Task Statement 1.1: Design secure access to AWS resources.
📘 AWS Certified Solutions Architect (SAA-C03)
Why AWS Global Infrastructure Matters for the Exam
AWS Global Infrastructure is a core foundation topic.
You cannot design secure, highly available, or fault-tolerant systems unless you understand:
- Where AWS resources are physically located
- How AWS separates resources for security and availability
- How Regions and Availability Zones affect data access, latency, compliance, and disaster recovery
AWS exam questions frequently test:
- Region vs Availability Zone
- High availability designs
- Data residency and compliance
- Service scope (global vs regional)
What Is AWS Global Infrastructure?
AWS Global Infrastructure is the worldwide physical setup that AWS uses to deliver cloud services.
It includes:
- AWS Regions
- Availability Zones (AZs)
- Edge Locations
- Regional and Global services
This infrastructure allows AWS to provide:
- High availability
- Fault tolerance
- Low latency
- Strong security and isolation
AWS Regions
What Is an AWS Region?
An AWS Region is a geographic area where AWS has multiple data centers.
Each Region is:
- Completely separate from other Regions
- Designed to be isolated for security and fault tolerance
Examples of Regions:
- us-east-1 (North Virginia)
- eu-west-1 (Ireland)
- ap-south-1 (Mumbai)
Key Characteristics of AWS Regions
| Feature | Explanation |
|---|---|
| Geographic isolation | Problems in one Region do not affect others |
| Independent security | VPCs and most resources are Region-specific; IAM itself is global (see Global Services below) |
| Compliance support | Choose Regions to meet legal and data residency rules |
| Latency control | Pick Regions closer to users |
Why Regions Matter for Security (Exam Point)
- Data stays inside the Region unless you copy it elsewhere
- You control where your data is stored
- Some services and features are not available in all Regions
Exam tip:
If a question mentions data residency, compliance, or legal requirements, the answer usually involves choosing the correct Region.
Availability Zones (AZs)
What Is an Availability Zone?
An Availability Zone (AZ) is one or more physical data centers inside a Region.
Each AZ:
- Has its own power, networking, and cooling
- Is physically separate from other AZs
- Is connected to other AZs using high-speed, low-latency links
Example:
- Region: us-east-1
- AZs: us-east-1a, us-east-1b, us-east-1c
Key Characteristics of Availability Zones
| Feature | Explanation |
|---|---|
| Fault isolation | Failure in one AZ does not affect others |
| High availability | Resources can be spread across AZs |
| Fast communication | AZs connect with low latency |
| Same Region | AZs never cross Regions |
Why AZs Matter for the Exam
AWS expects architects to:
- Deploy applications across multiple AZs
- Avoid placing all resources in one AZ
- Design for AZ failure, not just server failure
Exam tip:
If a question mentions high availability or fault tolerance, the correct design almost always uses multiple Availability Zones.
Relationship Between Regions and Availability Zones
| Concept | Region | Availability Zone |
|---|---|---|
| Scope | Large geographic area | Data centers inside a Region |
| Isolation | Isolated from other Regions | Isolated from other AZs |
| Used for | Compliance, latency, DR | High availability |
| Exam focus | Data location | Fault tolerance |
Edge Locations
What Is an Edge Location?
An Edge Location is a global data center used to deliver content closer to users.
Edge Locations are used mainly by:
- Amazon CloudFront
- AWS Shield
- AWS WAF
- Route 53
Purpose of Edge Locations
- Reduce latency
- Improve performance
- Protect applications from attacks
- Serve cached data closer to users
Important exam note:
Edge Locations are not Regions or AZs.
Global vs Regional AWS Services (Very Important for Exam)
Global Services
These services are not tied to a specific Region.
| Service | Why It Is Global |
|---|---|
| IAM | Controls access across the entire AWS account |
| Route 53 | DNS works globally |
| CloudFront | Uses Edge Locations worldwide |
| AWS Organizations | Manages multiple accounts globally |
Regional Services
These services exist inside a specific Region.
| Service | Scope |
|---|---|
| EC2 | Region-specific |
| S3 | Region-specific (bucket lives in one Region) |
| RDS | Region-specific |
| VPC | Region-specific |
| Lambda | Region-specific |
Exam tip:
If a question asks “Which service controls access across all Regions?”, the answer is IAM.
How AWS Global Infrastructure Supports Secure Access
Isolation by Design
- Regions isolate data geographically
- AZs isolate infrastructure failures
- AWS does not automatically share data across Regions
Controlled Access
- IAM policies control who can access what
- VPCs isolate networking per Region
- Security groups and NACLs apply within Regions and AZs
High Availability and Security Together
AWS expects you to:
- Spread resources across AZs for availability
- Use Regions to isolate workloads
- Use global services (IAM, Route 53) for centralized control
Common Exam Scenarios You Must Recognize
Scenario 1: High Availability Required
Correct design:
- Deploy resources across multiple Availability Zones
Scenario 2: Data Must Stay in a Country
Correct design:
- Choose the correct AWS Region
Scenario 3: Centralized Access Control
Correct design:
- Use IAM (Global Service)
Scenario 4: Low Latency for Global Users
Correct design:
- Use Edge Locations (CloudFront)
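Scenarios 1 and 2 and the global-vs-regional distinction can be checked mechanically from an inventory of ARNs and instance placements. The following is an added example, not part of the original notes or any AWS tooling; the account id, resource names and AZ names are constructed sample data, and the list of global services is taken from the table above.

```python
"""Inventory checks for Region residency (Scenario 2) and multi-AZ spread (Scenario 1).

ARN layout: arn:partition:service:region:account:resource. Sample values are constructed.
"""
from collections import defaultdict

# Global services from the notes above: their ARNs carry no Region.
GLOBAL_SERVICES = {"iam", "route53", "cloudfront", "organizations"}

SAMPLE_ARNS = [  # constructed inventory
    "arn:aws:iam::123456789012:role/AppRole",
    "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc",
    "arn:aws:rds:us-east-1:123456789012:db:payments",
    "arn:aws:s3:::eu-residency-bucket",
    "arn:aws:cloudfront::123456789012:distribution/EDIST1234",
]
SAMPLE_INSTANCES = [  # (instance id, Availability Zone), constructed
    ("i-1", "eu-west-1a"), ("i-2", "eu-west-1b"),
    ("i-3", "us-east-1a"), ("i-4", "us-east-1a"),
]

def parse_arn(arn):
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    return {"service": service, "region": region or None,
            "account": account, "resource": resource}

def check_residency(arns, allowed_regions):
    """Return (violations, needs_lookup): regional ARNs outside the allowed Regions,
    and ARNs whose Region cannot be read from the ARN alone."""
    violations, needs_lookup = [], []
    for arn in arns:
        p = parse_arn(arn)
        if p["service"] in GLOBAL_SERVICES:
            continue  # global service: no Region to check
        if p["region"] is None:
            needs_lookup.append(arn)  # S3 bucket ARNs omit the Region even though buckets are regional
        elif p["region"] not in allowed_regions:
            violations.append(arn)
    return violations, needs_lookup

def single_az_regions(instances):
    """Regions whose instances all sit in one AZ (assumes standard AZ names: Region + letter)."""
    azs_by_region = defaultdict(set)
    for _, az in instances:
        azs_by_region[az[:-1]].add(az)
    return sorted(r for r, azs in azs_by_region.items() if len(azs) < 2)
```

Because an S3 bucket's Region is not in its ARN, the `needs_lookup` list marks buckets whose location must be confirmed separately before a residency claim can be made.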
Key Exam Rules to Remember (Very Important)
- ❌ AZs do not span Regions
- ❌ Regions do not share resources automatically
- ✅ Multiple AZs = high availability
- ✅ Regions = compliance and isolation
- ✅ IAM = global
- ✅ EC2, VPC, RDS = regional
Quick Exam Summary
| Concept | Remember This |
|---|---|
| Region | Geographic location, isolated |
| Availability Zone | Fault-isolated data centers |
| Edge Location | Content delivery and protection |
| Global services | IAM, Route 53, CloudFront |
| Regional services | EC2, S3, RDS, VPC |
| High availability | Use multiple AZs |
| Compliance | Choose correct Region |
