The 10 Most Misunderstood AWS Exam Concepts – And How to Finally Get Them Right
Struggling with AWS exam questions on IAM, VPCs, S3 consistency, or RDS failover? Here are the 10 concepts that trip up even experienced engineers, explained clearly with real architectural context.

Most AWS exam mistakes don’t come from topics you never studied. They come from topics you thought you understood. Below are ten concepts that reliably produce this problem – not because they’re obscure, but because common explanations are incomplete or the exam tests a nuance most materials gloss over.
Rank 1 of 10 – IAM: Identity‑Based vs. Resource‑Based Policies
Identity‑based policies attach to IAM principals (users, groups, roles) and define what they can do.
Resource‑based policies attach to resources (S3 buckets, SQS queues, KMS keys) and define who can access them.
For cross‑account access, you typically need both – the resource‑based policy must grant access to the external account, and the identity‑based policy must permit the action. Exception: a resource‑based policy can delegate trust directly to a principal in another account, eliminating the need for an explicit identity policy.
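The evaluation rule above, as an added example rather than AWS code: a toy evaluator that applies the documented decision logic (an explicit Deny in either policy wins; a same-account request needs an Allow in either policy; a cross-account request needs an Allow in both). It models only that general rule, not the trust-delegation exception mentioned above. Wildcards use `fnmatch`, conditions are ignored, and every ARN, account ID and policy document is constructed for the example.

```python
"""Toy evaluator for identity-based vs. resource-based policy decisions.

Added example, not AWS code. Explicit Deny wins; same-account needs an
Allow in EITHER policy; cross-account needs an Allow in BOTH. Conditions
are ignored and all ARNs/policies are constructed.
"""
from __future__ import annotations
from fnmatch import fnmatchcase
from typing import Optional

# Constructed ARNs: the bucket lives in account 1111..., the partner role in 2222...
BUCKET_ACCOUNT = "111111111111"
ROLE_SAME = "arn:aws:iam::111111111111:role/reporting"
ROLE_PARTNER = "arn:aws:iam::222222222222:role/partner"
OBJECTS = "arn:aws:s3:::example-bucket/*"
REPORT = "arn:aws:s3:::example-bucket/report.csv"


def account_of(principal_arn: str) -> str:
    """Account ID is the fifth colon-separated field of an IAM ARN."""
    return principal_arn.split(":")[4]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principal_covers(principal_block, principal: str) -> bool:
    """Principal matches if named directly, via its account root, or via '*'."""
    if principal_block is None or principal_block == "*":
        return True                        # no Principal element = identity policy
    allowed = _as_list(principal_block.get("AWS", []))
    root = f"arn:aws:iam::{account_of(principal)}:root"
    return "*" in allowed or principal in allowed or root in allowed


def matching_effects(policy: Optional[dict], principal: str, action: str, resource: str) -> set:
    """Effects of every statement whose Action, Resource and Principal cover the request."""
    effects = set()
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _principal_covers(stmt.get("Principal"), principal)):
            effects.add(stmt["Effect"])
    return effects


def is_allowed(principal: str, action: str, resource: str, resource_account: str,
               identity_policy: Optional[dict], resource_policy: Optional[dict]) -> bool:
    """Apply the same-account / cross-account rule."""
    ident = matching_effects(identity_policy, principal, action, resource)
    res = matching_effects(resource_policy, principal, action, resource)
    if "Deny" in ident or "Deny" in res:
        return False                       # explicit deny always wins
    if account_of(principal) == resource_account:
        return "Allow" in ident or "Allow" in res
    return "Allow" in ident and "Allow" in res   # cross-account: both needed


# Constructed policy documents
IDENTITY_GET = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": OBJECTS}]}
BUCKET_TRUSTS_ROLE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_PARTNER},
                                     "Action": "s3:GetObject", "Resource": OBJECTS}]}
BUCKET_TRUSTS_ACCOUNT = {"Statement": [{"Effect": "Allow",
                                        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                        "Action": "s3:GetObject", "Resource": OBJECTS}]}
BUCKET_DENY_ALL = {"Statement": [{"Effect": "Deny", "Principal": "*",
                                  "Action": "s3:*", "Resource": OBJECTS}]}


def scenarios() -> dict:
    """Outcomes a practitioner should be able to predict before reading the answer."""
    get = "s3:GetObject"
    return {
        "same-account, identity allow only":
            is_allowed(ROLE_SAME, get, REPORT, BUCKET_ACCOUNT, IDENTITY_GET, None),
        "cross-account, bucket policy only":
            is_allowed(ROLE_PARTNER, get, REPORT, BUCKET_ACCOUNT, None, BUCKET_TRUSTS_ROLE),
        "cross-account, identity policy only":
            is_allowed(ROLE_PARTNER, get, REPORT, BUCKET_ACCOUNT, IDENTITY_GET, None),
        "cross-account, both":
            is_allowed(ROLE_PARTNER, get, REPORT, BUCKET_ACCOUNT, IDENTITY_GET, BUCKET_TRUSTS_ROLE),
        "cross-account, account root trusted + identity allow":
            is_allowed(ROLE_PARTNER, get, REPORT, BUCKET_ACCOUNT, IDENTITY_GET, BUCKET_TRUSTS_ACCOUNT),
        "explicit deny beats both allows":
            is_allowed(ROLE_SAME, get, REPORT, BUCKET_ACCOUNT, IDENTITY_GET, BUCKET_DENY_ALL),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The `account root trusted` case is the one worth remembering: a bucket policy that names `arn:aws:iam::ACCOUNT:root` only opens the door to that account, and the trusted account still has to hand the permission to a specific role through an identity-based policy.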
Rank 2 of 10 – S3 Consistency: What “Strong Consistency” Actually Means
Since late 2020, S3 provides strong read‑after‑write consistency for all operations in all regions. After a PUT, any GET returns the new object; after a DELETE, GET returns 404; LIST reflects completed writes.
What this does not mean: S3 is now a strongly consistent database for read‑modify‑write loops. Concurrent writes or atomic operations are not supported. For true transactional needs, look elsewhere.
Rank 3 of 10 – RDS Multi‑AZ vs. Read Replicas
Multi‑AZ = high availability. Synchronous standby in another AZ. Automatic failover. Standby is not accessible for reads.
Read Replicas = read scaling. Asynchronous replication. No automatic failover (manual promotion only). Can have multiple replicas.
Multi‑AZ is for surviving failures. Read Replicas are for surviving load. They are complementary.
Rank 4 of 10 – Security Groups vs. NACLs – Statefulness Is the Key
Security Groups are stateful. Allow inbound = return traffic automatically permitted. No explicit deny rules.
Network ACLs are stateless. Need separate inbound and outbound rules for ephemeral ports (1024‑65535). They support explicit deny rules.
Troubleshooting hint: if inbound looks right but responses don’t return, suspect missing NACL outbound rule.
Rank 5 of 10 – SQS Visibility Timeout: Not a Delivery Guarantee
When a consumer reads a message, it becomes invisible for the visibility timeout. If processing succeeds, the consumer deletes it. If it fails or timeout expires, the message becomes visible again.
This is at‑least‑once, not exactly‑once. Long visibility timeouts delay retries of failed messages. For exactly‑once, use FIFO queues with deduplication IDs.
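The receive/delete cycle above on a simulated in-memory queue, as an added example (not the SQS client or API): a consumer that performs its side effect and then dies before calling delete sees the message again once the visibility timeout lapses, a longer timeout only postpones that second delivery, and a deduplication ID collapses duplicate sends the way a FIFO queue does. The clock is simulated and the 5-minute deduplication window is an assumption of the example.

```python
"""Visibility timeout and deduplication on a tiny in-memory queue.

Added example, not the SQS client. The clock is simulated and the
deduplication window is assumed.
"""
import itertools
from dataclasses import dataclass

DEDUP_WINDOW = 300.0   # seconds; assumed for this example


@dataclass
class Message:
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0


class Queue:
    def __init__(self, visibility_timeout: float):
        self.visibility_timeout = visibility_timeout
        self.clock = 0.0
        self.messages = {}      # message id -> Message, in arrival order
        self.dedup = {}         # deduplication id -> (message id, time sent)
        self._ids = itertools.count(1)

    def send(self, body: str, dedup_id: str = None) -> str:
        """Enqueue; a repeated dedup_id inside the window returns the original id instead."""
        if dedup_id is not None:
            prior = self.dedup.get(dedup_id)
            if prior and self.clock - prior[1] < DEDUP_WINDOW:
                return prior[0]
        mid = f"msg-{next(self._ids)}"
        self.messages[mid] = Message(body)
        if dedup_id is not None:
            self.dedup[dedup_id] = (mid, self.clock)
        return mid

    def receive(self):
        """First visible message, hidden for the timeout; None if nothing is visible."""
        for mid, msg in self.messages.items():
            if msg.invisible_until <= self.clock:
                msg.invisible_until = self.clock + self.visibility_timeout
                msg.receive_count += 1
                return mid, msg
        return None

    def delete(self, mid: str) -> None:
        self.messages.pop(mid, None)

    def advance(self, seconds: float) -> None:
        self.clock += seconds


def run_consumer(queue: Queue, crash_on_first_receive: bool = True) -> list:
    """Drain the queue. A 'crash' performs the side effect but never deletes.
    Returns (time, body) per side effect; the list length is the delivery count."""
    side_effects = []
    while queue.messages:
        got = queue.receive()
        if got is None:
            queue.advance(1.0)        # nothing visible yet: wait for the timeout
            continue
        mid, msg = got
        side_effects.append((queue.clock, msg.body))
        if crash_on_first_receive and msg.receive_count == 1:
            continue                  # died before DeleteMessage
        queue.delete(mid)
    return side_effects


if __name__ == "__main__":
    for timeout in (30.0, 300.0):
        q = Queue(timeout)
        q.send("charge order 42")     # constructed message
        effects = run_consumer(q)
        print(f"timeout={timeout:>5}s deliveries={len(effects)} retry at t={effects[-1][0]}s")
```

Two things follow from the run: the side effect "charge order 42" happens twice no matter which timeout is chosen, so the consumer has to be idempotent, and the retry moves from t=30 s to t=300 s with the longer timeout, which is the delay cost the text warns about.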
Rank 6 of 10 – VPC Peering vs. Transit Gateway
VPC Peering – direct, non‑transitive connection between two VPCs. Full mesh for 10 VPCs requires 45 connections.
Transit Gateway – regional hub that supports transitive routing and cross‑account connections. Scales linearly.
Use peering for 2‑3 VPCs with no growth. Use Transit Gateway for many VPCs or transitive routing needs.
Rank 7 of 10 – CloudFront Caching: Invalidation vs. TTL
To serve updated content immediately, you have two options:
- Invalidate the object in cache (costs after first 1,000 paths/month)
- Version filenames (new file = new cache key)
Reducing TTL helps for future updates, but does nothing for content already cached. Versioned filenames are the architectural solution.
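The three options compared on a simulated edge cache, as an added example that is not CloudFront code: an object stored under a long TTL keeps the expiry it was given at store time, so lowering the TTL afterwards does nothing for it; an invalidation evicts it; a versioned file name is a different cache key and misses on first request. The clock is simulated, the cache key is reduced to the path, and the 1,000 free invalidation paths per month come from the text.

```python
"""Edge cache with TTL, invalidation and versioned file names, simulated.

Added example, not CloudFront code. Cache key = path, clock is simulated,
free invalidation path count is taken from the text.
"""

FREE_INVALIDATION_PATHS = 1000   # per month, from the text


class EdgeCache:
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.entries = {}                # cache key -> (body, expires_at)
        self.clock = 0.0
        self.invalidated_paths = 0

    def get(self, path: str, origin: dict) -> tuple:
        """Return (body, 'hit' | 'miss'), fetching from the origin on a miss."""
        cached = self.entries.get(path)
        if cached and cached[1] > self.clock:
            return cached[0], "hit"
        body = origin[path]
        self.entries[path] = (body, self.clock + self.ttl)   # expiry fixed at store time
        return body, "miss"

    def set_ttl(self, ttl_seconds: float) -> None:
        """A new TTL applies only to objects stored from now on."""
        self.ttl = ttl_seconds

    def invalidate(self, path: str) -> None:
        self.entries.pop(path, None)
        self.invalidated_paths += 1

    def billable_invalidation_paths(self) -> int:
        return max(0, self.invalidated_paths - FREE_INVALIDATION_PATHS)

    def advance(self, seconds: float) -> None:
        self.clock += seconds


def deploy_scenario() -> dict:
    """Ship a new app.js and observe what each option actually serves."""
    origin = {"/app.js": "v1"}                 # constructed origin content
    edge = EdgeCache(ttl_seconds=86400)
    first = edge.get("/app.js", origin)         # cached for a day
    edge.advance(60)
    origin["/app.js"] = "v2"                    # new deploy at the origin
    edge.set_ttl(60)                            # option 0: lower the TTL
    edge.advance(120)                           # well past the new TTL
    after_ttl_change = edge.get("/app.js", origin)
    edge.invalidate("/app.js")                  # option 1: invalidate the path
    after_invalidation = edge.get("/app.js", origin)
    origin["/app.v2.js"] = "v2"                 # option 2: versioned file name
    versioned = edge.get("/app.v2.js", origin)
    return {"first": first, "after_ttl_change": after_ttl_change,
            "after_invalidation": after_invalidation, "versioned": versioned}


if __name__ == "__main__":
    for step, (body, outcome) in deploy_scenario().items():
        print(f"{step:<18} {outcome:<4} {body}")
```

The `after_ttl_change` line is the one the exam probes: two minutes after the TTL was cut to 60 seconds the edge still serves `v1` as a hit, because the object's expiry was set when it was stored.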
Rank 8 of 10 – Lambda Concurrency: Reserved vs. Provisioned
Reserved concurrency caps a function’s maximum concurrent executions, protecting it from other functions and limiting its own scale.
Provisioned concurrency pre‑initializes execution environments to eliminate cold starts (costs for idle capacity).
Cold start problem → provisioned concurrency. Need to guarantee or limit capacity → reserved concurrency.
Rank 9 of 10 – Aurora vs. RDS – Not Just “Aurora Is Better”
Aurora advantages: storage autoscaling (128 TB), 15 read replicas, faster failover, Serverless, Global Database.
But Aurora:
- Only MySQL and PostgreSQL – if the scenario specifies Oracle, SQL Server, or MariaDB, Aurora is off the table.
- Costs more than standard RDS for the same instance class.
Read the engine requirement carefully before picking Aurora.
Rank 10 of 10 – The Shared Responsibility Model – Where the Line Actually Is
The line depends on the service type:
- Infrastructure (EC2) – AWS: hypervisor, hardware. You: OS, patches, firewall, app, data.
- Managed (RDS) – AWS: OS, engine patching, infra. You: DB config, access controls, encryption settings, data.
- Abstracted (S3, Lambda) – AWS: everything below the API. You: access policies, encryption settings, code/data.
A question asking “Who patches the RDS OS?” – answer is AWS. Don’t apply the EC2 model to managed services.
How to Use This List
For each concept, ask yourself:
- Can I explain the distinction in my own words?
- Can I describe a scenario where the wrong answer seems plausible?
- Which exam domains test this?
The most effective reinforcement is scenario‑based practice – not flashcards, but realistic questions that force you to choose between similar options. That’s what ExamOS provides: daily scenario practice that makes these distinctions second nature.
Exam Mapping
The table shows how important each concept is for the different certifications.
| Topic | Architect | Developer | CloudOps |
|---|---|---|---|
| IAM: Identity vs Resource Policies | High | High | Medium |
| S3 Strong Consistency | Medium | High | Medium |
| RDS Multi-AZ vs Read Replicas | High | Medium | High |
| Security Groups vs NACLs | High | Medium | High |
| SQS Visibility Timeout | Medium | High | Medium |
| VPC Peering vs Transit Gateway | High | Low | High |
| CloudFront Invalidation vs TTL | Medium | Medium | Low |
| Lambda Reserved vs Provisioned Concurrency | Medium | High | Medium |
| Aurora vs RDS Tradeoffs | High | Medium | Medium |
| Shared Responsibility Model | Medium | Medium | High |
Legend:
- High = commonly tested and conceptually important
- Medium = appears regularly but usually not a primary domain focus
- Low = possible but less emphasized
The Pattern Underneath
Every concept here is a pair of things that look similar but solve different problems. Multi‑AZ vs. Read Replicas. Reserved vs. Provisioned concurrency. Identity‑based vs. resource‑based policies.
The skill isn’t knowing what each does. It’s knowing when to use which one – and being able to defend the choice. Build that skill, and the exam (and the job) takes care of itself.