription use HTTPS only and do not allow public blob access. What is the MOST efficient approach to enforce and audit this?

  • A) Manually configure each storage account through the Azure portal
  • B) Create Azure Policy definitions to audit and enforce HTTPS-only and no public blob access, then assign to the subscription
  • C) Use Azure Monitor alerts to detect non-compliant storage accounts
  • D) Enable Microsoft Defender for Storage on all accounts
Answer: B Azure Policy provides scalable governance — built-in policies like "Secure transfer to storage accounts should be enabled" and "Storage account public access should be disallowed" can be assigned at subscription scope, automatically auditing existing resources and preventing non-compliant new deployments. Azure Monitor (C) can detect issues but cannot enforce or prevent them. Defender for Storage (D) detects threats, not configuration compliance.

3. (AZ-500) A user reports they can access a resource group but cannot create or delete resources within it. They are assigned the Reader role at subscription scope. The security team wants to grant minimum necessary permissions to create VMs in a specific resource group only. Which role assignment is correct?

  • A) Assign Contributor at subscription scope
  • B) Assign Virtual Machine Contributor at the specific resource group scope
  • C) Assign Owner at the specific resource group scope
  • D) Remove the Reader role and assign Contributor at resource group scope
Answer: B The Virtual Machine Contributor built-in role grants permissions to create and manage VMs without granting access to the virtual network or storage account it is connected to (those must be separately granted). Assigning it at the specific resource group scope limits the blast radius. Assigning Contributor at subscription scope (A) is over-privileged. Owner (C) is excessive — it includes the ability to assign roles.
GCP Associate Cloud Engineer & Professional Cloud Security Engineer

Practice Questions — Google Cloud (GCP)

Google Cloud certifications emphasise project structure, IAM hierarchy, and Google-specific services (Cloud Run, GKE, BigQuery, Cloud Storage). Many questions hinge on understanding GCP's resource hierarchy: Organization → Folders → Projects → Resources.

1. An organisation wants to centrally manage billing and apply security policies across all GCP projects. Which resource hierarchy element should be configured FIRST?

  • A) Create projects with shared billing accounts
  • B) Set up a Google Cloud Organization linked to a Cloud Identity domain
  • C) Apply organisation-level IAM policies on individual projects
  • D) Use a single project to contain all resources
Answer: B The Google Cloud Organization is the root of the GCP resource hierarchy. It must be set up first (linked to Google Workspace or Cloud Identity) before folders, projects, and centralised policies can be created. Once an Organization exists, you can apply Organization Policies (constraints like "block public IPs on VMs") and IAM policies that inherit downward to all projects. Without an Organization, projects exist as orphans with no centralised control.

2. A team needs to deploy a containerised application that scales from zero to thousands of requests per second, with no infrastructure management. Which GCP service is the BEST fit?

  • A) Google Kubernetes Engine (GKE) Standard
  • B) Compute Engine with managed instance groups
  • C) Cloud Run (fully managed)
  • D) App Engine Standard
Answer: C Cloud Run is GCP's serverless container platform — deploy a container image, and Cloud Run scales it from zero to thousands of concurrent requests automatically with per-request billing. No cluster management. GKE Standard (A) requires cluster operations. GKE Autopilot is a closer option but Cloud Run is purpose-built for stateless HTTP services. App Engine (D) supports specific runtimes and is less flexible than containers. Cloud Run is the default modern choice for HTTP/gRPC microservices in GCP.

3. A security engineer needs to ensure that a service account used by an application has the LEAST privilege necessary to read objects from a specific Cloud Storage bucket. Which IAM role assignment is correct?

  • A) Grant the service account roles/owner on the project
  • B) Grant the service account roles/storage.admin on the project
  • C) Grant the service account roles/storage.objectViewer on the specific bucket
  • D) Grant the service account roles/editor on the project
Answer: C roles/storage.objectViewer grants read-only access to objects in a bucket — the minimum needed. Apply at the bucket level rather than project level to restrict scope. Primitive roles (Owner, Editor, Viewer) are heavily over-privileged and Google recommends against them in production. GCP IAM best practice: prefer predefined roles over primitive roles; prefer custom roles when predefined roles include unnecessary permissions; apply at the lowest scope necessary.

