Let’s be real: you don’t need another tutorial defining what an EC2 instance is. If you are targeting the AWS Certified Solutions Architect – Associate (SAA-C03), you likely already know the primitives. The SAA-C03 isn’t just a vocabulary test; it’s a test of your ability to arbitrate trade-offs under constraints.

This AWS SAA-C03 Cheat Sheet is “vibecoded”—stripped of the documentation fluff and optimized for the high-entropy concepts that actually trip up experienced engineers. We are focusing on the sharp edges: complex networking, consistency models, and the specific anti-patterns that AWS penalizes in exam scenarios.

1. Identity & Security: The Policy Evaluation Logic

Security is the highest weighted domain. The exam loves to test the intersection of Identity-based policies, Resource-based policies, and Service Control Policies (SCPs).

IAM Policy Evaluation Flow

Memorize this evaluation order. If you get this wrong, you fail the security questions.

1. Explicit Deny: Overrides everything.
2. SCP (Organizations): Filters permissions; does not grant them.
3. Resource-based Policies: (e.g., S3 Bucket Policy).
4. Identity-based Policies: (e.g., IAM User/Role).
5. Implicit Deny: The default state if nothing is explicitly allowed.

Senior Staff Tip: A common “gotcha” on SAA-C03 is Cross-Account access. Even if an IAM Role in Account A has s3:*, it cannot access a bucket in Account B unless Account B’s Bucket Policy explicitly grants access to that Role AR. Both sides must agree.

KMS Envelope Encryption

You don’t encrypt data with the Customer Master Key (CMK/KMS Key). You encrypt data with a Data Key (DK). The CMK encrypts the DK.

• GenerateDataKey: Returns a plaintext key (to encrypt data) and an encrypted key (to store with data).
• Decrypt: You send the encrypted DK to KMS; KMS uses the CMK to return the plaintext DK.

2. Networking: The Transit Gateway & Hybrid Era

The SAA-C03 has moved heavy into hybrid connectivity. Legacy VPC Peering is still tested, but AWS Transit Gateway (TGW) is the answer for scale.

Connectivity Decision Matrix

Route 53 Routing Policies

Don’t confuse Latency-based (performance) with Geolocation (compliance/GDPR).

• Failover: Active-Passive (Primary/Secondary).
• Multivalue Answer: Poor man’s load balancing (returns multiple random IPs).
• Geoproximity: Bias traffic based on physical distance (requires Traffic Flow).

3. Storage: Performance & Consistency Nuances

You know S3 and EBS. But do you know how they break?

S3 Consistency Model

Since Dec 2020, S3 is Strongly Consistent for all PUTs and DELETEs.

Old exam dumps might say “Eventual Consistency”—they are wrong. Update your mental model.

EBS Volume Types (The “io2 vs gp3” War)

The exam will ask you to optimize for cost vs. IOPS.

• gp3: The default. You can scale IOPS and Throughput independent of storage size.
• io2 Block Express: Sub-millisecond latency. Use for Mission Critical DBs (SAP HANA, Oracle). Expensive.
• st1/sc1: HDD based. Throughput optimized. Great for Big Data/Log processing. Cannot be boot volumes.

EFS vs FSx

IF workload == "Linux specific" AND "Shared File System":
    Use **Amazon EFS** (POSIX compliant, grew/shrinks auto)

IF workload == "Windows" OR "SMB" OR "Active Directory":
    Use **FSx for Windows File Server**

IF workload == "HPC" OR "Lustre":
    Use **FSx for Lustre** (S3 backed high-performance filesystem)
    

4. Decoupling & Serverless Architecture

Microservices are the heart of modern AWS architecture. The exam focuses on how to buffer and process asynchronous data.

SQS vs SNS vs EventBridge

• SQS (Simple Queue Service): Pull-based. Use for buffering to prevent downstream throttling.
  
  
  Limit: Standard = Unlimited throughput. FIFO = 300/s (or 3000/s with batching).
• SNS (Simple Notification Service): Push-based. Fan-out architecture (One message -> SQS, Lambda, Email).
• EventBridge: The modern bus. Content-based filtering and schema registry. Use for SaaS integrations and decoupled event routing.

