Ren Nishino
AWS | Developer

Posts

AWS DynamoDB Basics

What is DynamoDB?

Fully managed NoSQL database (key-value and document). Serverless - no instances to manage.

Key Terms

| Term | What it is |
|---|---|
| Table | Collection of items (like a table in SQL, but schema-less) |
| Item | Single record (like a row in SQL) |
| Attribute | Field within an item (each item can have different attributes) |
| Partition Key (PK) | Primary identifier - DynamoDB uses this to distribute data |
| Sort Key (SK) | Optional secondary identifier - enables range queries within a partition |
| Primary Key | Either PK alone, or PK + SK combined |

┌─────────────────────────────────────────────────────────────────┐
│  DynamoDB Table: Orders                                         │
│                                                                 │
│  Primary Key: customer_id (PK) + order_date (SK)                │
│                                                                 │
│  ┌─────────────┬─────────────┬──────────┬───────────┐           │
│  │ customer_id │ order_date  │ total    │ items     │           │
│  │ (PK)        │ (SK)        │          │           │           │
│  ├─────────────┼─────────────┼──────────┼───────────┤           │
│  │ user123     │ 2026-01-01  │ 150.00   │ [...]     │           │
│  │ user123     │ 2026-01-02  │ 75.50    │ [...]     │           │
│  │ user456     │ 2026-01-01  │ 200.00   │ [...]     │           │
│  └─────────────┴─────────────┴──────────┴───────────┘           │
│                                                                 │
│  Query: Get all orders for user123 → returns 2 items            │
│  Query: Get user123's orders after 2026-01-01 → returns 1 item  │
└─────────────────────────────────────────────────────────────────┘

RDS/Aurora vs DynamoDB

| Aspect | RDS/Aurora | DynamoDB |
|---|---|---|
| Type | Relational (SQL) | NoSQL (key-value) |
| Schema | Fixed (define columns upfront) | Flexible (each item can differ) |
| Scaling | Vertical (bigger instance) | Horizontal (automatic partitioning) |
| Queries | Any SQL query (JOINs, etc.) | Limited (by key only, no JOINs) |
| Transactions | Full ACID | Limited ACID (up to 100 items) |
| Management | You manage instance size | Fully serverless |
| Pricing | Per instance hour | Per request + storage |

What “Manage Instance Size” Means (RDS/Aurora)

DB instance (EC2) size - the compute. You choose db.r5.large, db.r5.2xlarge, etc. ...

January 2, 2026 · 8 min · Ren Nishino

TLS and mTLS Basics

Cryptographic Fundamentals

Key Pair (Public Key + Private Key)

The foundation of TLS. Generated together mathematically.

    # Generate key pair
    openssl genrsa -out private.key 2048
    openssl rsa -in private.key -pubout -out public.key

What they do:

- Encrypt with public key → Only private key can decrypt
- Sign with private key → Anyone with public key can verify

Certificate (X.509)

A certificate = public key + identity information + signature from CA.

┌─────────────────────────────────────────────────────────────────┐
│  Certificate Contents                                           │
│                                                                 │
│  Subject: CN=api.example.com, O=MyCompany     ← Who this is     │
│  Issuer: CN=DigiCert CA                       ← Who signed it   │
│  Valid From: 2026-01-01                                         │
│  Valid To: 2027-01-01                                           │
│  Public Key: MIIBIjANBgkqhkiG9w0BAQEFA...     ← Embedded        │
│  Signature: a7f3b2c1d4e5f6...                 ← CA's stamp      │
└─────────────────────────────────────────────────────────────────┘

Certificate is NOT secret - it contains public key and can be shared freely. ...

January 2, 2026 · 8 min · Ren Nishino

AWS IAM Identity Providers - OIDC, SAML, and Federation APIs

What is an IAM Identity Provider?

An IAM Identity Provider is a configuration in AWS that tells IAM “trust this external identity system.” It lets users authenticated by external systems (Google, Okta, GitHub Actions, etc.) get temporary AWS credentials without creating IAM users.

Key Concepts

| Concept | What it is |
|---|---|
| Identity Provider (IdP) | External system that authenticates users (Google, Okta, Azure AD, etc.) |
| Service Provider (SP) | System that trusts the IdP and provides resources (AWS in this case) |
| Federation | Linking identities across different systems—user logs in once, accesses multiple systems |
| Trust Relationship | AWS saying “I believe what this IdP tells me about users” |
| OIDC Provider | IAM entity for trusting OpenID Connect-based IdPs |
| SAML Provider | IAM entity for trusting SAML 2.0-based IdPs |

OIDC vs SAML

- OIDC (OpenID Connect): Modern, JSON/REST-based protocol—used by web apps, mobile apps, and programmatic access (GitHub Actions, EKS pods, Cognito)
- SAML 2.0: XML-based enterprise protocol—used for browser-based SSO to AWS Console (Okta, Azure AD, corporate SSO)

Trust Anchor

When you create an IAM Identity Provider, you get: ...

January 2, 2026 · 5 min · Ren Nishino