Serverless Computing: Lambda, API Gateway, and Event-Driven Architecture
AWS Lambda runs your code without you managing servers — you pay only for the compute time your function uses (measured in GB-seconds). Lambda execution model: an invocation triggers the function, the runtime initialises (cold start — up to several seconds for large runtimes), the handler function runs, the response is returned, and the execution context may be retained for subsequent invocations (warm start — much faster). Optimise cold starts: use smaller deployment packages, choose a runtime with fast initialisation (Node.js, Python), enable Provisioned Concurrency for latency-critical functions. Lambda concurrency: soft limit of 1000 concurrent executions per region (adjustable), reserved concurrency guarantees a function's allocation, unreserved concurrency is shared across all functions. API Gateway sits in front of Lambda for HTTP triggers: REST API (full feature set), HTTP API (simpler, cheaper, lower latency), WebSocket API (bidirectional real-time communication). Throttling: 10,000 requests per second default regional limit, 5,000 burst — use Lambda throttling and API Gateway usage plans to protect backend services.
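The handler below is an added example (not code from these notes or from AWS) of a Lambda function behind an HTTP API, showing the API Gateway proxy response shape and how module-level state survives between warm invocations in the same execution context. The event shape is the HTTP API payload format v2 trimmed to the fields used; the environment variable name and sample event are constructed.

```python
import json
import os
import uuid

# Module scope runs once per execution context (the cold-start cost). Anything
# created here, e.g. config, SDK clients, connections, is reused by warm invocations.
CONTEXT_ID = uuid.uuid4().hex                              # same value for every warm call
TABLE_NAME = os.environ.get("TABLE_NAME", "demo-table")    # constructed default
_invocations = 0                                           # calls served by this context


def _response(status: int, body: dict) -> dict:
    """Shape the proxy integration expects: statusCode, headers, string body."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event: dict, context=None) -> dict:
    """Lambda handler for an HTTP API (payload format v2) GET request."""
    global _invocations
    _invocations += 1
    method = event.get("requestContext", {}).get("http", {}).get("method", "GET")
    if method != "GET":
        return _response(405, {"error": "method not allowed"})
    params = event.get("queryStringParameters") or {}   # key is absent with no query string
    name = str(params.get("name", "world"))[:64]         # bound untrusted input length
    return _response(200, {"message": f"hello {name}",
                           "table": TABLE_NAME,
                           "contextId": CONTEXT_ID,
                           "warm": _invocations > 1})    # False on the first call only


def invocations_served() -> int:
    return _invocations


# Constructed sample event in HTTP API payload format v2 (only the fields used).
SAMPLE_EVENT = {"requestContext": {"http": {"method": "GET"}},
                "queryStringParameters": {"name": "dva"}}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))   # "warm": false
    print(handler(SAMPLE_EVENT))   # "warm": true, same contextId
```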
DynamoDB: Data Modelling and Performance
DynamoDB is AWS's managed NoSQL database and a core DVA-C02 topic. Data model: each item (row) must have a primary key — simple (partition key only) or composite (partition key + sort key). Partition key design is critical for performance: data is distributed across partitions by hashing the partition key — uneven distribution causes hot partitions (one partition handles all traffic while others sit idle). Best practice: use high-cardinality keys, add a random suffix for write-heavy tables, use write sharding for burst scenarios. GSI (Global Secondary Index): alternate access pattern with a different partition and sort key — eventually consistent, billed separately. LSI (Local Secondary Index): same partition key, different sort key — strongly consistent, must be defined at table creation. Capacity modes: Provisioned (set Read/Write Capacity Units — use Auto Scaling), On-Demand (pay-per-request, scales automatically — more expensive at predictable high volume). DynamoDB Streams: ordered log of item changes — triggers Lambda for real-time processing (event-driven architecture).
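The following is an added example (not from these notes) that models the hot-partition problem and the write-sharding fix described above. Partition placement is simulated with a SHA-256 hash of the key; DynamoDB's real internal hash is not exposed, and the partition and shard counts are constructed.

```python
import hashlib
from collections import Counter

N_PARTITIONS = 8   # constructed: physical partitions in the model
N_SHARDS = 10      # constructed: logical shards per hot partition key


def partition_of(partition_key: str, n_partitions: int = N_PARTITIONS) -> int:
    """Deterministic stand-in for DynamoDB's internal partition hashing."""
    digest = hashlib.sha256(partition_key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_partitions


def sharded_key(base_key: str, item_id: str, n_shards: int = N_SHARDS) -> str:
    """Write sharding: append a suffix so writes for one logical key fan out.
    The suffix is derived from the item id (a random one works too, but a
    derived suffix lets a reader recompute exactly which shard holds an item)."""
    shard = int(hashlib.sha256(item_id.encode()).hexdigest(), 16) % n_shards
    return f"{base_key}#{shard}"


def shard_keys(base_key: str, n_shards: int = N_SHARDS) -> list:
    """Reading a sharded key back means querying every shard and merging."""
    return [f"{base_key}#{s}" for s in range(n_shards)]


def partition_load(keys) -> Counter:
    """Writes landing on each modelled partition; the max is the hottest one."""
    return Counter(partition_of(k) for k in keys)


# Constructed workload: 1,000 events all written under today's date, the classic
# low-cardinality, time-based key that funnels every write into one partition.
EVENTS = [("2024-06-01", f"evt-{i:04d}") for i in range(1000)]

if __name__ == "__main__":
    hot = partition_load([date for date, _ in EVENTS])
    cool = partition_load([sharded_key(date, eid) for date, eid in EVENTS])
    print("unsharded: partitions used", len(hot), "max load", max(hot.values()))
    print("sharded:   partitions used", len(cool), "max load", max(cool.values()))
    print("keys to query back:", shard_keys("2024-06-01"))
```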
SQS, SNS, and EventBridge: Decoupling Services
Decoupling is a fundamental cloud-native pattern — services should not depend directly on each other's availability. SQS (Simple Queue Service): message queue for point-to-point async communication. Standard queues: nearly unlimited throughput, at-least-once delivery, best-effort ordering. FIFO queues: exactly-once processing, 3,000 messages/second with batching, strict ordering within message groups. Key concepts: visibility timeout (message hidden from other consumers while being processed — set longer than max processing time), dead-letter queue (DLQ — receives messages that fail processing after maxReceiveCount attempts), long polling (reduces empty API calls — poll for up to 20 seconds). SNS (Simple Notification Service): pub/sub fanout — one message to a topic, delivered to all subscribed endpoints (SQS queues, Lambda, HTTP, email, SMS). EventBridge: event bus with routing rules — route events from AWS services, your applications, or SaaS partners to specific targets based on event pattern matching. EventBridge is preferred over SNS for complex routing and cross-account event architectures.
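To make the visibility timeout and dead-letter redrive semantics concrete, here is an added example (not from these notes and not the SQS API) that models a queue in memory with a simulated clock: a received message is hidden until the timeout expires, reappears if the consumer never deletes it, and is redriven to the DLQ once it has been received maxReceiveCount times. Class and method names are mine.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0   # simulated time until which the message is hidden


@dataclass
class Queue:
    visibility_timeout: float = 30.0   # seconds a received message stays hidden
    max_receive_count: int = 3         # redrive policy: beyond this, move to the DLQ
    messages: list = field(default_factory=list)
    dlq: list = field(default_factory=list)
    clock: float = 0.0                 # simulated time, advanced by the caller

    def send(self, body: str) -> None:
        self.messages.append(Message(body))

    def receive(self):
        """First visible message, hidden for visibility_timeout; poison ones go to DLQ."""
        for m in list(self.messages):
            if m.invisible_until > self.clock:
                continue                         # another consumer still holds it
            if m.receive_count >= self.max_receive_count:
                self.messages.remove(m)          # exceeded maxReceiveCount: redrive
                self.dlq.append(m)
                continue
            m.receive_count += 1
            m.invisible_until = self.clock + self.visibility_timeout
            return m
        return None

    def delete(self, m: Message) -> None:
        """Consumer succeeded: delete inside the window, or the message reappears."""
        self.messages.remove(m)

    def advance(self, seconds: float) -> None:
        self.clock += seconds


def run_poison_scenario() -> dict:
    """Consumer that handles 'good' but never finishes 'bad' (timeout set too short)."""
    q = Queue(visibility_timeout=30, max_receive_count=3)
    q.send("good")
    q.send("bad")
    while (m := q.receive()) is not None:
        if m.body == "good":
            q.delete(m)
        q.advance(31)   # visibility window expires; 'bad' was never deleted
    return {"remaining": [m.body for m in q.messages],
            "dlq": [(m.body, m.receive_count) for m in q.dlq]}
```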
IAM, Authentication, and Security for Developers
Developers must understand IAM deeply. IAM policies: JSON documents with Effect, Action, Resource, Condition — explicit Deny always overrides Allow. Policy types: identity-based (attached to users, groups, roles), resource-based (attached to resources like S3 buckets, Lambda functions — enables cross-account access), permission boundaries (set maximum permissions a role can have — used to delegate admin safely). EC2 instance roles: attach IAM role to EC2 instance, applications retrieve temporary credentials from Instance Metadata Service (IMDS) — never hardcode credentials. Cognito for user authentication: User Pool (user directory, handles sign-up, sign-in, MFA, JWT tokens), Identity Pool (exchanges JWT tokens for temporary AWS credentials — enables direct AWS service access from mobile/web apps). Secrets Manager: store and rotate database passwords, API keys, and credentials — retrieve via SDK, not environment variables. Parameter Store: SSM Parameter Store for non-secret configuration — Standard tier (free), Advanced tier (higher throughput, policies).
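The evaluator below is an added example (not from these notes and not AWS's evaluation logic) of the two rules above: an explicit Deny in any matching statement overrides Allow, and with a permission boundary the request must be allowed by both the identity policy and the boundary. It is deliberately narrow: Action/Resource wildcards and the StringEquals condition operator only, with no resource-based or session policies; the policies and bucket names are constructed.

```python
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _stmt_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if the statement's Action, Resource and Condition all cover the request."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    # Only the StringEquals operator is modelled; every listed key must match.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(want):
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx=None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if _stmt_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(identity_policy, action, resource, boundary=None, ctx=None) -> bool:
    """With a boundary, both the identity policy and the boundary must Allow."""
    verdicts = [evaluate(identity_policy, action, resource, ctx)]
    if boundary is not None:
        verdicts.append(evaluate(boundary, action, resource, ctx))
    return all(v == "Allow" for v in verdicts)


# Constructed policies: S3 allowed only when the request targets eu-west-1, an
# explicit Deny on the payroll bucket, and a boundary capping the role at S3 read.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll-bucket/*"},
]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                           "Resource": "*"}]}
```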
CI/CD with AWS Developer Tools
AWS provides a complete CI/CD toolchain. CodeCommit: Git-compatible source control (being deprecated — migrate to GitHub or GitLab). CodeBuild: managed build service — compiles code, runs tests, produces deployment artifacts, defined in buildspec.yml. CodeDeploy: deployment automation — blue/green deployment (traffic shifts from old to new environment after health check), rolling deployment (replaces instances in batches), in-place deployment (deploy to existing instances, brief downtime). Deployment configurations: AllAtOnce (fast, highest risk), HalfAtATime (balanced), OneAtATime (slowest, safest). CodePipeline: orchestrates the full pipeline — source trigger > build > test > deploy stages, with approval gates for manual review steps. Elastic Beanstalk: PaaS wrapper around EC2, Auto Scaling, and ELB — you upload code, Beanstalk manages infrastructure. Deployment policies in Beanstalk: All at once, Rolling, Rolling with additional batch, Immutable, Blue/Green. CloudFormation: IaC for all AWS resources — templates in YAML or JSON, Change Sets preview changes before deployment.