AWS Reference Map

AWS services organized for fast browsing and practical architecture decisions.

This document groups the most-used AWS services by domain, then breaks each area into easy subtopics so you can move from platform overview to specific service choices without hunting through long vendor menus.

9 major service domains
22+ key AWS services covered
2-level topic and subtopic navigation
1 page for quick internal reference

How to use this page

Use the left navigation rail for broad topics, then jump into the linked subtopics beneath each category. The layout is intended for fast scanning during design discussions, documentation reviews, and solution planning.

Launching apps: start with EC2, Lambda, ECS, EKS, API Gateway, and Route 53.
Data-heavy systems: focus on S3, Aurora, DynamoDB, Redshift, Glue, Athena, and Kinesis.
Generative AI apps: review Bedrock for foundation models and SageMaker for custom ML pipelines.
Platform hardening: review IAM, KMS, CloudTrail, WAF, Shield, and Organizations.

Reading legend

Core runtime

Services that run compute, storage, and databases.

Connectivity

Networking, edge delivery, and private access patterns.

Governance

Identity, encryption, logging, and account-level controls.

Data operations

Warehouse, ETL, streaming, and analytical query services.


Compute Services

Choose from virtual machines, serverless functions, and managed container orchestration depending on workload duration, scaling profile, and operational ownership.

Amazon EC2

Elastic Compute Cloud provides resizable virtual machines for workloads that need operating system access, custom networking, or predictable long-running execution.

IaaS, Autoscaling, Reserved / Spot
  • Instance families: general purpose, compute optimized, memory optimized, storage optimized, GPU.
  • Scaling patterns: Auto Scaling Groups, launch templates, mixed on-demand and spot fleets.
  • Common use cases: web servers, legacy apps, batch jobs, stateful services, jump hosts.

AWS Lambda

Serverless event-driven compute for short-lived functions with automatic scaling and no server management, ideal for APIs, event handlers, and automation tasks.

Serverless, Pay per use, Event-driven
  • Invocation models: synchronous via API Gateway, asynchronous via events, poll-based via queues.
  • Operational concerns: cold starts, memory-to-CPU tuning, timeout limits, concurrency controls.
  • Common integrations: S3, EventBridge, SQS, DynamoDB Streams, Step Functions.

Amazon ECS, EKS, and AWS Fargate

Managed container platforms let teams standardize packaging while choosing between AWS-native orchestration, Kubernetes compatibility, and serverless task execution.

Containers, Microservices, Managed orchestration
  • ECS fits teams that want simpler AWS-native scheduling and service management.
  • EKS fits teams that need Kubernetes APIs, custom controllers, or multi-cluster tooling.
  • Fargate removes node management for ECS and EKS workloads with task-level billing.

Elastic Beanstalk and AWS Batch

These services target higher-level deployment automation and queued compute execution for teams that want AWS to manage more of the infrastructure lifecycle.

PaaS, Batch processing
  • Elastic Beanstalk abstracts deployment for common web application stacks.
  • AWS Batch schedules large-scale containerized jobs with queue priorities and compute environments.
  • Useful for scientific workloads, media processing, and scheduled heavy compute tasks.

Storage Services

AWS storage spans object, block, and file abstractions. The right choice depends on access pattern, latency needs, durability requirements, and sharing model.

Amazon S3

Simple Storage Service is the default durable object store for backups, static sites, logs, data lakes, ML datasets, and application assets.

Object storage, 11 9s durability, Lifecycle policies
  • Storage classes: Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier tiers.
  • Common patterns: static hosting, archival, event triggers, presigned downloads, replication.
  • Governance features: bucket policies, versioning, object lock, access logs, encryption.

Amazon EBS, EFS, and FSx

These services cover persistent volumes for instances, shared elastic file systems, and managed file systems optimized for specific operating environments.

Block and file, Shared storage, Managed filesystems
  • EBS attaches block volumes to EC2 for low-latency boot and application disks.
  • EFS provides shared POSIX-style file storage across Linux fleets.
  • FSx offers managed Windows, Lustre, NetApp ONTAP, and OpenZFS variants.

AWS Storage Gateway

Hybrid storage bridge between on-premises systems and AWS storage services for backup, archival, and cloud-backed file or tape workflows.

Hybrid, Migration
  • File Gateway exposes S3-backed file shares.
  • Volume Gateway supports cached or stored block volumes.
  • Tape Gateway modernizes backup workflows with virtual tapes to S3 and Glacier.

AWS Backup

Central policy-driven backup service for coordinating retention and recovery across storage, database, and compute-integrated resources.