4. (Professional Cloud Security Engineer) An organisation must ensure that customer data in BigQuery is encrypted with keys that the cloud provider cannot access. Which feature enables this?

  • A) Google-managed encryption keys (default)
  • B) Customer-Managed Encryption Keys (CMEK) using Cloud KMS
  • C) Customer-Supplied Encryption Keys (CSEK) with external key management
  • D) Cloud External Key Manager (Cloud EKM) — keys held in a third-party HSM outside Google's infrastructure
Answer: D Cloud EKM lets customers store encryption keys with a third-party key management provider (Thales, Fortanix, Equinix SmartKey, Virtru) outside Google's infrastructure. Google calls the external provider for encrypt/decrypt operations, so Google never has access to the actual key material. This provides "hold your own key" (HYOK) for regulated workloads. CMEK (B) gives customer control but keys reside in Google Cloud KMS — Google has theoretical access. CSEK (C) is being deprecated in favour of CMEK and EKM.

5. A workload running on a GKE pod needs to authenticate to Cloud Storage without using embedded service account keys. Which GCP feature should be used?

  • A) Hardcode the service account JSON key file in the container image
  • B) Workload Identity — bind a Kubernetes Service Account to a Google Service Account
  • C) Pass the service account key as an environment variable
  • D) Store the key in a Kubernetes Secret
Answer: B Workload Identity is the GKE-recommended pattern for granting GCP API access to pods without embedded credentials. Map a Kubernetes Service Account to a Google Service Account via an annotation. Pods using that KSA automatically obtain short-lived credentials through the metadata server. Eliminates long-lived service account keys — a top cause of GCP credential compromise. The exam consistently rewards Workload Identity as the answer for pod-to-GCP authentication scenarios.
Common questions

Cloud Certification FAQ

Which cloud certification should I start with?

For AWS: Start with AWS Cloud Practitioner (CLF-C02) if you are non-technical or new to AWS; skip to Solutions Architect Associate (SAA-C03) if you have IT experience. For Azure: AZ-900 is the lightweight entry point; AZ-104 is the first technical credential. For GCP: Cloud Digital Leader for non-technical roles, Associate Cloud Engineer for hands-on practitioners.

Is AZ-104 harder than AWS SAA-C03?

Both are intermediate associate-level credentials. AZ-104 is more operationally focused — configuring and managing Azure resources including VMs, networking, storage, and identity. AWS SAA-C03 emphasises architectural reasoning — designing resilient, scalable, cost-effective solutions. Most candidates report AZ-104 requires more memorisation of Azure-specific services while SAA-C03 requires stronger architectural judgment.

How do I prepare for the AWS Security Specialty?

The AWS Certified Security – Specialty (SCS-C02) requires deep knowledge of IAM policies, KMS, CloudTrail, GuardDuty, Security Hub, WAF, Shield, Secrets Manager, and incident response in AWS. Candidates should have SAA-C03 or equivalent and 2+ years of AWS security hands-on experience. Start with the free AWS Skill Builder Security learning plan, the AWS security documentation hub, and the AWS Security Whitepaper (free PDF).

Do cloud certifications expire?

Yes. Most cloud certifications are valid for 3 years (AWS, Azure, GCP all use 3-year cycles). AWS requires recertification by passing the current exam. Azure allows recertification through a free online renewal assessment available 6 months before expiry. GCP requires passing the current exam. Cloud technology evolves rapidly, so renewal exams are updated significantly and require active study.

Interactive · Timed · Fully explained

Interactive Practice Exam — AWS Solutions Architect Associate (SAA-C03)

Eighteen scenario-based items that mirror the SAA-C03 preference for "most cost-effective", "most resilient", and "least operational overhead" phrasing. Each item explains the AWS Well-Architected Framework principle behind the right choice and links to the official AWS documentation.

Loading the interactive practice exam… If it does not load, ensure JavaScript is enabled.

Case study · Apply Well-Architected thinking

Real-World Walkthrough: The 2019 Capital One Breach (AWS)

This breach is required reading for every AWS Solutions Architect Associate candidate — it is one extended question on least privilege, IMDS, WAF, encryption, and detective controls.