Pro-Tip: If the exam asks about maintaining order in a distributed system, the answer is almost always SQS FIFO groups. If it asks about “filtering events before processing,” look for EventBridge.

Frequently Asked Questions (FAQ)

What is the difference between Global Accelerator and CloudFront?

CloudFront caches content at the edge (great for static HTTP/S content). Global Accelerator uses the AWS global network to improve performance for TCP/UDP traffic (great for gaming, VoIP, or non-HTTP protocols) by proxying packets to the nearest edge location. It does not cache.

When should I use Kinesis Data Streams vs. Firehose?

Use Data Streams when you need custom processing, real-time analytics, or replay capability (data stored for 1-365 days). Use Firehose when you just need to load data into S3, Redshift, or OpenSearch with zero administration (load & dump).

How do I handle “Database Migration” questions?

Look for AWS DMS (Database Migration Service). If the schema is different (e.g., Oracle to Aurora PostgreSQL), you must combine DMS with the SCT (Schema Conversion Tool).

Conclusion

This AWS SAA-C03 Cheat Sheet covers the structural pillars of the exam. Remember, the SAA-C03 is looking for the “AWS Way”—which usually means decoupled, stateless, and managed services over monolithic EC2 setups. When in doubt on the exam: De-couple it (SQS), Cache it (ElastiCache/CloudFront), and Secure it (IAM/KMS).

For deep dives into specific limits, always verify with the AWS General Reference. Thank you for reading the DevopsRoles page!

In a mature DevOps environment, relying on AWS-generated key pairs often creates technical debt. AWS-generated keys are region-specific, difficult to rotate programmatically, and often leave private keys sitting in download folders rather than secure vaults. To achieve multi-region consistency and enforce strict security compliance, expert practitioners choose to import EC2 key pairs generated externally.

By bringing your own public key material to AWS, you gain full control over the private key lifecycle, enabling usage of hardware security modules (HSMs) or YubiKeys for generation, and simplifying fleet management across global infrastructure. This guide covers the technical implementation of importing keys via the AWS CLI, Terraform, and CloudFormation, specifically tailored for high-scale environments.

Why Import Instead of Create?

While aws ec2 create-key-pair is convenient for sandboxes, it is rarely suitable for production. Importing your key material offers specific architectural advantages:

• Multi-Region Consistency: An imported public key can share the same name and cryptographic material across us-east-1, eu-central-1, and ap-southeast-1. This allows you to use a single private key to authenticate against instances globally, simplifying your SSH config and Bastion host setups.
• Security Provenance: You can generate the private key on an air-gapped machine or within a secure enclave, ensuring the private key never touches the network—not even AWS’s API response.
• Algorithm Choice: While AWS now supports ED25519, importing gives you granular control over the specific generation parameters (e.g., rounds of hashing for the passphrase) before the cloud provider ever sees the public half.

Pro-Tip: AWS only stores the public key. When you “import” a key pair, you are uploading the public key material (usually id_rsa.pub or id_ed25519.pub). AWS calculates the fingerprint from this material. You remain the sole custodian of the private key.

Prerequisites and Key Generation Standards

Before you import EC2 key pairs, ensure your key material meets AWS specifications.

Supported Formats

• Type: RSA (2048 or 4096-bit) or ED25519.
• Format: OpenSSH public key format (Base64 encoded).
• RFC Compliance: RFC 4716 (SSH2) is generally supported, but standard OpenSSH format is preferred for compatibility.

Generating a Production-Grade Key

If you do not already have a key from your security team, generate one using modern standards. We recommend ED25519 for performance and security, provided your AMI OS supports it (most modern Linux distros do).

# Generate an ED25519 key with a specific comment
ssh-keygen -t ed25519 -C "prod-fleet-access-2025" -f ~/.ssh/prod-key

# Output the public key to verify format (starts with ssh-ed25519)
cat ~/.ssh/prod-key.pub

Method 1: The AWS CLI Approach (Shell Automation)

The AWS CLI is the fastest way to register a key, particularly when bootstrapping a new environment. The core command is import-key-pair.