Backup policy, Recovery plans
  • Applies centralized schedules, lifecycle retention, and cross-account backup policies.
  • Supports vaults, compliance controls, and backup auditing.
  • Often paired with disaster recovery and ransomware resilience planning.

Database Services

AWS supports relational, key-value, document, graph, ledger, and cache layers. Pick based on consistency needs, access model, and operational overhead.

Amazon RDS and Amazon Aurora

Managed relational database platforms for PostgreSQL, MySQL, MariaDB, SQL Server, and Oracle workloads, with Aurora offering AWS-optimized cloud-native engines.

Relational, Managed backups, Multi-AZ
  • RDS simplifies patching, backups, and failover for mainstream relational engines.
  • Aurora improves storage scalability, replica performance, and failover characteristics.
  • Use for transactional systems, internal business apps, and normalized application data.

Amazon DynamoDB

Fully managed NoSQL key-value and document database built for single-digit millisecond performance at any scale.

NoSQL, Serverless scaling, Streams
  • Design around partition keys, sort keys, and access patterns rather than ad hoc joins.
  • On-demand or provisioned capacity options with auto scaling.
  • Common pairings: Lambda, API Gateway, Global Tables, DynamoDB Streams.

Amazon ElastiCache

Managed Redis and Memcached service for low-latency caching, session storage, rate limiting, and transient data workloads.

Caching, Redis
  • Used to offload hot reads from primary databases.
  • Supports pub/sub, TTL-based eviction, and in-memory data structures with Redis.
  • Critical for latency-sensitive APIs and high-throughput platforms.

Specialized Databases

AWS also provides purpose-built databases such as Neptune for graph, DocumentDB for document models, QLDB for ledgers, and Timestream for time-series metrics.

Graph, Document, Time-series
  • Neptune supports graph traversals and relationship-heavy applications.
  • DocumentDB targets MongoDB-compatible document workloads.
  • Timestream fits IoT, monitoring, and telemetry ingestion scenarios.

Networking and Edge

AWS networking services define connectivity, traffic routing, segmentation, and public edge delivery for cloud-native and hybrid architectures.

Amazon VPC

Virtual Private Cloud is the core network boundary for AWS workloads, giving teams control over IP ranges, subnets, routing, and traffic isolation.

Isolation, Subnets, Route tables
  • Organize public, private, and data subnets across multiple availability zones.
  • Use security groups and network ACLs for layered traffic control.
  • Extend connectivity via VPC peering, Transit Gateway, VPN, and Direct Connect.

Amazon CloudFront and Route 53

These services handle global content delivery, DNS routing, traffic steering, and entry-point optimization for public-facing systems.

CDN, DNS, Global routing
  • CloudFront caches static and dynamic content close to end users.
  • Route 53 supports DNS zones, latency routing, health checks, and failover records.
  • Together they improve availability, performance, and origin shielding.

Elastic Load Balancing

Managed traffic distribution across instances, containers, IPs, and Lambda targets using application, network, and gateway load balancers.

ALB, NLB, Gateway LB
  • ALB is suited to HTTP routing, path-based rules, host routing, and WebSockets.
  • NLB focuses on very high performance and TCP or UDP pass-through.
  • Gateway Load Balancer inserts network appliances inline in traffic paths.

API Gateway and Private Connectivity

API Gateway, PrivateLink, and Direct Connect help expose services cleanly while managing internal and external access boundaries.

APIs, Private access
  • API Gateway fronts REST, HTTP, and WebSocket APIs with auth, throttling, and stages.
  • PrivateLink exposes services privately across VPCs without full network peering.
  • Direct Connect supports dedicated hybrid connectivity from data centers into AWS.

Security, Identity, and Governance

Security services shape how identities are granted access, how data is encrypted, how events are audited, and how threats are blocked at multiple layers.

IAM and IAM Identity Center

Identity and Access Management provides the permission model for AWS accounts, services, roles, and automation, while Identity Center handles workforce access and SSO.

RBAC, Roles, Federation
  • Use roles instead of long-lived users for workloads whenever possible.
  • Apply least privilege with policy boundaries, permission sets, and scoped conditions.
  • Federate enterprise identities to reduce local credential management.

KMS, Secrets Manager, WAF, and Shield

These services protect data, credentials, and public surfaces through encryption key control, secret rotation, web filtering, and DDoS mitigation.

Encryption, Secrets, DDoS and app protection
  • KMS centralizes encryption key creation, access control, and rotation.
  • Secrets Manager stores database passwords, tokens, and API credentials with rotation workflows.
  • WAF and Shield protect internet-facing apps from abusive traffic and attacks.

