Topic — AWS SAA Foundational Knowledge Supplement
Exam scope — AWS SAA (Solutions Architect Associate)
Services covered — Control Tower, Config, Outposts, Elastic Beanstalk, Transfer Family, DataSync
These notes were written during SAA exam prep to fill in gaps on AWS services I was less familiar with — a quick reference for future review.
AWS Control Tower
Control Tower is the "franchise headquarters" for multi-account environments — responsible for uniformly creating, managing, and monitoring the compliance status of all accounts. It is not a brand-new service but rather an orchestration platform layered on top of AWS Organizations, IAM Identity Center, and Service Catalog.
- Landing Zone: Pre-built networking, security, and logging infrastructure based on AWS best practices; all new accounts operate within this secure container
- Controls / Guardrails: High-level rules written in plain language, categorized as preventive, detective, or proactive; classified as mandatory, strongly recommended, or optional — ensuring accounts don't cross security boundaries
- Account Factory: An automated account creation template; development teams can spin up a fully configured new account with a few clicks, no manual setup required
- Dashboard: Centrally monitors the guardrail status of all accounts — instantly see which accounts or resources are noncompliant
AWS Config
Config is the "asset manager and time machine" for your AWS environment — continuously recording the state and change history of all resources for troubleshooting, security forensics, and compliance auditing.
- Automatic change tracking: Any resource that is created, modified, or deleted is automatically recorded by Config
- Custom rules (Config Rules): Define organizational mandates (e.g., "all EBS volumes must be encrypted"); violations are automatically flagged as Noncompliant with a notification, and auto-remediation can be configured
- Time machine (troubleshooting): View the relationship graph between a resource and others, trace back through historical configurations, and identify which change caused the system to break
- Compliance auditing: The configuration snapshots that Config stores in S3 serve as audit evidence; you can even determine what permissions a specific employee had on a specific date
- Cross-account centralized management:
  - Aggregators: Collect Config data from multiple accounts and regions into a single view
  - Conformance packs: Deploy a complete set of rules to all accounts in one operation
Prerequisites: an S3 bucket (to store the configuration history), an SNS topic (to send noncompliance notifications), and an IAM role (so Config can read resource state).
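As an added example (not part of the original notes), here is what the "all EBS volumes must be encrypted" custom rule above looks like as a Config rule Lambda. The event and evaluation shapes follow AWS Config's custom Lambda rule format; the optional `requiredKmsKeyArn` rule parameter and the sample event are constructed for illustration.

```python
# Custom AWS Config rule for "all EBS volumes must be encrypted". Added example,
# not from the original notes; the event shape is the AWS Config custom Lambda
# rule format. requiredKmsKeyArn is a constructed optional rule parameter.
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_volume(item, params=None):
    """Return (compliance_type, annotation) for one configuration item."""
    params = params or {}
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Volume was deleted"  # avoid stale findings
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "EBS volume is not encrypted"
    required_key = params.get("requiredKmsKeyArn")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return NON_COMPLIANT, "Volume is not encrypted with the mandated KMS key"
    return COMPLIANT, "Volume is encrypted"


def build_evaluation(event):
    """Parse the invocation event and build one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate_volume(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported lazily so the pure logic above runs offline
    evaluation = build_evaluation(event)  # report the verdict back to Config
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation (not captured from a real account) for a dry run.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"encrypted": False, "volumeType": "gp3"}}}),
    "ruleParameters": "{}", "resultToken": "constructed-token",
}
```

Attach the Lambda to a Config rule with a Lambda source and the rule is re-evaluated on every volume change; pair it with a remediation action to make the flagged volumes self-correcting.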
AWS Outposts
Outposts physically brings AWS compute capabilities into your own data center — hardware is managed by AWS, but compute and data stay on-premises.
Core advantages:
- Ultra-low latency: Ideal for factory production lines, medical devices, high-frequency trading, and other scenarios requiring real-time response
- Local data processing: Used when data is legally restricted from leaving local facilities
- Seamless operation: Outposts is logically an extension of an AWS Region; EC2 and RDS share the same private IP address space as the cloud VPC
Hardware form factors:
- Outposts racks (42U standard rack): For formal data centers — a complete rack including servers, switches, and power
- Outposts servers (1U / 2U): For space-constrained environments (retail stores, hospitals) — a single small-capacity server
- Outposts ACE racks: Required when deploying 4 or more racks, managing connectivity between multiple racks and the local network
Key network components:
- Service link: The dedicated connection from Outposts back to the AWS Region, used for hardware monitoring and software updates
- Local gateway (LGW): Rack-specific; allows Outposts resources to communicate with existing local systems
- Local network interface: The on-premises network interface specific to the server form factor
AWS Elastic Beanstalk
Elastic Beanstalk is a PaaS (Platform as a Service) — developers simply upload their code and the platform automatically handles all underlying infrastructure.
- Fully automated infrastructure: Automatically provisions EC2 instances, configures Load Balancers, enables health monitoring, and runs Auto Scaling
- Two execution environments:
  - Web server environment: Handles user HTTP requests
  - Worker environment: Works with SQS to handle long-running background tasks (such as video transcoding), preventing the main website from being blocked
- Language support: Native support for Go, Java, .NET, Node.js, PHP, Python, and Ruby; special environments can be deployed using Docker containers
- Launch flow: Create application → upload code → automatic startup; manageable via the Console, AWS CLI, or EB CLI
AWS Transfer Family
Transfer Family is a fully managed file transfer server that lets business partners continue using their familiar FTP software to transfer files, with seamless integration to AWS cloud storage on the backend.
- Supported protocols: SFTP, FTPS, FTP, AS2, and browser-based web transfer
- Zero changes for clients: Partners continue using tools like FileZilla and WinSCP — no configuration changes required
- Backend storage:
  - S3: The most common option, ideal for data lakes, B2B data exchange, and vendor data collection
  - EFS: Used when a shared network file system is needed, with automatic capacity scaling
- Managed File Transfer Workflows (MFTW): Automatically run post-processing steps after a file arrives (decompression, virus scanning, tagging, forwarding) — full audit logging throughout
- Common use cases: B2B data exchange (AS2 is commonly used in finance), supplier report uploads, internal employee web uploads to S3
AWS DataSync
DataSync is a high-speed tool for migrating TB/PB-scale data between systems — more focused on large-scale data movement than Transfer Family, which is designed for external user uploads.
- Compatible sources and destinations:
  - On-premises: NFS, SMB, HDFS, on-premises object storage
  - AWS: S3, EFS, various Amazon FSx options
  - Other clouds: Google Cloud, Azure, Alibaba, IBM
- Common use cases:
  - Large-scale data migration: Shut down on-premises data centers and rapidly move data to AWS
  - Cold data archival: Move old files to S3 Glacier to free up expensive local storage
  - Backup and disaster recovery: Regularly replicate data to AWS
  - Cloud compute: Generate data locally (e.g., genome sequencing), transfer to AWS for machine learning, then retrieve results
- Core advantages:
  - Speed: Multi-threaded parallel processing — tens of times faster than traditional open-source tools
  - Security: End-to-end encryption + data integrity verification (per-file checksum) + VPC Endpoint support for private network transfer
  - Fully automated: Configure source, destination, and schedule — runs automatically with no underlying server management
Quick Review
| Service | Positioning |
|---|---|
| Control Tower | Compliance management and automated account factory for multi-account environments |
| Config | Track resource change history, debug issues, and support compliance auditing |
| Outposts | Physically bring AWS compute capabilities on-premises for ultra-low latency |
| Elastic Beanstalk | PaaS — upload code and all infrastructure is automatically deployed |
| Transfer Family | Let external partners transfer files to S3/EFS via FTP seamlessly |
| DataSync | High-speed TB/PB-scale data transfer between systems with integrity verification |