Basic Import

aws ec2 import-key-pair \
    --key-name "prod-global-key" \
    --public-key-material fileb://~/.ssh/prod-key.pub

Note the use of fileb:// which tells the CLI to treat the file as binary blob data, preventing encoding issues on some shells.

Advanced: Multi-Region Import Script

A common requirement for SREs is ensuring the key exists in every active region. Here is a bash loop to import EC2 key pairs across all enabled regions:

#!/bin/bash
KEY_NAME="prod-global-key"
PUB_KEY_PATH="~/.ssh/prod-key.pub"

# Get list of all available regions
regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)

for region in $regions; do
    echo "Importing key to $region..."
    aws ec2 import-key-pair \
        --region "$region" \
        --key-name "$KEY_NAME" \
        --public-key-material "fileb://$PUB_KEY_PATH" \
        || echo "Key may already exist in $region"
done

Method 2: Infrastructure as Code (Terraform)

For persistent infrastructure, Terraform is the standard. Using the aws_key_pair resource allows you to manage the lifecycle of the key registration without exposing the private key in your state file (since you only provide the public key).

resource "aws_key_pair" "production_key" {
  key_name   = "prod-access-key"
  public_key = file("~/.ssh/prod-key.pub")
  
  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "key_pair_id" {
  value = aws_key_pair.production_key.key_pair_id
}

Security Warning: Do not hardcode the public key string directly into the Terraform code if the repo is public. While public keys are not “secrets” in the same vein as private keys, exposing internal infrastructure identifiers is bad practice. Use the file() function or pass it as a variable.

Method 3: CloudFormation

If you are operating strictly within the AWS ecosystem or utilizing Service Catalog, CloudFormation is your tool.

AWSTemplateFormatVersion: '2010-09-09'
Description: Import a custom EC2 Key Pair

Parameters:
  PublicKeyMaterial:
    Type: String
    Description: The OpenSSH public key string (ssh-rsa AAAA...)

Resources:
  ImportedKeyPair:
    Type: AWS::EC2::KeyPair
    Properties: 
      KeyName: "prod-cfn-key"
      PublicKeyMaterial: !Ref PublicKeyMaterial
      Tags: 
        - Key: Purpose
          Value: Automation

Troubleshooting Common Import Errors

Even expert engineers encounter friction when dealing with encoding standards. Here are the most common failures when you attempt to import EC2 key pairs.

1. “Invalid Key.Format”

This usually happens if you attempt to upload the key in PEM format or PKCS#8 format instead of OpenSSH format. AWS expects the string to begin with ssh-rsa or ssh-ed25519 followed by the base64 body.

Fix: Ensure you are uploading the .pub file, not the private key. If you generated the key with OpenSSL directly, convert it:

ssh-keygen -y -f private_key.pem > public_key.pub

2. “Length exceeds maximum”

AWS has a strict size limit for key names (255 ASCII characters) and the public key material itself. While standard 2048-bit or 4096-bit RSA keys fit easily, pasting a key with extensive metadata or newlines can trigger this. Ensure the public key is a single line without line breaks.

Frequently Asked Questions (FAQ)

Can I import a private key into AWS EC2?

No. The EC2 service only stores the public key. AWS does not have a vault for your private SSH keys associated with EC2 Key Pairs. If you lose your private key, you cannot recover it from the AWS console.

Does importing a key allow access to existing instances?

No. The Key Pair is injected into the instance only during the initial launch (via cloud-init). To add a key to a running instance, you must manually append the public key string to the ~/.ssh/authorized_keys file on that server.

How do I rotate an imported key pair?

Since EC2 key pairs are immutable, you cannot “update” the material behind a key name. You must:
1. Import the new key with a new name (e.g., prod-key-v2).
2. Update your Auto Scaling Groups or Terraform code to reference the new key.
3. Roll your instances to pick up the new configuration.