CloudTrail, Config, GuardDuty, and Security Hub

Governance and detection services collect audit trails, track configuration drift, surface suspicious activity, and centralize security findings.

Audit, Detection, Compliance
  • CloudTrail logs API activity across accounts and regions.
  • Config records resource state and policy compliance over time.
  • GuardDuty and Security Hub improve threat detection and triage consolidation.

AWS Organizations and Control Tower

Account-level governance services standardize multi-account environments using organizational units, service control policies, and baseline landing zones.

Multi-account, Guardrails
  • Organizations defines account hierarchy and centralized constraints.
  • Service Control Policies limit the maximum permissions available in accounts.
  • Control Tower accelerates secure account vending and baseline governance.

Analytics and Data Platform

AWS analytical tooling supports warehousing, ETL pipelines, ad hoc SQL, streaming ingestion, and managed lakehouse patterns built around S3.

Lakehouse Stack: S3, Glue, Athena, Redshift

These services form a common AWS data platform foundation for raw storage, metadata catalogs, ETL jobs, serverless SQL, and warehouse analytics.

Data lake, ETL, Warehouse
  • Glue catalogs datasets and runs Spark-based transformation jobs.
  • Athena queries S3 data directly using serverless SQL.
  • Redshift provides high-performance analytical warehousing and BI integration.

Kinesis, MSK, and Event Streams

Streaming services support real-time event ingestion, buffering, and downstream processing for telemetry, clickstreams, fraud detection, and operational analytics.

Streaming, Real-time analytics
  • Kinesis Data Streams handles shard-based ordered ingestion.
  • Kinesis Firehose delivers managed stream loading into S3, Redshift, and OpenSearch.
  • Amazon MSK offers managed Apache Kafka infrastructure.

EMR and OpenSearch

EMR provides managed big data runtimes while OpenSearch supports indexed search, observability, and log analytics workloads.

Big data, Search analytics
  • EMR runs Spark, Hadoop, Hive, Presto, and related big data frameworks.
  • OpenSearch fits log search, dashboards, text search, and vector-style retrieval patterns.
  • Useful when teams need specialized indexing or distributed compute engines.

QuickSight

Managed business intelligence service for dashboards, embedded analytics, and lightweight self-service reporting on top of AWS and external data sources.

BI, Dashboards
  • Connects to Redshift, Athena, RDS, S3, and other datasets.
  • Supports SPICE in-memory acceleration for fast dashboard performance.
  • Often used by product and operations teams for internal reporting.

AI and Machine Learning

AWS splits AI and ML workflows across two major models: SageMaker for building, training, tuning, and operating custom machine learning systems, and Bedrock for consuming foundation models through managed generative AI APIs.

Amazon SageMaker

SageMaker is AWS's end-to-end managed machine learning platform for data preparation, notebook-based experimentation, training jobs, hyperparameter tuning, model registry workflows, hosted inference, and MLOps automation.

ML platform, Training and inference, MLOps
  • Development layer: Studio, notebooks, processing jobs, and experiment tracking help data scientists move from exploration to reproducible pipelines.
  • Training layer: managed training jobs support distributed training, spot-backed jobs, built-in algorithms, and custom containers.
  • Deployment layer: real-time endpoints, asynchronous inference, batch transform, and serverless inference support different latency and throughput profiles.
  • Governance layer: model registry, pipelines, model monitoring, feature store, and role-based controls support production ML operations.
  • Typical use cases: recommendation systems, fraud models, forecasting, computer vision, custom LLM fine-tuning, and enterprise model hosting.

Amazon Bedrock

Bedrock is AWS's managed generative AI platform for accessing foundation models from multiple providers through a unified API, adding guardrails, knowledge bases, agents, evaluation workflows, and enterprise security controls without managing GPU infrastructure directly.

Generative AI, Foundation models, Managed API layer
  • Model access: use hosted foundation models for text generation, embeddings, multimodal prompts, summarization, and conversational applications.
  • Application layer: build chat systems, copilots, document assistants, and agentic workflows with Bedrock APIs and orchestration features.
  • Safety layer: guardrails apply topic filtering, sensitive-data controls, and response constraints for enterprise-facing applications.
  • Retrieval layer: Knowledge Bases for Bedrock connects embeddings and retrieval workflows to enterprise content for RAG-style systems.
  • Operational fit: best for teams that want fast generative AI delivery without owning model training clusters or low-level inference serving.