Timeline

  • March 22 – 23, 2019: A former AWS employee exploits a Server-Side Request Forgery (SSRF) vulnerability in a Capital One web application firewall (ModSecurity behind a reverse proxy). The SSRF retrieves credentials from the EC2 Instance Metadata Service (IMDSv1) — a role with broad S3 access.
  • April 21, 2019: Using the harvested role credentials, the attacker lists ~700 S3 buckets and exfiltrates ~30 GB of data from buckets containing credit card applications (2005–2019): ~106 million records including names, addresses, SSNs (~140,000), Canadian SINs (~1M), and ~80,000 bank account numbers.
  • July 17 – 19, 2019: Attacker posts about the breach on GitHub and Slack. A responsible-disclosure tip reaches Capital One via their bug-bounty channel.
  • July 29, 2019: FBI arrests the attacker. Capital One publicly discloses. Final cost: $80M OCC fine, $190M class-action settlement, accelerated cloud-security investment.

Map to AWS SAA-C03 (and SCS-C02 Security Specialty)

  • IAM least privilege: The compromised role had read access to many buckets rather than just the one needed. Use IAM Access Analyzer + Resource-based policies + conditions like aws:SourceVpc.
  • IMDSv2 (mandatory): IMDSv1 was vulnerable to SSRF retrieval. IMDSv2 requires a token-bearing PUT request that the SSRF could not forge. AWS now strongly recommends IMDSv2-only on every new EC2.
  • VPC architecture: The host did not need outbound internet — limiting egress with VPC Endpoints for S3 would have neutralised exfiltration without removing functionality.
  • WAF: The proxy-level WAF had an SSRF-permissive rule. Modern AWS WAF managed rule sets explicitly cover SSRF patterns.
  • Encryption: Data was encrypted at rest with KMS — but the role used had legitimate decrypt access. Encryption is necessary but never sufficient; pair with key policy conditions (caller VPC, MFA-context).
  • Detective controls: CloudTrail logged the abnormal API calls (list buckets, large GetObject). GuardDuty + macie + custom CloudWatch metrics would have alerted. Why didn't they? Logs existed but alerting thresholds didn't trigger on legitimate-shaped traffic from a legitimate role.
  • Blast radius reduction: Account-per-environment with SCPs, cross-account roles with explicit trust policies, and Object Lock on PII buckets are now baselines.
  • Well-Architected Security Pillar: Every control above maps to a design principle: identity, traceability, defence in depth, encryption, automation.
Free & reputable only · Verified links

Helpful Materials — Cloud Certifications

A focused list for AWS, Azure, and GCP candidates. Every resource below is free or free-tier. The single most important activity for cloud certs is hands-on practice in the actual consoles — use free tiers and sandbox credits generously.

Quick reference · AWS SAA-C03 favourites

AWS Cheatsheet

The AWS service decisions you must know cold.

Compute selection

  • EC2 + ASG + ALB — long-running stateless web tiers
  • Lambda — event-driven, short tasks (<15 min)
  • Fargate (ECS/EKS) — containers without managing nodes
  • Spot — interruption-tolerant batch (up to 90% off)
  • Savings Plans / RIs — steady-state workloads

Database selection

  • RDS — relational, Multi-AZ for HA, Read Replicas for scale-reads
  • Aurora — cloud-native; up to 15 read replicas; Global Database for <1s cross-region
  • DynamoDB — single-digit-ms NoSQL; Global Tables for multi-region active-active
  • ElastiCache — Redis (richer) or Memcached
  • Redshift — data warehouse

Storage classes (S3)

  • Standard (frequent), Intelligent-Tiering (auto)
  • Standard-IA (≥30 days, infrequent)
  • One Zone-IA (cheaper, single AZ)
  • Glacier Instant / Flexible / Deep Archive (cold)

Networking patterns

  • Public subnet — IGW route 0.0.0.0/0
  • Private subnet — egress via NAT Gateway
  • Service traffic — VPC Endpoints (Gateway: S3/DDB; Interface: most)
  • Cross-VPC — Peering (no transit) or Transit Gateway (hub)
  • Hybrid — Direct Connect (dedicated) or Site-to-Site VPN

Security & identity

  • IAM roles (never long-lived keys), IMDSv2 mandatory
  • KMS CMKs with rotation, Secrets Manager for credential rotation
  • CloudTrail to S3 + Object Lock + log-archive account
  • GuardDuty + Security Hub + Inspector + Macie
  • WAF on ALB / CloudFront / API Gateway for L7 protection