Conclusion

The ability to import EC2 key pairs is a fundamental skill for securing cloud infrastructure at scale. By decoupling key generation from key registration, you ensure that your cryptographic assets remain under your control while enabling seamless multi-region operations. Whether you utilize the AWS CLI for quick tasks or Terraform for stateful management, standardization on imported keys is a hallmark of a production-ready AWS environment.Thank you for reading the DevopsRoles page!

Observability at scale is the silent killer of Kubernetes operations. For expert platform engineers, the challenge isn’t just generating Amazon EKS metrics; it is ingesting, storing, and querying them without managing a fragile, self-hosted Prometheus stateful set that collapses under high cardinality.

In this guide, we bypass the basics. We will architect a production-grade observability pipeline using Amazon Managed Service for Prometheus (AMP) and the AWS Distro for OpenTelemetry (ADOT). We will cover Infrastructure as Code (Terraform) implementation, IAM Roles for Service Accounts (IRSA) security patterns, and advanced filtering techniques to keep your metric ingestion costs manageable.

The Scaling Problem: Why Self-Hosted Prometheus Fails EKS

Standard Prometheus deployments on EKS work flawlessly for development clusters. However, as you scale to hundreds of nodes and thousands of pods, the “pull-based” model combined with local TSDB storage hits a ceiling.

• Vertical Scaling Limits: A single Prometheus server eventually runs out of memory (OOM) attempting to ingest millions of active series.
• Data Persistence: Managing EBS volumes for long-term metric retention is operational toil.
• High Availability: Running HA Prometheus pairs doubles your cost and introduces “gap” complexities during failovers.

Pro-Tip: The solution is to decouple collection from storage. By using stateless collectors (ADOT) to scrape Amazon EKS metrics and remote-writing them to a managed backend (AMP), you offload the heavy lifting of storage, availability, and backups to AWS.

Architecture: EKS, ADOT, and AMP

The modern AWS-native observability stack consists of three distinct layers:

1. Generation: Your application pods and Kubernetes node exporters.
2. Collection (The Agent): The AWS Distro for OpenTelemetry (ADOT) collector running as a DaemonSet or Deployment. It scrapes Prometheus endpoints and remote-writes data.
3. Storage (The Backend): Amazon Managed Service for Prometheus (AMP), which is Cortex-based, scalable, and fully compatible with PromQL.

Step-by-Step Implementation

We will use Terraform for the infrastructure foundation and Helm for the Kubernetes components.

1. Provisioning the AMP Workspace

First, we create the AMP workspace. This is the distinct logical space where your metrics will reside.

resource "aws_prometheus_workspace" "eks_observability" {
  alias = "production-eks-metrics"

  tags = {
    Environment = "Production"
    ManagedBy   = "Terraform"
  }
}

output "amp_workspace_id" {
  value = aws_prometheus_workspace.eks_observability.id
}

output "amp_remote_write_url" {
  value = "${aws_prometheus_workspace.eks_observability.prometheus_endpoint}api/v1/remote_write"
}

2. Security: IRSA for Metric Ingestion

The ADOT collector needs permission to write to AMP. We utilize IAM Roles for Service Accounts (IRSA) to grant least-privilege access, avoiding static access keys.

Create an IAM policy AWSManagedPrometheusWriteAccess (or a scoped inline policy) and attach it to a role trusted by your EKS OIDC provider.

data "aws_iam_policy_document" "amp_ingest_policy" {
  statement {
    actions = [
      "aps:RemoteWrite",
      "aps:GetSeries",
      "aps:GetLabels",
      "aps:GetMetricMetadata"
    ]
    resources = [aws_prometheus_workspace.eks_observability.arn]
  }
}

resource "aws_iam_role" "adot_collector" {
  name = "eks-adot-collector-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRoleWithWebIdentity"
      Effect = "Allow"
      Principal = {
        Federated = "arn:aws:iam::${var.account_id}:oidc-provider/${var.oidc_provider}"
      }
      Condition = {
        StringEquals = {
          "${var.oidc_provider}:sub" = "system:serviceaccount:adot-system:adot-collector"
        }
      }
    }]
  })
}

3. Deploying the ADOT Collector

We deploy the ADOT collector using the EKS add-on or Helm. For granular control over the scraping configuration, the Helm chart is often preferred by power users.