When to choose SageMaker vs Bedrock

The choice depends on whether you are building custom predictive models and ML infrastructure or consuming managed foundation models for generative AI experiences.

Decision guide, Architecture choice
  • Choose SageMaker when you need training pipelines, custom data science workflows, model tuning, feature management, or control over deployment strategies.
  • Choose Bedrock when you need ready-to-use LLM and generative AI capabilities, managed inference APIs, RAG building blocks, and safety tooling.
  • Use both together when teams fine-tune or operationalize internal ML assets in SageMaker while exposing generative experiences through Bedrock.

Related AWS AI Services

Beyond SageMaker and Bedrock, AWS offers targeted AI services that solve specific workloads without requiring a full ML platform buildout.

Specialized AI, Managed services
  • Amazon Comprehend, Textract, Rekognition, Polly, and Transcribe address language, OCR, vision, speech, and audio use cases.
  • OpenSearch, Kendra-style retrieval patterns, and vector storage often complement Bedrock-based RAG applications.
  • CloudWatch, IAM, KMS, and VPC networking remain important for securing and observing AI workloads in production.

Application Integration

These services connect distributed systems through messaging, event buses, and workflow orchestration so applications can scale beyond synchronous request chains.

SQS and SNS

Core messaging primitives for decoupling systems, buffering spikes, broadcasting notifications, and building resilient asynchronous architectures.

Queues, Pub/Sub, Decoupling
  • SQS provides durable queues with standard and FIFO delivery models.
  • SNS fans events out to multiple subscribers such as Lambda, email, HTTP, and queues.
  • A common pattern is SNS to multiple SQS queues for consumer isolation.

Step Functions and EventBridge

Workflow and event routing services help model business processes, connect AWS services, and coordinate retries, branching, and scheduled automations.

State machines, Event bus
  • Step Functions orchestrates long-running flows with retries, waits, and compensation paths.
  • EventBridge routes events across AWS services, SaaS apps, and custom producers.
  • Useful for audit pipelines, ETL workflows, and multi-step operational processes.

Amazon MQ and AppFlow

Managed brokers and data movement tools help teams integrate with legacy messaging protocols and external SaaS systems when modern event buses are not enough.

Integration, SaaS data movement
  • Amazon MQ supports ActiveMQ and RabbitMQ-compatible broker use cases.
  • AppFlow connects AWS services with applications such as Salesforce and Slack.
  • These fit migration-heavy or enterprise integration programs.

API-Led Event Architecture

In practice, AWS application integration often combines API Gateway, Lambda, queues, and event routing to separate user traffic from backend processing.

Async design, Resilience
  • Front-end APIs remain responsive while heavy work moves to queues or workflows.
  • Retries and dead-letter queues improve reliability under failure or partial outage.
  • Observability becomes easier when each event boundary is explicit.

Management, Observability, and DevOps

This layer covers provisioning, monitoring, deployments, systems management, and operational controls for running AWS estates at scale.

CloudWatch and X-Ray

Operational telemetry services for metrics, logs, dashboards, alarms, and distributed tracing across applications and infrastructure.

Monitoring, Logs, Tracing
  • CloudWatch aggregates infrastructure and application metrics with alerting thresholds.
  • Log groups centralize app and service logs for query and retention management.
  • X-Ray helps inspect request traces across service boundaries.

CloudFormation, CDK, and Terraform

Infrastructure as code tools define AWS resources declaratively so environments can be recreated, versioned, and reviewed like application code.

IaC, Repeatability
  • CloudFormation is AWS-native resource provisioning with stack-based lifecycle control.
  • CDK raises abstraction with familiar programming languages that synthesize to CloudFormation.
  • Terraform is common in multi-cloud estates or teams standardizing on a shared IaC toolchain.

CodePipeline, CodeBuild, and CodeDeploy

Native CI/CD services automate build pipelines, artifact packaging, test stages, and application deployment into AWS targets.

CI/CD, Deployment
  • CodeBuild runs managed build jobs without maintaining separate build servers.
  • CodePipeline chains together source, test, approval, and deployment stages.
  • CodeDeploy manages application rollouts for EC2, Lambda, and container targets.

Systems Manager and Trusted Advisor

Operational tooling for patching, remote commands, inventory, parameter storage, and high-level optimization recommendations.

Ops automation, Cost and posture
  • Systems Manager supports remote execution, patch baselines, session access, and parameters.
  • Trusted Advisor highlights cost, availability, security, and performance improvements.
  • Useful for standardizing fleet maintenance across many accounts and instances.