Every AWS certification preparation guide tells you to "get hands-on experience." Almost none of them tell you specifically what to build, how to avoid bill surprises, and how to structure lab time so it actually improves exam performance rather than just familiarizing you with the console.
This is that guide.
What the Free Tier Actually Covers
AWS Free Tier has three distinct categories that candidates routinely confuse:
Always Free — no expiration, available to all accounts:
Lambda: 1 million requests/month, 400,000 GB-seconds compute time
DynamoDB: 25 GB storage, 25 read capacity units, 25 write capacity units
CloudWatch: 10 custom metrics, 10 alarms, 1 million API requests
SNS: 1 million publishes
SQS: 1 million requests
Cognito: 50,000 monthly active users (first 50,000)
S3: 5 GB standard storage (Always Free for first 12 months — see below)
12 Months Free — from the date you create your account:
EC2: 750 hours/month of t2.micro or t3.micro (Linux or Windows)
RDS: 750 hours/month of db.t2.micro or db.t3.micro, 20 GB storage
S3: 5 GB Standard storage, 20,000 GET requests, 2,000 PUT requests
CloudFront: 1 TB data transfer out, 10 million HTTP/HTTPS requests
ELB: 750 hours/month
Free Trials — short-term offers on specific services:
SageMaker: 2 months of ml.t3.medium instances
Redshift: 2 months of dc2.large node
What is NOT free:
NAT Gateway: $0.045/hour + $0.045/GB processed — this one surprises people
Data transfer out to the internet: $0.09/GB after 1 GB/month
Elastic IP addresses not associated with a running instance: $0.005/hour
Route 53 hosted zones: $0.50/zone/month
Setting Up Cost Guardrails Before You Start
Before touching a single AWS service for lab work, set these up. They take 10 minutes and have prevented expensive mistakes for countless candidates.
Step 1: Enable billing alerts
Go to the Billing Console → Billing Preferences → enable "Receive Billing Alerts." This allows CloudWatch alarms on billing metrics.
Step 2: Create a billing alarm
CloudWatch → Alarms → Create Alarm → select "Billing" → "Total Estimated Charge" → set threshold at $5 or $10. When you hit that amount, you get an email. Simple, effective.
Step 3: Set an AWS Budget
Budgets → Create Budget → Cost Budget → $20/month. Configure alerts at 80% actual and 100% forecasted. This catches scenarios where billing alarms lag.
Step 4: Enable Cost Explorer
Takes 24 hours to populate. After that, you can see exactly which service is charging you and how much.
With these in place, you can experiment freely without anxiety. The worst outcome is a $10 charge you catch early and fix immediately.
Lab Architecture by Certification
For SAA-C03 (Solutions Architect Associate)
The exam tests architecture judgment. The labs should build architecture intuition.
Lab 1: Three-Tier Web Application (3-4 hours)
Build: Application Load Balancer → EC2 instances in private subnet → RDS MySQL in private subnet. Use security groups to enforce tier isolation (ALB only accepts port 80/443 from internet, EC2 only accepts from ALB, RDS only accepts from EC2).
What you learn: how security groups work in practice, the difference between public and private subnets, how traffic flows through a real application architecture.
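The tier isolation from Lab 1, written as CLI calls (an added example, not part of the original guide): the app and database tiers admit traffic by security-group reference rather than by CIDR, and a check confirms neither is open to 0.0.0.0/0. It assumes the three security groups already exist, the app listens on port 80 and MySQL on 3306; the function names are this example's own.

```shell
#!/bin/sh
# Added example: ALB -> EC2 -> RDS isolation with security-group references.
# Assumptions: the three groups already exist; app port 80, MySQL port 3306.

# allow_from_world SG PORT: internet-facing rule, used for the ALB tier only.
allow_from_world() {
    aws ec2 authorize-security-group-ingress \
        --group-id "$1" --protocol tcp --port "$2" --cidr 0.0.0.0/0
}

# allow_from_sg SG PORT SOURCE_SG: only members of SOURCE_SG may connect.
allow_from_sg() {
    aws ec2 authorize-security-group-ingress \
        --group-id "$1" --protocol tcp --port "$2" --source-group "$3"
}

# lock_down_tiers ALB_SG APP_SG DB_SG
lock_down_tiers() {
    allow_from_world "$1" 80 &&
    allow_from_world "$1" 443 &&
    allow_from_sg "$2" 80 "$1" &&
    allow_from_sg "$3" 3306 "$2"
}

# world_reachable SG: 0 if SG has an inbound rule for 0.0.0.0/0,
# 1 if it has none, 2 if the API call itself failed.
world_reachable() {
    found=$(aws ec2 describe-security-groups --group-ids "$1" \
        --filters Name=ip-permission.cidr,Values=0.0.0.0/0 \
        --query 'SecurityGroups[].GroupId' --output text) || return 2
    [ -n "$found" ]
}

# verify_isolation SG...: prints one finding per exposed group.
# Returns 0 if none are exposed, 1 if any is, 2 (fail closed) on API errors.
verify_isolation() {
    rc=0
    for sg in "$@"; do
        world_reachable "$sg" && st=0 || st=$?
        case $st in
            0) echo "EXPOSED $sg accepts traffic from 0.0.0.0/0"; rc=1 ;;
            1) ;;
            *) echo "ERROR could not inspect $sg" >&2; return 2 ;;
        esac
    done
    return $rc
}

# Usage: sh tiers.sh ALB_SG APP_SG DB_SG
if [ "$#" -eq 3 ]; then
    lock_down_tiers "$1" "$2" "$3" && verify_isolation "$2" "$3"
fi
```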
Lab 2: S3 Static Website with CloudFront (1-2 hours)
Create S3 bucket, enable static website hosting, upload HTML files, create CloudFront distribution pointing to the S3 bucket, configure OAC (Origin Access Control) so S3 is only accessible via CloudFront.
What you learn: why OAC exists, how CloudFront cache invalidation works, the difference between S3 website endpoint and S3 REST API endpoint.
Lab 3: Auto Scaling Under Load (2-3 hours)
Create launch template, Auto Scaling group, Application Load Balancer. Use AWS's own load testing tool or ab (Apache Bench) from a Cloud9 environment to generate load. Watch Auto Scaling respond.
What you learn: scaling policies, cooldown periods, how the ALB health check works with Auto Scaling, what actually happens when an instance fails.
For DVA-C02 (Developer Associate)
Lab 1: Serverless API (3-4 hours)
API Gateway → Lambda → DynamoDB. Build a simple CRUD API. Use Lambda environment variables (not hardcoded credentials). Add X-Ray tracing. View traces in the X-Ray console.
What you learn: Lambda cold starts (look at X-Ray traces), DynamoDB single-table design in practice, how API Gateway integration works.
Lab 2: CI/CD Pipeline (3-4 hours)
CodeCommit (or GitHub) → CodeBuild → CodeDeploy to an EC2 instance or Lambda. Write the buildspec.yml for CodeBuild. Write the appspec.yml for CodeDeploy. Break something in the pipeline and fix it.
What you learn: CodeBuild environment variables, build artifacts, CodeDeploy lifecycle hooks, what happens when a deployment fails.
For SOA-C02 (SysOps Associate)
Lab 1: CloudWatch Agent on EC2 (1-2 hours)
Launch EC2 instance, install and configure CloudWatch Agent, send memory and disk metrics to CloudWatch. Create an alarm on memory utilization over 80%.
What you learn: the CloudWatch Agent configuration file format, the difference between default EC2 metrics and custom metrics, alarm state transitions.
Lab 2: Systems Manager Session Manager (1 hour)
Create EC2 instance with no key pair, no port 22 in security group. Attach an IAM role with AmazonSSMManagedInstanceCore policy. Connect via Session Manager. Run commands.
What you learn: why Session Manager is the correct answer for "access EC2 without opening ports," how instance profiles work in practice.
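The Session Manager lab as CLI calls (an added example, not part of the original guide): an instance profile carrying only AmazonSSMManagedInstanceCore, and a launch that passes no key pair and refuses to proceed if the security group has any inbound rule. It assumes an AMI that ships the SSM Agent (for example Amazon Linux); the function names and the t3.micro choice are this example's own.

```shell
#!/bin/sh
# Added example: EC2 instance with no key pair and no inbound rules,
# reachable only through Systems Manager.
# Assumptions: the AMI ships the SSM Agent; the role/profile name is yours.

# Trust policy: only the EC2 service may assume the role.
TRUST_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
SSM_POLICY_ARN=arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

# create_ssm_profile NAME: role + instance profile with only the SSM policy.
create_ssm_profile() {
    aws iam create-role --role-name "$1" \
        --assume-role-policy-document "$TRUST_POLICY" >/dev/null &&
    aws iam attach-role-policy --role-name "$1" --policy-arn "$SSM_POLICY_ARN" &&
    aws iam create-instance-profile --instance-profile-name "$1" >/dev/null &&
    aws iam add-role-to-instance-profile \
        --instance-profile-name "$1" --role-name "$1"
}

# inbound_rule_count SG: number of inbound rules on the group (want 0).
inbound_rule_count() {
    aws ec2 describe-security-groups --group-ids "$1" \
        --query 'length(SecurityGroups[0].IpPermissions)' --output text
}

# launch_without_ssh AMI SUBNET SG PROFILE: prints the new instance ID.
# Refuses to launch if SG has any inbound rule; never passes --key-name.
launch_without_ssh() {
    rules=$(inbound_rule_count "$3") || return 2
    if [ "$rules" != "0" ]; then
        echo "refusing: $3 has $rules inbound rule(s)" >&2
        return 1
    fi
    aws ec2 run-instances --image-id "$1" --instance-type t3.micro \
        --subnet-id "$2" --security-group-ids "$3" \
        --iam-instance-profile "Name=$4" \
        --query 'Instances[0].InstanceId' --output text
}

# ssm_ping_status INSTANCE: prints Online once the agent has registered.
ssm_ping_status() {
    aws ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].PingStatus' --output text
}

# Usage: sh ssm-lab.sh AMI_ID SUBNET_ID SG_ID PROFILE_NAME
if [ "$#" -eq 4 ]; then
    create_ssm_profile "$4" && launch_without_ssh "$1" "$2" "$3" "$4"
fi
```

Once ssm_ping_status prints Online, connect with `aws ssm start-session --target <instance-id>`; the agent only registers if the instance has outbound HTTPS to the Systems Manager endpoints. IAM changes can take a few seconds to propagate, so a launch immediately after creating the profile may need a retry.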
The Lab Mistake That Creates False Confidence
The most common lab mistake: building things correctly using the console wizard.
Console wizards fill in defaults, show you only the relevant options, and hide the complexity. When the exam asks a question about a specific configuration detail that wizards obscure, candidates who only used wizards are stuck.
Better approach: use the AWS CLI and CloudFormation for labs.
Building a VPC with the CLI teaches you every parameter. You can't click past subnets and route tables — you have to specify them explicitly. The knowledge becomes real because you've had to think about each component.
Example: creating a VPC manually via CLI:
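# Capture each new resource ID so later commands can reference it
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --query Subnet.SubnetId --output text)
IGW_ID=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
aws ec2 attach-internet-gateway --vpc-id "$VPC_ID" --internet-gateway-id "$IGW_ID"
RTB_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
aws ec2 create-route --route-table-id "$RTB_ID" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
# Associate the route table with the subnet; without this the subnet keeps the VPC's main route table
aws ec2 associate-route-table --route-table-id "$RTB_ID" --subnet-id "$SUBNET_ID"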
Each command forces you to understand the relationship between components. When the exam asks about route tables and internet gateways, you understand it structurally, not just conceptually.
Cleaning Up After Labs
This is where candidates create real costs. Launch a NAT Gateway for a lab, forget to delete it, come back in a week to a $7.56 charge. Not catastrophic, but avoidable.
Cleanup checklist after every lab session:
Terminate EC2 instances (stopping doesn't stop EBS charges)
Delete NAT Gateways (the expensive one to forget)
Release Elastic IPs not attached to running instances
Delete load balancers not in use
Check RDS instances are stopped or deleted
Verify CloudWatch dashboards don't reference expensive custom metrics at high resolution
The nuclear option: for sandbox accounts used purely for learning, delete everything with AWS Nuke (an open-source tool) at the end of each study session. Aggressive, but guarantees $0 charges.
Cloudcraft and Lucidchart both integrate with AWS to visualize what you've built before deleting it — useful for documenting lab architectures for future reference.
Lab-to-Exam Translation
Not all lab time produces equal exam improvement. Lucid Nwosu, a cloud architect and AWS Community Builder who has helped hundreds of candidates prepare, advises focusing lab time on services that the exam tests in scenario form — meaning services where the configuration details affect the answer, not just whether the service exists.
High-value lab services for exam preparation:
VPC (routing, security groups, NACLs, endpoints)
IAM (policies, roles, trust relationships)
S3 (bucket policies, ACLs, lifecycle, replication)
Lambda (triggers, environment variables, concurrency, destinations)
CloudFormation (templates, parameters, conditions, outputs)
Low-value lab time for exam purposes:
Spending hours on console navigation you'll never see in an exam
Building elaborate demos that don't exercise exam-relevant configuration details
Re-doing the same lab multiple times without variation
Specific Lab Sequences by Certification Target
Generic "use the AWS console" advice doesn't map to exam objectives. These targeted lab sequences build the exact knowledge each certification tests.
For AWS Cloud Practitioner (CLF-C02)
CCP is conceptual, but labs dramatically accelerate understanding. Complete these in sequence:
Launch an EC2 instance — choose an instance type, select an AMI, configure security groups, connect via SSH. Understand what each step involves.
Create an S3 bucket — configure public access settings, upload a file, enable versioning, set a lifecycle policy. This builds understanding of S3's durability model.
Set up a CloudWatch alarm — create a CPU utilization alarm on your EC2 instance, configure an SNS notification. This demonstrates monitoring and alerting in practice.
Create an IAM user with limited permissions — create a user, attach a policy, verify the user cannot perform actions the policy doesn't allow. This makes IAM concepts concrete.
Total lab time: 3-5 hours. CCP labs are primarily for building intuition — the exam tests concepts, but concepts learned through practical experience stick longer.
For AWS Solutions Architect Associate (SAA-C03)
SAA labs must cover the three heaviest domains: resilient architectures, high-performing architectures, and secure applications. Each of these lab sequences takes 2-4 hours:
Resilience lab: deploy a web application behind an Application Load Balancer with EC2 instances in two Availability Zones. Configure the ALB health checks. Terminate one instance and verify the ALB routes traffic to the remaining instance. Then restore it. This makes Multi-AZ and load balancing concrete.
VPC networking lab: create a custom VPC with public and private subnets in two AZs. Deploy an EC2 instance in each subnet type. Configure a NAT Gateway for the private subnet. Verify internet access from the private subnet routes through NAT. This is exactly what the SAA exam tests in VPC questions.
S3 cross-region replication lab: create two S3 buckets in different regions, configure cross-region replication, upload files, and verify replication. Then test bucket policies for cross-account access. S3 appears on every SAA exam in multiple questions.
RDS Multi-AZ vs Read Replica lab: create an RDS MySQL instance with Multi-AZ enabled. Examine the standby replica. Create a Read Replica in a different region. Understand what failover looks like vs read replica promotion. This distinction appears on virtually every SAA exam.
For AWS DevOps Engineer Professional (DOP-C02)
DOP labs should focus on the two highest-weighted domains: SDLC Automation (22%) and Configuration Management/IaC (17%).
CodePipeline lab: create a full pipeline from CodeCommit (source) through CodeBuild (build) to CodeDeploy (deploy to EC2). Trigger the pipeline, watch it execute, introduce a build failure, observe the pipeline behavior. Understanding pipeline failure modes is specifically tested.
CloudFormation advanced lab: write a template with custom resources (Lambda-backed), nested stacks, and condition functions. Deploy the stack, update it with a change that requires replacement vs in-place update, observe the behavior. CloudFormation update behavior is heavily tested on DOP-C02.
SSM Run Command lab: use AWS Systems Manager Run Command to execute a shell script across a fleet of EC2 instances. This is the exam's preferred approach for fleet-wide operational tasks — it appears as the correct answer for many "how do you run this command on 500 instances" scenarios.
Avoiding Free Tier Billing Surprises
The most common reason candidates don't lab enough is fear of unexpected charges. This fear is reasonable — AWS billing can be confusing — but manageable with specific precautions.
The $5 budget alert: in the AWS Billing console, create a budget for $5 per month with email notification at 50% and 100%. This alerts you before meaningful charges accumulate. Enable it the moment you create your AWS account.
The daily cleanup habit: build a cleanup step into every lab session. Before logging out:
Terminate EC2 instances (stopped instances still charge for storage)
Delete NAT Gateways (these are the most common source of unexpected charges at ~$32/month if left running)
Delete Elastic IP addresses not attached to running instances
Delete RDS instances you've finished with
Services that generate charges even when "not in use":
NAT Gateways: $0.045/hour plus data transfer
Elastic IPs not associated with running instances: $0.005/hour
RDS instances in stopped state: still charged for storage
Elastic Load Balancers: $0.008/LCU hour even with no traffic
The CloudFormation cleanup advantage: for complex multi-resource labs, using CloudFormation templates means you can delete the entire stack with one command, ensuring no resources are left running. Build CloudFormation templates for your labs even if you're not studying CloudFormation specifically.
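A read-only audit covering the cleanup checklists above (an added example, not part of the original guide): it lists NAT Gateways, unassociated Elastic IPs, EC2 instances that are not terminated, load balancers and RDS instances still present in one region. It assumes a single lab region passed as the first argument; the function names are this example's own.

```shell
#!/bin/sh
# Added example: list leftover billable resources in one region (read-only).
# Assumption: all lab resources live in the region given as $1.

# ids ARGS...: run one describe call, print one ID per line.
# Fails if the API call fails, so an error is never reported as "clean".
ids() {
    out=$(aws "$@" --output text) || return 1
    for id in $out; do echo "$id"; done
}

nat_gateways() {
    ids ec2 describe-nat-gateways --region "$1" \
        --filter Name=state,Values=pending,available \
        --query 'NatGateways[].NatGatewayId'
}
unattached_eips() {
    ids ec2 describe-addresses --region "$1" \
        --query 'Addresses[?AssociationId==`null`].AllocationId'
}
instances() {   # stopped instances count: their EBS volumes still bill
    ids ec2 describe-instances --region "$1" \
        --filters Name=instance-state-name,Values=pending,running,stopping,stopped \
        --query 'Reservations[].Instances[].InstanceId'
}
load_balancers() {
    ids elbv2 describe-load-balancers --region "$1" \
        --query 'LoadBalancers[].LoadBalancerName'
}
rds_instances() {
    ids rds describe-db-instances --region "$1" \
        --query 'DBInstances[].DBInstanceIdentifier'
}

# audit_region REGION: prints "<kind> <id>" per leftover resource.
# Returns 0 if the region is clean, 1 if leftovers exist, 2 on API failure.
audit_region() {
    leftovers=0
    for kind in nat_gateways unattached_eips instances load_balancers rds_instances; do
        if found=$($kind "$1"); then
            for id in $found; do
                echo "$kind $id"
                leftovers=1
            done
        else
            echo "ERROR $kind lookup failed in $1" >&2
            return 2
        fi
    done
    return $leftovers
}

# Usage: sh audit.sh us-east-1
if [ "$#" -eq 1 ]; then
    audit_region "$1"
fi
```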
Cost Monitoring Setup: Step-by-Step Walkthrough
Setting up cost monitoring before your first lab session takes 15 minutes and prevents the anxiety that stops candidates from doing enough hands-on practice.
Step 1: Enable billing data in CloudWatch
In the AWS console, navigate to the Billing and Cost Management console → Billing Preferences. Check "Receive Billing Alerts." Without this enabled, CloudWatch cannot access billing metrics.
Important: billing metrics only appear in the us-east-1 (N. Virginia) region. If you create a CloudWatch alarm for billing, create it in us-east-1 regardless of where you're building your labs.
Step 2: Create a $10 billing alarm
In CloudWatch (us-east-1) → Alarms → Create Alarm → Select metric → Billing → Total Estimated Charge → USD. Set threshold: Static, Greater than, $10.00. Configure SNS notification with your email address. Name the alarm "TotalBillingAlert-$10."
This alarm fires when your total AWS charges for the current month exceed $10. For most lab usage, $10/month is a reasonable upper bound — if you're hitting $10, either you have a runaway resource or you're doing extensive work and should review what's running.
Step 3: Set a Cost Explorer budget
AWS Budgets (in the Billing console) → Create Budget → Cost Budget. Monthly budget: $20. Alert thresholds: 80% actual ($16), 100% actual ($20), 100% forecasted ($20 projected but not yet spent). Add email notification.
The reason for both CloudWatch alarm AND Budgets: they have different latency. CloudWatch billing alarms update approximately every 6 hours. Budgets update once per day. Having both gives faster detection (CloudWatch) and a daily summary view (Budgets).
Step 4: Enable Cost Explorer
Cost Management → Cost Explorer → Enable. Takes 24 hours to populate with initial data. After that, you can view spending by service, by day, by tag. When you see unexpected charges, Cost Explorer shows which service generated them and on which day — making diagnosis fast.
Step 5: Tag lab resources
When creating resources for labs, add a tag: Key = Purpose, Value = CertificationLab. You can filter Cost Explorer by this tag to see exactly what your lab work costs separately from any other AWS usage. For candidates with existing AWS accounts, this isolation is essential.
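Steps 2 and 3 of this walkthrough (and of the shorter guardrail list earlier in the guide) as CLI calls, added here as an example that is not part of the original guide: the alarm and its SNS topic are pinned to us-east-1, and the budget carries the 80% actual, 100% actual and 100% forecasted alerts. It assumes "Receive Billing Alerts" is already enabled; the topic name lab-billing-alerts, the budget name lab-monthly and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: billing alarm (Step 2) and budget (Step 3) from the CLI.
# Assumptions: billing alerts are enabled (Step 1); names are placeholders.

BILLING_REGION=us-east-1   # billing metrics only exist in this region

# create_alert_topic EMAIL: prints the ARN of an SNS topic subscribed to EMAIL.
create_alert_topic() {
    topic_arn=$(aws sns create-topic --name lab-billing-alerts \
        --region "$BILLING_REGION" --query TopicArn --output text) || return 1
    aws sns subscribe --topic-arn "$topic_arn" --protocol email \
        --notification-endpoint "$1" --region "$BILLING_REGION" >/dev/null || return 1
    echo "$topic_arn"
}

# create_billing_alarm USD_THRESHOLD TOPIC_ARN
# Period 21600 s (6 h) matches how often the billing metric is refreshed.
create_billing_alarm() {
    aws cloudwatch put-metric-alarm \
        --region "$BILLING_REGION" \
        --alarm-name "TotalBillingAlert-\$$1" \
        --namespace AWS/Billing --metric-name EstimatedCharges \
        --dimensions Name=Currency,Value=USD \
        --statistic Maximum --period 21600 --evaluation-periods 1 \
        --threshold "$1" --comparison-operator GreaterThanThreshold \
        --alarm-actions "$2"
}

# budget_notification TYPE PERCENT EMAIL: one notification entry as JSON.
budget_notification() {
    printf '{"Notification":{"NotificationType":"%s","ComparisonOperator":"GREATER_THAN","Threshold":%s,"ThresholdType":"PERCENTAGE"},"Subscribers":[{"SubscriptionType":"EMAIL","Address":"%s"}]}' "$1" "$2" "$3"
}

# create_lab_budget USD_LIMIT EMAIL: monthly cost budget with three alerts.
create_lab_budget() {
    account_id=$(aws sts get-caller-identity --query Account --output text) || return 1
    aws budgets create-budget --account-id "$account_id" \
        --budget "{\"BudgetName\":\"lab-monthly\",\"BudgetLimit\":{\"Amount\":\"$1\",\"Unit\":\"USD\"},\"TimeUnit\":\"MONTHLY\",\"BudgetType\":\"COST\"}" \
        --notifications-with-subscribers "[$(budget_notification ACTUAL 80 "$2"),$(budget_notification ACTUAL 100 "$2"),$(budget_notification FORECASTED 100 "$2")]"
}

# Usage: sh guardrails.sh you@example.com
if [ "$#" -eq 1 ]; then
    arn=$(create_alert_topic "$1") &&
    create_billing_alarm 10 "$arn" &&
    create_lab_budget 20 "$1"
fi
```

The SNS email subscription stays pending until you click the confirmation link in the message AWS sends, and no alarm mail is delivered before that.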
Services With Hidden Costs That Catch Candidates Off-Guard
The free tier documentation lists what's free. It doesn't prominently display what generates charges before candidates realize it.
NAT Gateway — the most common billing surprise
NAT Gateway costs $0.045/hour plus $0.045 per GB processed. If you create a NAT Gateway for a lab (they're part of many standard architectures) and forget to delete it, the hourly charge accumulates: $0.045 × 24 × 30 = $32.40/month per NAT Gateway.
Candidates who build the three-tier VPC lab (a standard SAA-C03 lab topology) are especially at risk because NAT Gateway is required for private subnet outbound connectivity. Build the habit: every time you finish a lab session, delete NAT Gateways first.
Elastic IP addresses not attached to running instances
AWS charges $0.005/hour for Elastic IPs that are allocated but not associated with a running instance. This seems small — but if you allocate an EIP for a lab, stop the EC2 instance (not terminate), and log out, you now have an unattached EIP accruing charges at $3.60/month. Multiply by several forgotten EIPs across different labs and it adds up.
Data transfer charges that exceed the free tier
The free tier includes 1 GB/month of data transfer out. Beyond 1 GB, data transfer from EC2 to the internet costs $0.09/GB. For most lab work, you won't hit 1 GB. But candidates who run load testing labs, transfer large datasets, or do S3 transfer labs can exceed this. Monitor your data transfer metrics in Cost Explorer.
RDS instances in "stopped" state still charge for storage
When you stop an RDS instance (not delete), the instance stops accruing hourly compute charges, but you continue paying for the allocated storage ($0.115/GB-month for gp2). A 20 GB RDS instance costs $2.30/month in storage even when stopped. For labs, delete RDS instances when finished unless you have a specific reason to preserve the data.
Tracking EC2 Free Tier Hours
The 12-month free tier provides 750 hours/month of t2.micro or t3.micro. 750 hours/month is exactly enough for ONE instance running 24/7 (24 × 31 = 744 hours). If you run two t2.micro instances simultaneously, you consume 2 × 24 = 48 hours per day instead of 24 — exceeding the monthly allowance in about 15.6 days.
How to track free tier usage:
- Navigate to the Billing console → Free Tier → view the "Free Tier Usage Alerts" table. It shows your current usage vs the monthly limit for each free tier service.
- Enable Free Tier Usage Alerts in Billing Preferences. AWS sends an email when you reach 85% of any free tier limit.
Practical guidance for lab candidates:
Run labs with a single t2.micro or t3.micro at a time
Terminate instances when not actively working (not just stop — terminate)
If you need multiple instances simultaneously for a lab (load balancing lab, Multi-AZ demonstration), plan for that lab to consume multiple hours in a short session and account for the impact on your monthly budget
The free tier hours reset on the first day of each calendar month, not 30 days from your account creation. If your account was created on March 15, your first free tier period covers March 15 - April 14, not calendar months. After the 12-month anniversary, EC2 free tier expires entirely.
"The candidates who get the most from AWS free tier lab work are the ones who treat the cost monitoring setup as part of the lab itself — not an afterthought. Once you've got billing alarms configured and you understand which services charge even when 'idle,' you can experiment freely without the anxiety that comes from uncertainty about your bill." — Lucid Nwosu, AWS Community Builder and cloud architect
References
Amazon Web Services. AWS Free Tier — Service Details. AWS, 2024. https://aws.amazon.com/free/
Amazon Web Services. AWS CloudFormation User Guide. AWS Documentation, 2024. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/
Amazon Web Services. AWS CLI Command Reference. AWS Documentation, 2024. https://docs.aws.amazon.com/cli/latest/reference/
Amazon Web Services. AWS Billing and Cost Management User Guide. AWS Documentation, 2024. https://docs.aws.amazon.com/account-billing/
Nwosu, Lucid. Cloud Architecture on AWS. Independently published, 2023. (Nwosu is an AWS Community Builder and cloud architect with documented contributions to AWS certification community resources)
Cantrill, Adrian. AWS Labs and Demos. learn.cantrill.io, 2024. (Lab-first approach to AWS certification preparation, widely cited in AWS study communities)
Frequently Asked Questions
Can I prepare for AWS certifications using only the free tier?
Yes for most labs. EC2 t2.micro/t3.micro instances get 750 free hours per month in the first 12 months. RDS, Lambda, DynamoDB, and S3 are all covered under free tier. The main charges to watch are NAT Gateway ($0.045/hour), Elastic IPs not attached to running instances, and data transfer out.
How do I avoid unexpected AWS charges during lab practice?
Set up a CloudWatch billing alarm at $5 and an AWS Budget at $20 before starting any lab work. Enable Cost Explorer to see per-service charges. Always delete NAT Gateways, release unused Elastic IPs, and terminate (not stop) EC2 instances after each lab session.
Why is using the AWS CLI better than the console for exam prep?
Console wizards hide configuration details by filling in defaults. Building VPCs, subnets, and route tables via CLI forces you to specify every parameter explicitly, creating deeper understanding of component relationships. Exam questions test specific configuration details that console wizards obscure.
What labs are most valuable for SAA-C03 preparation?
Three-tier web application (ALB + EC2 in private subnet + RDS), S3 static website with CloudFront and Origin Access Control, and Auto Scaling under simulated load. These cover the architectural patterns tested most frequently on SAA-C03.
What is AWS Nuke and should I use it?
AWS Nuke is an open-source tool that deletes all resources in an AWS account. For sandbox accounts used purely for learning, running it at the end of each session guarantees zero charges. It's aggressive but effective for candidates who frequently forget to clean up resources.
