Episode 92: AI Services: Lex & Polly

This episode is all about practicing how to apply service selection patterns to exam-style scenarios. Rather than memorizing facts, the exam rewards recognizing requirements in a question and mapping them to the most appropriate AWS service. Each scenario frames a common design choice, often with multiple seemingly correct answers. The skill is to identify the simplest service that fully meets the requirement without overbuilding or missing critical constraints. As you listen, imagine yourself taking the exam: what keywords or qualifiers would point you to one service over another? That practice will help you answer quickly and confidently.
Let’s start with compute. Imagine a team needs to run a workload that executes continuously, with custom operating system dependencies and predictable capacity. The right choice here is EC2, since it offers the flexibility of virtual machines. Now compare that with a scenario where you need short-lived, event-driven code that scales instantly with usage, such as processing images uploaded to S3. That’s a classic Lambda use case. Finally, suppose you want to deploy containers but don’t want to manage the underlying servers. That’s where Fargate fits, providing serverless compute for containers. The keywords “virtual machine,” “custom OS,” or “predictable load” point to EC2; “event-driven” points to Lambda; and “serverless containers” points to Fargate.
Now think storage. If the scenario says “frequently accessed data,” the correct S3 class is Standard. If it highlights “infrequent but still immediately accessible data,” then S3 Standard-IA is best. If it says “long-term archive with retrieval in hours,” S3 Glacier or Glacier Deep Archive fits. Intelligent-Tiering is often the best choice when access patterns are unpredictable, since it automatically optimizes cost. The exam often frames this by asking about cost savings while keeping durability, so you’ll need to match storage class to access frequency.
For block storage, consider EBS versus instance store. EBS volumes are durable, persistent storage that survives instance stops and starts. Instance store is ephemeral, disappearing when the instance is terminated. If the workload is transactional, like a database, EBS is the right fit. If the workload is high-performance and disposable, such as temporary scratch space for video rendering, instance store is appropriate. The cue words “durable,” “persistent,” and “attachable” map to EBS, while “temporary” or “ephemeral” point to instance store.
Databases also show up frequently in scenario questions. RDS provides managed relational databases, great for standard SQL workloads. Aurora is the answer when high performance and cloud-native resilience are emphasized, especially if MySQL or PostgreSQL compatibility is required. DynamoDB is correct when the exam mentions “millisecond latency,” “NoSQL,” or “massive scale.” If the question highlights “structured, transactional,” lean toward RDS. If it emphasizes “serverless, global, scalable,” think DynamoDB. And if the question adds “five times the performance of MySQL,” Aurora is the likely answer.
Load balancers also come up often. Application Load Balancers (ALB) handle HTTP and HTTPS with path- or host-based routing. Network Load Balancers (NLB) handle Layer 4 TCP/UDP traffic at extreme performance, scaling to millions of requests per second. Gateway Load Balancers (GWLB) integrate with security appliances, such as firewalls. So if the scenario highlights “routing based on URLs,” choose ALB. If it emphasizes “low latency” or “Layer 4 traffic,” pick NLB. And if it mentions “security appliances inline,” that’s GWLB.
Scaling policies are another exam focus. Simple scaling adds or removes instances based on one metric threshold, like CPU. Target tracking scaling keeps a metric, like CPU utilization, near a set value. Step scaling changes capacity in increments based on metric breaches. Predictive scaling anticipates demand using machine learning. On the exam, “maintain CPU at 50%” signals target tracking, while “anticipate future traffic” means predictive. Understanding these policy types ensures you can align scaling with workload behavior.
Edge services are frequently contrasted. CloudFront caches and accelerates HTTP/S content globally, reducing latency by serving from edge locations. Global Accelerator provides static anycast IPs, routing TCP and UDP traffic over AWS’s backbone to the nearest healthy endpoint. If the scenario mentions “content caching,” “CDN,” or “S3 distribution,” think CloudFront. If it highlights “static IPs,” “non-HTTP protocols,” or “gaming/VoIP acceleration,” Global Accelerator is correct.
Endpoints also show up. PrivateLink and VPC endpoints provide private connectivity to AWS services. Gateway endpoints are for S3 and DynamoDB, integrating directly with route tables. Interface endpoints provide ENIs for private connections to many services and third-party APIs. If the scenario says “private access to S3,” choose a gateway endpoint. If it mentions “access to an AWS API over a private IP,” pick an interface endpoint or PrivateLink.
For APIs, you may have to distinguish between API Gateway and an ALB. API Gateway provides authentication, throttling, caching, and request transformation, making it ideal for public-facing APIs with complex needs. ALBs can route HTTP APIs internally, but they lack API management features. So if the exam says “secure API front door with authentication,” the answer is API Gateway. If it just says “distribute traffic among HTTP microservices,” the answer is ALB.
Event-driven services are another key distinction. SNS is for fanout broadcasts. SQS is for buffering between producers and consumers. EventBridge is for routing based on attributes or integrating with SaaS providers. If the exam says “broadcast to many consumers,” that’s SNS. If it says “buffer tasks until workers are ready,” that’s SQS. If it says “filter events by pattern,” that’s EventBridge. Recognizing these cues ensures you map events correctly.
VPC design questions often involve public and private tiers. Web servers belong in public subnets routed through an Internet Gateway, while databases and backends live in private subnets and reach the internet outbound only through a NAT Gateway. If the scenario says “securely expose only the web layer to the internet,” that’s the classic public/private split.
For connectivity troubleshooting, the exam often tests whether you know the difference between security groups and NACLs. If the issue is with return traffic or stateful behavior, the answer is security groups. If it mentions explicit deny rules or stateless filters at the subnet level, the answer is NACLs.
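The stateful-versus-stateless distinction is easiest to see in code. The following is an added toy model, not from the episode: a stateless NACL evaluator that matches every packet, replies included, against numbered rules, beside a stateful security group that remembers allowed connections. The rule numbers, addresses and the ephemeral port range are constructed for the example.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # port range clients typically use for return traffic

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    direction: str  # "inbound" or "outbound" relative to the subnet / instance

@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated lowest number first, first match wins
    direction: str
    port_range: tuple  # (low, high) inclusive
    action: str        # "allow" or "deny"

def nacl_allows(rules, pkt):
    """Stateless: a reply is just another packet that must match its own rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction == pkt.direction and r.port_range[0] <= pkt.dst_port <= r.port_range[1]:
            return r.action == "allow"
    return False  # implicit deny (the trailing * rule)

class SecurityGroup:
    """Stateful: a reply is allowed because the request it answers was allowed."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.flows = set()  # (client, server) pairs seen on allowed inbound requests
    def allows(self, pkt):
        if pkt.direction == "inbound":
            if pkt.dst_port in self.inbound_ports:
                self.flows.add((pkt.src, pkt.dst))
                return True
            return False
        return (pkt.dst, pkt.src) in self.flows  # outbound reply to a tracked flow

def https_round_trip(nacl_rules, sg):
    """Constructed exchange: client hits 443, server replies to the client's ephemeral port."""
    request = Packet("203.0.113.10", "10.0.1.5", 443, "inbound")
    reply = Packet("10.0.1.5", "203.0.113.10", 51234, "outbound")
    return {
        "nacl": nacl_allows(nacl_rules, request) and nacl_allows(nacl_rules, reply),
        "sg": sg.allows(request) and sg.allows(reply),
    }

# Constructed rule sets: the first forgets the outbound ephemeral rule, the second adds it.
BROKEN_NACL = [Rule(100, "inbound", (443, 443), "allow")]
FIXED_NACL = BROKEN_NACL + [Rule(100, "outbound", EPHEMERAL, "allow")]
DENY_FIRST_NACL = [Rule(90, "inbound", (443, 443), "deny")] + FIXED_NACL
```

Running `https_round_trip(BROKEN_NACL, SecurityGroup([443]))` shows the security group passing the round trip while the NACL drops the reply; `DENY_FIRST_NACL` shows an explicit deny winning because it has the lower rule number.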
Finally, you’ll need to distinguish CloudWatch, CloudTrail, and Config. CloudWatch provides metrics, logs, and alarms for performance monitoring. CloudTrail records API calls for auditing. Config tracks configuration compliance and drift. If the exam mentions “monitoring CPU” or “triggering alarms,” that’s CloudWatch. If it says “who did what, when,” that’s CloudTrail. If it highlights “evaluate against compliance rules,” that’s Config. These distinctions are exam favorites.
For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
When evaluating scenarios, a strong pattern is to prefer managed or serverless services wherever they fit. The exam often contrasts options that technically all work, but the best answer minimizes operational toil. For instance, if you see a requirement for event-driven compute, Lambda will usually be correct over EC2 unless there’s a hard dependency on custom OS-level access. The philosophy is clear: choose the service that reduces management burden while still meeting requirements.
Another reasoning pattern is to minimize public exposure by keeping traffic private. AWS gives you VPC endpoints, PrivateLink, and gateway endpoints specifically so workloads don’t rely on public internet paths. On the exam, if the question hints at “private connectivity,” “no internet access,” or “reduce attack surface,” then endpoint-based solutions are the best match. This design choice aligns with zero-trust security and is one of AWS’s most emphasized best practices.
High availability comes from Multi-AZ design, not from running a single instance. If the exam scenario describes fault tolerance, the answer is never “deploy one large EC2.” Instead, it’s to spread resources across multiple Availability Zones, use Auto Scaling, or rely on Multi-AZ databases. This mindset shows up often: if the requirement is resilience, choose multi-instance, multi-AZ, or cross-Region solutions rather than a single resource.
Caching is a common lever for both cost reduction and performance. CloudFront caches at the edge, ElastiCache accelerates queries in memory, and API Gateway supports caching for REST endpoints. If you see cues about “reduce database load” or “lower latency for repeated queries,” caching is the strategy. It’s often the simplest answer that simultaneously improves speed and reduces expense.
For reliability, idempotency and Dead Letter Queues (DLQs) are recurring themes. Idempotency ensures retries don’t duplicate effects, while DLQs capture failed messages for later analysis. Exam scenarios mentioning “repeated events,” “error isolation,” or “poison messages” usually expect you to recognize idempotency and DLQs as the safeguards. These are foundational to designing robust, distributed systems.
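Both safeguards in one consumer, as an added example that is not from the episode: an idempotency store keyed on the message ID so a redelivered message is not acted on twice, and a dead-letter queue that receives a message once it has failed a maximum number of times. The queue is simulated in memory; `MAX_RECEIVE_COUNT`, the message bodies and the IDs are constructed for the example, and the limit plays the role of an SQS redrive policy's maxReceiveCount.

```python
from dataclasses import dataclass, field

MAX_RECEIVE_COUNT = 3  # deliveries allowed before a message is moved to the DLQ (constructed)

@dataclass
class Message:
    message_id: str       # stable across redeliveries, so it serves as the idempotency key
    body: str
    receive_count: int = 0

@dataclass
class Consumer:
    processed_ids: set = field(default_factory=set)  # idempotency store (a table in real systems)
    ledger: list = field(default_factory=list)       # the side effect that must not be duplicated
    dlq: list = field(default_factory=list)          # dead-letter queue for poison messages

    def handle(self, msg):
        """Business logic: 'charge:<amount>' succeeds; 'poison:*' always fails."""
        kind, _, value = msg.body.partition(":")
        if kind == "poison":
            raise ValueError(f"cannot parse {msg.body!r}")
        self.ledger.append(int(value))

    def receive(self, msg):
        """Called once per delivery; returns what happened to the message."""
        if msg.message_id in self.processed_ids:
            return "duplicate_skipped"   # at-least-once delivery handed us a repeat
        msg.receive_count += 1
        try:
            self.handle(msg)
        except Exception:
            if msg.receive_count >= MAX_RECEIVE_COUNT:
                self.dlq.append(msg)     # isolate the poison message for later analysis
                return "dead_lettered"
            return "retry"               # message becomes visible again after the timeout
        # Recording the key after the side effect leaves a crash window between the two;
        # production code records the key and performs the effect in one atomic step.
        self.processed_ids.add(msg.message_id)
        return "processed"

def run_demo():
    """Constructed traffic: one good message delivered twice, one poison message until DLQ."""
    c = Consumer()
    good = Message("m-1", "charge:40")
    poison = Message("m-2", "poison:???")
    outcomes = [c.receive(good), c.receive(good)]
    outcomes += [c.receive(poison) for _ in range(MAX_RECEIVE_COUNT)]
    return outcomes, c.ledger, [m.message_id for m in c.dlq]
```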
Security best practice is to grant least-privilege roles and avoid long-lived keys. IAM roles provide temporary credentials to applications, while static keys embedded in code or config are always a red flag. If the exam question includes “temporary access,” “cross-service role,” or “eliminate static credentials,” the correct answer will involve IAM roles, scoped policies, and fine-grained permissions.
Infrastructure as Code (IaC) is the standard for consistency. CloudFormation or the CDK ensures environments can be created and recreated reliably. If the exam scenario mentions “repeatable deployments,” “avoid manual drift,” or “standardize environments,” the expected answer is to use IaC tooling. This principle comes up often as a way to align DevOps discipline with AWS automation.
Operational readiness requires alarms tied to service level objectives (SLOs). CloudWatch alarms on metrics like CPU, queue length, or iterator age ensure teams respond before users feel pain. Exam cues like “detect when system lags” or “notify when thresholds are crossed” point directly to CloudWatch alarms as the proactive mechanism.
Encryption by default is the safe assumption. Many services integrate with KMS, and the exam expects you to recognize when to apply it. If you see “encrypt at rest,” “manage keys,” or “regulatory compliance,” then enabling SSE with KMS or configuring CMKs is the correct answer. Tracking key usage with CloudTrail reinforces compliance and auditability.
Disaster recovery (DR) strategies are framed around RTO (Recovery Time Objective) and RPO (Recovery Point Objective). If the exam question mentions “minutes of downtime” or “seconds of data loss,” you need to match that requirement to the right DR pattern, such as Multi-AZ for high availability or cross-Region replication for low RPO. Matching recovery targets to services is a key readiness skill.
The exam consistently rewards choosing services that reduce operational toil. If you can offload backups, patching, scaling, or monitoring to a managed service, that’s the right answer. This pattern applies across domains: RDS over self-managed databases, Lambda over EC2 cron jobs, CloudWatch over custom monitoring. The theme is to let AWS handle undifferentiated heavy lifting.
For exam tips, always read qualifiers carefully: Region, scale, SLA, and cost often determine the right choice. If the requirement stresses “global,” then think Route 53, CloudFront, or Global Accelerator. If it highlights “elastic,” then think Auto Scaling or serverless. Keywords are cues, and matching them quickly is how you succeed.
Another tip is to eliminate answers that overbuild or undersecure. If one option involves deploying complex, multi-service solutions when a single managed service suffices, that’s likely wrong. If another option leaves data exposed to the internet or lacks encryption, that’s also wrong. The correct answer is usually the simplest option that fully meets security and performance needs.
In conclusion, success on both the exam and in real-world AWS design comes from recognizing scenario cues and mapping them to the simplest, most reliable service. Prefer managed and serverless where possible, secure everything by default, design for multi-AZ resilience, and always think about cost. With practice, these patterns become second nature, allowing you to select services confidently and design architectures that are both exam-ready and production-ready.