Never Do This

AWS Exam Anti-Patterns

7 design choices that AWS certification exams explicitly mark as WRONG. If you see one in an answer, eliminate it.

Multi-AZ ALWAYS for HA

AVOID | HA/DR
Anti-pattern: Deploying 2 EC2 instances in the same AZ behind a load balancer.
What to do instead: For any production workload requiring high availability, deploy across at least two Availability Zones.
Why it matters: Single-AZ deployments fail when the AZ fails. Multi-AZ is the cheapest path to HA within a region.
Correct: RDS Multi-AZ, ALB with targets in 2+ AZs, Auto Scaling across AZs

Keep app servers stateless

AVOID | HA/DR
Anti-pattern: Sticky sessions tied to a specific EC2 instance.
What to do instead: Store session and state outside compute (ElastiCache, DynamoDB, S3), not on EC2 local disk.
Why it matters: Stateless servers can scale horizontally and be replaced freely. State kept on an instance is lost when that instance is replaced, which ties scaling decisions to data loss.
Correct: Session data in ElastiCache Redis with TTL

Never hardcode secrets

AVOID | Security
Anti-pattern: AWS_SECRET_ACCESS_KEY in a Lambda environment variable or a .env file committed to Git.
What to do instead: Never put secrets in code, environment variables, or Git. Use Secrets Manager or Parameter Store.
Why it matters: Hardcoded secrets = compromised on first leak, rotation impossible, audit trail missing.
Correct: Secrets Manager with automatic RDS password rotation

Prefer IAM roles over access keys

AVOID | Security
Anti-pattern: Storing aws_access_key_id in ~/.aws/credentials on EC2.
What to do instead: Use IAM roles for AWS service-to-service access. Reserve access keys for external integrations only.
Why it matters: Role credentials are temporary STS credentials that are rotated automatically. Long-lived access keys are the #1 credential compromise vector.
Correct: EC2 instance profile with IAM role, NOT access keys on disk

Least privilege, always

AVOID | Security
Anti-pattern: `"Action": "*"` or `"Resource": "*"` in production IAM policies.
What to do instead: Grant only the permissions required, nothing more. Start restrictive and loosen as needed.
Why it matters: Over-permissive policies widen the blast radius if credentials leak.
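An added example, not code from the original page: a small Python check that flags the wildcard anti-pattern in an IAM policy document, with a constructed over-permissive policy beside its least-privilege replacement. It goes slightly beyond the page's bare `*` case by also reporting service-wide `svc:*` actions.

```python
# Constructed sample policy documents (not taken from any real account).
# The exam anti-pattern: wildcard Action and Resource in an Allow statement.
OVERPERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The least-privilege form: one action on one bucket prefix.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/reports/*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """One finding per wildcard Action or Resource in an Allow statement.

    A bare '*' is the exam anti-pattern; a service-wide 'svc:*' (e.g. 's3:*')
    is reported as well, as a milder form of the same problem.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on '*' is a guardrail, not an over-grant
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"Statement[{i}]: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"Statement[{i}]: Action '{action}' allows a whole service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"Statement[{i}]: Resource '*' applies to every resource")
    return findings
```

A few actions (for example s3:ListAllMyBuckets) do not support resource-level permissions and legitimately need `"Resource": "*"`, so treat findings as items to review rather than automatic failures.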

Databases in private subnets only

AVOID | Security
Anti-pattern: RDS instance with a public IP and a 0.0.0.0/0 security group rule.
What to do instead: Databases and internal services live in PRIVATE subnets. Only LBs and bastions are in public subnets.
Why it matters: Public databases = public attack surface. Period.

Design DynamoDB partition keys for uniform distribution

AVOID | Performance
Anti-pattern: Using a timestamp or status='active' as the partition key.
What to do instead: Use high-cardinality, evenly distributed partition keys. Hot partitions throttle everything.
Why it matters: The exam loves this: a hot partition is a design flaw and a classic exam trap.

See anti-patterns in action

Our practice questions teach you to spot anti-patterns in answer choices, not just memorize facts. Train the instinct to eliminate wrong answers fast.