How to pass the Provyn AWS fundamentals assessment

What the assessment tests

The AWS assessment is scenario-based. You are given a workload description and asked which combination of services, configurations, and policies satisfies the requirements. It is not about knowing every service — it is about knowing how the core services interact.

IAM is the highest-weighted area. Every AWS architecture involves IAM decisions. Know least-privilege, know the difference between identity-based and resource-based policies, and know when to use roles versus users.

IAM: the most tested area

Least-privilege means granting only the permissions the principal needs to do its job. The assessment will show you a policy and ask what is wrong with it — usually it is either too broad (s3:*) or it allows the wrong action on the wrong resource.

Roles are for applications and services. When a Lambda function needs to read from an S3 bucket, give it a role with s3:GetObject on that bucket — not an IAM user with access keys baked into the code. The assessment will ask you to identify the correct approach; access keys in application code is always wrong.

Compute: Lambda vs EC2 vs Fargate

Lambda for short-lived, event-driven, bursty workloads. EC2 for long-running processes, persistent state, or workloads that need GPU or specific instance types. Fargate (ECS/EKS without managing instances) for containerised workloads where you want managed scaling without maintaining a fleet.

Lambda cold starts are the trap. If a question asks about latency-sensitive workloads with infrequent invocations, Lambda with provisioned concurrency is the right answer — plain Lambda will cold-start and miss the latency budget.

Storage: S3 vs EBS vs EFS

S3 for object storage, web assets, data lake input/output, and anything accessed via HTTP or the AWS SDK. EBS for block storage attached to a single EC2 instance — databases, file systems, anything that needs low-latency disk I/O. EFS for shared file storage accessed by multiple EC2 instances simultaneously.

S3 storage classes: Standard for frequently accessed data, Infrequent Access for data accessed less than once a month, Glacier for archive. Lifecycle policies automate the transition. The assessment will give you a scenario with access frequency and cost requirements and ask which class to use.

Three-day prep plan

Day one: run the practice assessment and note the IAM questions you got wrong. Review AWS IAM policy syntax and the effect/action/resource/condition structure.

Day two: draw an architecture diagram for a three-tier web application on AWS (Route 53 → ALB → EC2 in an auto-scaling group → RDS Multi-AZ). Know what each component does and what failure mode each protects against.

Day three: review VPC networking. Know what a public subnet is, what a private subnet is, and what a NAT Gateway does. The assessment will give you a scenario where an EC2 instance in a private subnet needs to reach the internet — NAT Gateway is the answer.