AWS Skills Checklist — Complete Guide (2026)
AWS skills checklist for Cloud Practitioner, Solutions Architect, Developer and DevOps. Core services, hands-on projects, learning plan, Azure crossover.

AWS Skills Checklist: What to Actually Master at Every Level in 2026
Most AWS skills lists you find online are a wall of service names. EC2. S3. Lambda. CloudFormation. Fine — but knowing what those services do isn't the same as being able to ship them on a real account under real load. This checklist is built backwards from that gap. Each tier — Cloud Practitioner, Solutions Architect Associate, Developer Associate, DevOps Engineer — has the exact services you need to operate, the projects that prove you can, and the gotchas that catch people in interviews and on the job.
Quick context on how to use it. If you're brand new, start at the Cloud Practitioner tier and don't skip ahead. The services there aren't easier — they're the foundation. Skip them and you'll fail every higher tier because everything in AWS chains back to IAM, billing, and the shared-responsibility model. If you already work in cloud, scan the Associate tiers and identify any service where you can't sketch the architecture in under two minutes. That's your gap. Build a project to close it.
The structure is simple. Each tier names the services to master, the hands-on projects that demonstrate mastery, and the time investment a reasonable adult with a day job can realistically commit. A few honest truths up front. The AWS Free Tier covers 95% of what you need to practice. You don't need a corporate sponsor. You don't need a fancy lab subscription. A real account, a card on file, and a $5/month budget alarm is the entire infrastructure you need. Most people who fail aren't blocked by money — they're blocked by skipping the projects.
One more thing. The AWS careers market in 2026 still pays the highest premiums for people who can prove things — not memorize them. A candidate who walks into an interview with three live URLs to projects they built (static site on S3, serverless API on Lambda, EC2 behind a load balancer) beats someone with three certifications and zero hands-on work, every single time. The checklist below is structured around that bias. Read it. Pick your tier. Build the projects. Get the cert second.
What this checklist isn't: a replacement for the official AWS exam guides. Those still tell you what's on the test. This document tells you what to actually be able to do when someone hands you a console and says "set up the auth, the database, and the CDN by Friday." Two different skill sets. The exam guide gets you certified. This checklist gets you hired and keeps you employed.
If you're transitioning from Azure or GCP, the bottom section maps the equivalent services so you can shortcut the learning curve. EC2 is just a VM. S3 is just blob storage. The naming is different — the concepts are mostly the same. We'll cover the genuine differences (IAM is meaningfully more granular in AWS, networking via VPC has its own learning curve) and the surface-level translations.

Tier 1: AWS Cloud Practitioner — Foundation Skills
Define the AWS Cloud, the value proposition, and the six pillars of the Well-Architected Framework. Know the difference between Regions, Availability Zones, and Edge Locations cold — this trips up half of all candidates.
The shared-responsibility model is the #1 most-tested concept on the CCP exam. Memorize what AWS handles vs what you handle. Know IAM users, groups, roles, policies — and why root account use is always wrong.
Compute (EC2, Lambda, ECS), storage (S3, EBS, EFS, Glacier), databases (RDS, DynamoDB, Aurora), and networking (VPC, Route 53, CloudFront). You don't need to deploy them — you need to know what each one is for.
On-Demand vs Reserved vs Spot vs Savings Plans. AWS Pricing Calculator. AWS Budgets, Cost Explorer, Trusted Advisor. Know which support plan includes what — Basic, Developer, Business, Enterprise. Tested every exam.
Tier 2: AWS Solutions Architect Associate — The Skills That Pay
SAA-C03 is where the salary curve genuinely bends upward. People certified at this tier in 2026 average $130K–$165K base in the U.S., before stock or bonus. The exam is harder than the CCP by a wide margin — 65 questions, 130 minutes, scenario-based, and the wrong answer is usually correct "in a sense" which makes it brutal. Focus your study time on the four services AWS tests obsessively: VPC, S3, EC2, and IAM.
VPC is the single hardest topic on the SAA. You need to design subnets across multiple AZs, route traffic through NAT gateways, set up VPC peering and Transit Gateway, configure security groups vs NACLs (know the stateful vs stateless distinction cold), and understand VPC endpoints for keeping traffic off the public internet. Most failed attempts at this exam come from VPC questions. Build a real VPC from scratch — public and private subnets, NAT gateway, internet gateway, bastion host. Don't move on until you can sketch the diagram from memory.
S3 questions test storage classes (Standard, IA, One-Zone IA, Glacier, Glacier Deep Archive), lifecycle policies, encryption (SSE-S3, SSE-KMS, SSE-C, client-side), versioning, replication (cross-region and same-region), and event notifications. The trick is knowing the cost trade-offs. A Glacier object costs almost nothing to store and a fortune to retrieve. An IA object costs less to store but penalizes you for early deletion. You need to read scenarios and pick the storage class that minimizes total cost over the object lifecycle.
EC2 questions go deep on instance types (general purpose, compute optimized, memory optimized, storage optimized, accelerated computing), pricing models (On-Demand, Reserved, Spot, Dedicated Hosts), Auto Scaling Groups (target tracking, step scaling, scheduled scaling), and load balancers (ALB for HTTP/HTTPS, NLB for TCP/UDP/static IPs, GWLB for third-party appliances). Know when to recommend each. The exam loves "high availability and cost-optimized" — that's almost always ASG with Spot instances behind an ALB across two AZs.
IAM is where you lose points if you're sloppy. Memorize the policy evaluation logic: explicit deny > explicit allow > implicit deny. Know the difference between identity-based policies, resource-based policies (S3 bucket policies, SNS topic policies), permission boundaries, and Service Control Policies (SCPs) at the Organizations level. Trust relationships on roles — STS, AssumeRole, cross-account access — show up in 6–8 questions per exam. Build a real cross-account access setup before you sit the test.
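The evaluation order above, written out as an added example (not AWS code and not part of the original checklist). It is a simplified model of a same-account request that covers identity policies, a permission boundary and SCPs only; resource-based policies, session policies and `Condition` blocks are left out, and the sample policies and ARNs are constructed.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    # IAM treats action names case-insensitively; fnmatch approximates IAM's * and ? wildcards.
    act_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return act_ok and res_ok

def _effects(policies, action, resource):
    """Set of Effect values from every statement that matches the request."""
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
            if _matches(s, action, resource)}

def evaluate(action, resource, identity, boundary=None, scps=None):
    """Return (decision, reason). boundary/scps set to None means that layer is not in use."""
    layers = {"identity policy": identity, "permission boundary": boundary, "SCP": scps}
    # Step 1: an explicit Deny in any layer ends the evaluation.
    for name, policies in layers.items():
        if policies and "Deny" in _effects(policies, action, resource):
            return ("Deny", f"explicit deny in {name}")
    # Step 2: every layer in use must contain an Allow; a missing Allow is an implicit deny.
    for name in ("SCP", "permission boundary", "identity policy"):
        policies = layers[name]
        if policies is not None and "Allow" not in _effects(policies, action, resource):
            return ("Deny", f"implicit deny: no allow in {name}")
    return ("Allow", "allowed by every layer in use")

# Constructed sample policies for a developer role.
IDENTITY = [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                           {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}]
BOUNDARY = [{"Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}]
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]

if __name__ == "__main__":
    requests = [("s3:GetObject", "arn:aws:s3:::app-assets/logo.png"),
                ("s3:DeleteBucket", "arn:aws:s3:::app-assets"),
                ("iam:CreateUser", "arn:aws:iam::111122223333:user/new-user")]
    for action, resource in requests:
        print(action, "->", evaluate(action, resource, IDENTITY, BOUNDARY, SCPS))
```

The `iam:CreateUser` request is the case to study: the identity policy allows it, but the permission boundary has no matching Allow, so the result is an implicit deny.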
The fastest way to prepare is the project route. Build a three-tier web application — VPC with public ALB, private EC2 in an ASG, RDS Multi-AZ in a database subnet. Then add CloudFront in front, Route 53 for DNS, ACM for the certificate, and S3 for static assets. That single architecture covers 60% of the exam's question patterns. Add a backup strategy, a disaster recovery plan, and a cost-optimization pass and you're hitting 80%. The remaining 20% is corner cases and you can study those from practice exams.
10 Core AWS Services You Must Master First
EC2 is virtual machines. Master AMIs, instance types, security groups, EBS volumes, snapshots, key pairs, user data scripts, and the difference between stopping, terminating, and hibernating. Know when to use Reserved vs Spot vs On-Demand. Lambda is serverless functions — know the runtimes, memory/CPU coupling (1,769 MB = 1 vCPU), cold starts, layers, environment variables, and the 15-minute max execution time. These two services anchor almost every modern AWS deployment.
Practical test: spin up an EC2 t3.micro from scratch, SSH in, install nginx, configure a security group, and reach it from your browser. Then deploy a Lambda function that returns "Hello World" via an API Gateway endpoint. Both should take under 30 minutes total once you've done them twice.

Self-Taught AWS vs Bootcamp: The Honest Trade-Off
- + Self-taught using free tier costs under $20/month total — vs $4,000–$15,000 for a bootcamp
- + AWS Skill Builder offers 600+ free digital courses straight from Amazon
- + YouTube channels (FreeCodeCamp, Stéphane Maarek samples, NetworkChuck, Be A Better Dev) cover every cert
- + Build pace fits your job — 5 hours per week works, 20 hours per week works, both reach the same place
- + You keep your AWS account, your projects, and your GitHub portfolio forever — bootcamps don't transfer
- + Hiring managers don't ask which bootcamp you attended — they ask which projects you've shipped
- − No instructor to unblock you when an error message has no obvious fix — Stack Overflow becomes your tutor
- − No cohort accountability — discipline has to come from you, weekly study time has to be defended
- − Bootcamps include career-services help: resume reviews, mock interviews, employer intros — self-taught doesn't
- − Cert exam cost ($150 SAA, $300 DOP) is on you — bootcamps often include a voucher
- − Self-taught learners sometimes skip the boring fundamentals (billing, IAM) and pay for it later
- − No structured curriculum — you have to assemble the path yourself from blogs, courses, and YouTube
Tier 3: AWS Developer Associate Skills Checklist
- ✓ Lambda mastery — handler patterns, environment variables, layers, versions, aliases, concurrency limits, dead-letter queues
- ✓ API Gateway — REST vs HTTP APIs, stages, deployments, authorizers (Lambda, Cognito, IAM), request/response mapping, throttling
- ✓ DynamoDB — partition keys, sort keys, GSI, LSI, query vs scan, capacity modes (provisioned vs on-demand), DAX caching, streams
- ✓ SQS — Standard vs FIFO queues, visibility timeout, long polling, dead-letter queues, batch operations, message attributes
- ✓ SNS — topics, subscriptions, message filtering, fanout pattern, SMS/email/HTTP/SQS/Lambda subscribers
- ✓ Kinesis — Data Streams vs Firehose vs Data Analytics, shards, partition keys, retention period, consumer types (shared vs enhanced fan-out)
- ✓ Step Functions — Standard vs Express workflows, state types (Task, Choice, Parallel, Map, Wait), error handling and retries
- ✓ Cognito — User Pools (auth) vs Identity Pools (federation), JWT tokens, OAuth scopes, MFA, hosted UI
- ✓ CodePipeline + CodeBuild + CodeDeploy — full CI/CD flow, buildspec.yml, appspec.yml, deployment configurations (rolling, blue/green, canary)
- ✓ X-Ray — tracing distributed apps, service maps, annotations vs metadata, sampling rules — required for any production debugging
The 3-Project Rule
If you can ship three real projects on AWS — a static site with S3 + CloudFront, a serverless API with Lambda + API Gateway + DynamoDB, and an EC2 web app behind an ALB with RDS — you've demonstrated 80% of what the Developer Associate and Solutions Architect Associate exams test. Build these in a real account. Pay the $2 it costs. The certs become easy after.
Five Hands-On AWS Projects Every Engineer Should Ship
The hiring market in 2026 rewards builders over memorizers. These five projects are the ones that consistently appear in successful AWS portfolios. They map directly to interview questions, exam scenarios, and real production architectures. Build them in your own AWS account with the free tier — total cost across all five should land under $15.
Project 1: Static website on S3 + CloudFront + Route 53 + ACM. Register a domain (or use a subdomain you already control). Create an S3 bucket configured for static hosting. Upload an HTML/CSS site (a personal landing page works). Add a CloudFront distribution in front of the S3 origin using Origin Access Control. Request a free ACM certificate in us-east-1. Create a Route 53 alias record pointing your domain at the CloudFront distribution. This single project teaches you origins, CDNs, TLS, DNS, and IAM permissions for cross-service access. Expect 3–4 hours the first time, 30 minutes the second.
Project 2: Serverless API with Lambda + API Gateway + DynamoDB. Build a simple to-do API. POST adds a task, GET lists tasks, DELETE removes one. Lambda functions in Python or Node.js, triggered via API Gateway HTTP API, persisting to a DynamoDB table with userId as partition key. Add Cognito for auth — only authenticated users can read or write their own tasks. Deploy through SAM or the Serverless Framework. This teaches you serverless patterns, NoSQL design, auth, and infrastructure as code. 6–8 hours for the full build.
Project 3: EC2 web app behind an Application Load Balancer with RDS Multi-AZ. Launch two EC2 instances across two AZs running a simple Node.js or Flask app. Put them in an Auto Scaling Group behind an ALB. Connect to an RDS MySQL instance in Multi-AZ mode in a private database subnet. Add CloudFront in front of the ALB. Set up CloudWatch alarms for CPU and request count. Force a failover by terminating an EC2 instance and watch the ASG replace it. This is the bread-and-butter three-tier architecture every interviewer expects you to know.
Project 4: Centralized IAM with least-privilege roles. Set up AWS Organizations with two accounts — a "dev" account and a "prod" account. Create IAM roles in prod that can be assumed cross-account from dev with MFA required. Build a permission boundary that limits what any developer role can ever do regardless of attached policies. Write a Service Control Policy at the org level blocking all actions in regions you don't use. This teaches you real-world enterprise IAM that's tested heavily on the Security Specialty exam and asked in every senior interview.
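What the two Project 4 policy documents can look like, with a small check to run before deploying them. This is an added example, not part of the original checklist: the account ID, regions and function names are constructed, and the SCP uses `NotAction` to exempt global services, which goes beyond the "block all actions" wording above.

```python
# Constructed sample documents; account ID and regions are placeholders.
TRUST_POLICY = {  # attached to the role in prod, trusting the dev account
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        # In an Allow statement plain Bool is the right operator: if the key is
        # missing (long-term access keys), the condition fails and the call is refused.
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnusedRegions",
        "Effect": "Deny",
        # Global services are exempted so the deny does not break IAM, STS, DNS or CDN calls.
        "NotAction": ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, trusted_accounts):
    """List problems in a role trust policy: unknown principals and missing MFA."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not arns:
            continue  # service principals are out of scope for this check
        for arn in arns:
            # An AWS principal is a bare account ID or an ARN whose fifth field is the ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == "*":
                findings.append("wildcard principal: any AWS account can assume this role")
            elif account not in trusted_accounts:
                findings.append(f"principal from untrusted account {account}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("MFA not enforced: expected Bool aws:MultiFactorAuthPresent=true")
    return findings

def scp_region_allowlist(scp):
    """Regions left usable by a Deny + StringNotEquals aws:RequestedRegion statement, else None."""
    for stmt in _as_list(scp["Statement"]):
        regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if stmt.get("Effect") == "Deny" and regions:
            return sorted(_as_list(regions))
    return None

if __name__ == "__main__":
    print(trust_policy_findings(TRUST_POLICY, {"111122223333"}))
    print(scp_region_allowlist(REGION_SCP))
```

A trust policy that uses `BoolIfExists` instead of `Bool` is reported as not enforcing MFA, because that operator lets requests through when the MFA key is absent.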
Project 5: Full CI/CD pipeline with CodePipeline + CodeBuild + CodeDeploy. Push code to a GitHub repo. CodePipeline triggers on commit. CodeBuild runs tests and builds a Docker image, pushes to ECR. CodeDeploy deploys to ECS Fargate using a blue/green deployment. Roll back automatically on CloudWatch alarm trip. Add a manual approval gate before prod deployment. This single pipeline demonstrates you can ship production code on AWS — which is what most senior cloud roles actually need.
Document every project with a README, an architecture diagram (use draw.io or Lucidchart), and a short writeup of what you'd improve. Push the IaC to a public GitHub repo. Link them from your resume. Hiring managers click. They click on the README first. Make it good — one paragraph of context, one diagram, the AWS services used as a bulleted list, and a "What I Learned" section that's honest about the gotchas you hit.

Every horror story about AWS bills starts the same way — "I just left a NAT gateway running for a week." Before you launch a single resource, create an AWS Budget with a $5 monthly threshold and an alert at 50%, 75%, and 100%. NAT gateways run $32/month even when idle. RDS Multi-AZ runs $25/month even with no queries. EC2 t3.micro is free for 750 hours/month, but two t3.smalls running 24/7 is $30/month. Free tier protects you only if you stay inside it. The alarm protects you when you forget.
Tier 4: AWS Developer Learning Plan for DevOps Engineer Professional
The Pro-level DevOps cert is the toughest on the AWS roster. 75 questions, 180 minutes, 75% pass mark, scenario-based questions that often have two technically correct answers — you pick the "most operationally sound." It tests your ability to design entire CI/CD pipelines, multi-account governance, automated remediation, and zero-downtime deployments at scale. The salary jump is real — DevOps Pros average $170K–$210K in major U.S. metros in 2026.
Prerequisites: you should already hold the SAA or DVA before attempting this. The Pro exam assumes you know VPC, IAM, EC2, Lambda, and CloudFormation cold. If you don't, take the SAA first. Trying to skip is the most common reason for failure on this exam.
The six study domains: SDLC Automation (22%), Configuration Management & IaC (17%), Resilient Cloud Solutions (15%), Monitoring & Logging (15%), Incident & Event Response (14%), and Security & Compliance (17%). Notice that pure DevOps tooling (CodePipeline, CodeBuild, CodeDeploy) is only one slice — most of the exam is on operational excellence, security, and resilience patterns. Budget 120–160 hours of study, spread over 3–4 months, with 6–10 practice exams in the final week.
The services that drive most exam points: CodePipeline (multi-stage approval flows, cross-region/cross-account), CodeDeploy (blue/green, canary, linear deployment configs), CloudFormation (stack policies, change sets, drift detection, custom resources via Lambda), Systems Manager (Parameter Store, Run Command, Patch Manager, State Manager, Session Manager), Config (rules, conformance packs, remediation), CloudWatch (Synthetics canaries, anomaly detection, EventBridge for automation), and Secrets Manager (rotation Lambda, cross-region replication).
The hardest single topic is multi-account deployments via CodePipeline with cross-account roles and CloudFormation StackSets. Build this scenario in a real two-account org before the exam. Pipeline in your tools account, deploys to dev and prod accounts via cross-account roles, with manual approval before prod. You'll either understand it after building it once or you'll fail the exam — there's no middle ground on this topic.
Practice exams matter more at this tier than at Associate. The official AWS practice questions are too easy. Use Tutorials Dojo (Stéphane Maarek's question bank is also strong) — aim to hit 80%+ on three consecutive practice exams before sitting the real one. Anything lower than that and you'll be guessing on 15+ questions, which usually puts you under the 75% pass line on the actual test.
AWS Careers Crossover: Transferable Skills From AWS to Azure
Cloud engineers who know one major platform can ramp to a second in 6–10 weeks, not the year people assume. The concepts are 80% identical — VMs, blob storage, managed databases, serverless functions, CDN, DNS, IAM. The naming and console UX differ wildly. The actual service capabilities mostly match. Here's the mapping that lets you shortcut the learning curve.
Compute parallel: EC2 maps to Azure Virtual Machines. Both offer general-purpose, compute-optimized, memory-optimized, and GPU instance families. Both have reserved/spot equivalents. Both let you bring your own image. Auto Scaling Groups in AWS map to Virtual Machine Scale Sets in Azure. Lambda maps to Azure Functions (consumption plan = serverless, premium plan = always-warm). ECS maps to Azure Container Instances + Container Apps. EKS maps to AKS. ECR maps to Azure Container Registry.
Storage parallel: S3 maps to Azure Blob Storage. Both offer Hot, Cool, and Archive tiers (AWS adds Standard-IA, One-Zone IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive — six classes total, more granular than Azure's three). Both support lifecycle rules, versioning, encryption at rest, presigned URLs. EBS maps to Azure Managed Disks (HDD, Standard SSD, Premium SSD, Ultra Disk). EFS maps to Azure Files. Glacier maps to Azure Archive Storage.
Database parallel: RDS maps to Azure SQL Database (managed SQL Server) and Azure Database for PostgreSQL/MySQL/MariaDB. DynamoDB maps to Azure Cosmos DB (which is broader — supports NoSQL, SQL, MongoDB, Cassandra, Gremlin APIs). ElastiCache maps to Azure Cache for Redis. Aurora maps loosely to Azure SQL Hyperscale.
Networking parallel: VPC maps to Azure Virtual Network. Subnets map directly. Security Groups map to Network Security Groups (also stateful in Azure, same concept). NAT Gateway maps to Azure NAT Gateway. Route 53 maps to Azure DNS + Traffic Manager. CloudFront maps to Azure Front Door + CDN. ALB/NLB maps to Azure Application Gateway / Load Balancer. The biggest conceptual difference: Azure uses Resource Groups as a logical container for everything in a deployment — AWS doesn't have a true equivalent (tags + CloudFormation stacks come closest).
IAM parallel: IAM maps to Azure RBAC + Azure AD (now called Entra ID). The model is conceptually similar — identities, roles, policies — but Azure ties everything to Entra ID, while AWS IAM is self-contained per account. Cross-account access in AWS via STS AssumeRole maps to multi-tenant apps and managed identities in Azure. Both support MFA, conditional access, and service principals.
What doesn't translate cleanly: AWS Organizations + SCPs is more granular than Azure Management Groups + Azure Policy, but both achieve org-wide governance. CloudFormation maps to ARM templates or Bicep (Bicep is much friendlier — closer to Terraform). EventBridge maps to Event Grid (concept matches but Event Grid is more native to Azure-internal events). The fastest way to ramp on Azure after AWS: spend a weekend rebuilding your S3+CloudFront static site project as Blob Storage + Azure Front Door + Azure DNS. After that one project, 70% of the Azure portal stops feeling foreign.
About the Author
Senior Cloud Architect & Cybersecurity Certification Trainer
Stanford University
David Chen holds a Master of Science in Computer Science from Stanford University and has earned over 25 professional certifications across AWS, Microsoft Azure, Google Cloud, cybersecurity, and enterprise architecture domains. He works as a solutions architect and now focuses on helping IT professionals pass cloud, security, and technical certification exams.