Below is a snippet of the values.yaml configuration required to enable the Prometheus receiver and configure the remote write exporter to send Amazon EKS metrics to your workspace.

# ADOT Helm values.yaml
mode: deployment
serviceAccount:
  create: true
  name: adot-collector
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/eks-adot-collector-role"

config:
  receivers:
    prometheus:
      config:
        global:
          scrape_interval: 15s
        scrape_configs:
          - job_name: 'kubernetes-pods'
            kubernetes_sd_configs:
              - role: pod
            relabel_configs:
              - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
                action: keep
                regex: true

  exporters:
    prometheusremotewrite:
      endpoint: "https://aps-workspaces.us-east-1.amazonaws.com/workspaces/ws-xxxx/api/v1/remote_write"
      auth:
        authenticator: sigv4auth

  extensions:
    sigv4auth:
      region: "us-east-1"
      service: "aps"

  service:
    extensions: [sigv4auth]
    pipelines:
      metrics:
        receivers: [prometheus]
        exporters: [prometheusremotewrite]

Optimizing Costs: Managing High Cardinality

Amazon EKS metrics can generate massive bills if you ingest every label from every ephemeral pod. AMP charges based on ingestion (samples) and storage.

Filtering at the Collector Level

Use the processors block in your ADOT configuration to drop unnecessary metrics or labels before they leave the cluster.

processors:
  filter:
    metrics:
      exclude:
        match_type: strict
        metric_names:
          - kubelet_volume_stats_available_bytes
          - kubelet_volume_stats_capacity_bytes
          - container_fs_usage_bytes # Often high noise, low value
  resource:
    attributes:
      - key: jenkins_build_id
        action: delete  # Remove high-cardinality labels

Advanced Concept: Avoid including high-cardinality labels such as client_ip, user_id, or unique request_id in your metric dimensions. These explode the series count and degrade query performance in PromQL.

Visualizing with Amazon Managed Grafana

Once data is flowing into AMP, visualization is standard.

1. Deploy Amazon Managed Grafana (AMG).
2. Add the “Prometheus” data source.
3. Toggle “SigV4 SDK” authentication in the data source settings (this seamlessly uses the AMG workspace IAM role to query AMP).
4. Select your AMP region and workspace.

Because AMP is 100% PromQL compatible, you can import standard community dashboards (like the Kubernetes Cluster Monitoring dashboard) and they will work immediately.

Frequently Asked Questions (FAQ)

Does AMP support Prometheus Alert Manager?

Yes. AMP supports a serverless Alert Manager. You upload your alerting rules (YAML) and routing configuration directly to the AMP workspace via the AWS CLI or Terraform. You do not need to run a separate Alert Manager pod in your cluster.

What is the difference between ADOT and the standard Prometheus Server?

The standard Prometheus server is a monolithic binary that scrapes, stores, and serves data. ADOT (based on the OpenTelemetry Collector) is a pipeline that receives data, processes it, and exports it. ADOT is stateless and easier to scale horizontally, making it ideal for shipping Amazon EKS metrics to a managed backend.

How do I monitor the control plane (API Server, etcd)?

EKS Control Plane metrics are not exposed via standard scraping endpoints inside your VPC because the control plane is managed by AWS. However, you can enable “Control Plane Logging” in EKS to send metrics to CloudWatch, or use specific PromQL exporters if AWS exposes the metrics endpoint (varies by EKS version and configuration).

Conclusion

Migrating to Amazon Managed Service for Prometheus allows expert teams to treat observability as a service rather than a server. By leveraging ADOT for collection and IRSA for security, you build a robust, scalable pipeline for your Amazon EKS metrics.

Your next step is to audit your current metric cardinality using the ADOT processor configuration to ensure you aren’t paying for noise. Focus on the golden signals—Latency, Traffic, Errors, and Saturation—and let AWS manage the infrastructure. Thank you for reading the DevopsRoles page!