Architectural Decision Engine
Amazon EFS (Elastic File System)
“Shared Linux file system, POSIX compliant, concurrent multi-AZ EC2 access”
Do not choose EBS (Single AZ only, cannot attach across AZs natively) or S3 (Not a POSIX file system).
Amazon FSx for Windows File Server
“Windows infrastructure, SMB protocol, native Active Directory integration, high performance”
Do not choose Amazon EFS. EFS is a Linux-oriented file system served over NFS; it does not speak SMB and is incompatible with native Windows file locking and Active Directory permissions.
AWS Storage Gateway (File Gateway)
“On-premises legacy systems, local cache required for low-latency, standard file protocols (NFS/SMB) backed by S3”
Do not mount FSx or S3 directly over a standard VPN connection. High latency will cause application timeouts; local caching is mandatory.
Amazon Athena
“Analyze historical application logs sitting flat in S3 using ad-hoc serverless standard SQL queries”
Do not provision an EMR Hadoop cluster or spin up an RDS database just to run exploratory read queries on static files.
AWS Snowball Edge Storage Optimized
“Migrate petabytes of data from on-premises data center, constrained outbound network bandwidth, tight timeline”
Do not select AWS DataSync or Site-to-Site VPN. If the network bandwidth is narrow, physical data transport appliances will beat network transit times.
Amazon S3 Object Lock (Compliance Mode)
“Strict regulatory compliance, write-once-read-many (WORM) enforcement, prevent object deletion even by root account”
Do not rely on standard S3 Versioning or bucket policies alone. Compliance Mode enforces hard locks that even the AWS root account cannot override.
AWS Fargate or AWS Lambda
“Highly variable traffic, millisecond scaling requirements, zero operational maintenance, containerized microservices”
Do not choose EC2 with Auto Scaling for near-instantaneous traffic spikes. EC2 instance initialization and bootstrapping take too long to absorb flash spikes.
Elastic Fabric Adapter (EFA)
“High-performance computing (HPC), tightly coupled inter-instance cluster communication, MPI architectures, ultra-low latency”
Do not select a standard Elastic Network Adapter (ENA). ENAs handle typical high-throughput networking but lack the OS-bypass capability required for HPC fabrics.
Application Load Balancer (ALB) [Layer 7]
“Containerized web applications, HTTP/HTTPS routing logic, path-based or host-based microservice distribution”
Do not select Network Load Balancer (NLB) for HTTP header matching or URL routing. NLB operates at Layer 4 and is completely blind to HTTP patterns.
Network Load Balancer (NLB) [Layer 4]
“Ultra-low latency, real-time gaming, UDP traffic protocols, static IP address per Availability Zone required”
Do not select an Application Load Balancer (ALB). An ALB cannot allocate static IPs (its IPs change dynamically) and has no support for raw UDP routing.
NAT Gateway (Deployed in Public Subnet) + Route Table Entry
“Private subnet resources need outbound internet access for patches, must block unsolicited inbound traffic entirely”
Do not deploy a NAT Gateway inside the private subnet itself. It must sit in a public subnet with an explicit route pointing to an Internet Gateway.
VPC Gateway Endpoint (Free for S3 and DynamoDB)
“Private subnet instances require high-volume data fetching from S3, completely eliminate transit costs and routing over internet”
Do not route this traffic through a NAT Gateway or an Interface Endpoint (PrivateLink). Both charge heavy per-GB data processing fees.
AWS Direct Connect (DX)
“Establish dedicated, consistent network performance from corporate office to AWS VPC, bypass public internet entirely”
Do not select AWS Site-to-Site VPN if consistent throughput and deterministic latency are required. VPN traffic traverses the unpredictable public internet.
Amazon Aurora Serverless v2
“Relational SQL application, highly unpredictable traffic patterns, minimize costs during deep utilization drops”
Do not choose provisioned RDS instances. Provisioned instances charge a fixed hourly compute rate 24/7 regardless of actual database activity.
Amazon Aurora Global Databases
“Relational database, multi-region architecture, active-passive disaster recovery (DR) with sub-second cross-region replication latency”
Do not choose RDS Multi-AZ. Multi-AZ is strictly for local high availability within a single region; it provides zero disaster recovery for regional outages.
Amazon DynamoDB + Global Tables
“NoSQL architecture, single-digit millisecond read/write latencies at any scale, global active-active multi-region writes”
Do not use relational databases like Aurora or RDS for high-scale global active-active writes; coordinating distributed transactional locks across regions destroys write performance.
Amazon Redshift
“Massive analytical workloads, complex SQL aggregations across petabytes of historical data, business intelligence warehousing”
Do not use standard OLTP databases like RDS MySQL or PostgreSQL for data warehousing. Complex historical queries will severely choke operational app transactions.
Amazon ElastiCache (Redis OSS / Memcached)
“Accelerate read heavy database workloads, mitigate connection bottlenecks, sub-millisecond response layer”
Do not scale up the instance tier of your primary database to resolve read performance limits. Application-layer caching is significantly more cost-effective.
AWS Organizations + Service Control Policies (SCPs)
“Consolidate multiple AWS accounts, centrally control root permissions, apply restrictive organizational guardrails”
Standard IAM policies cannot restrict an account's root user. SCPs act as a perimeter guardrail that sets the absolute maximum permission ceiling for an entire member account, including its root user (SCPs do not apply to the organization's management account).
AWS Shield Advanced
“Mitigate large-scale volumetric Layer 3/4 DDoS attacks, continuous edge protection, native integration with Route 53 and CloudFront”
AWS WAF is designed for Layer 7 application protection (blocking cross-site scripting or SQL injection), not for mitigating massive network layer saturation attacks.
AWS Secrets Manager
“Store database credentials securely, mandate automatic 30-day password rotation policies, seamless integration with Amazon RDS”
Systems Manager (SSM) Parameter Store can store encrypted strings cleanly, but it has no built-in managed rotation; automatic credential rotation for RDS is a Secrets Manager feature.
Security Group Inbound Rules (Port 22 Alignment)
“Single newly deployed EC2 instance is completely inaccessible over SSH, while all other parallel instances in the same subnet function perfectly”
Do not modify Network ACLs. If a Network ACL were misconfigured at the subnet level, traffic to all existing instances in that boundary would be blocked simultaneously.
AWS KMS (Key Management Service) Customer Managed Keys
“Enforce encryption at rest across storage tiers, meet strict compliance for cryptographic isolation, support automatic yearly key rotation”
Do not select CloudHSM unless dedicated, single-tenant hardware crypto tokens are explicitly demanded by the business architecture.
Amazon SQS (Simple Queue Service)
“Asynchronously decouple application tiers, prevent message drops, support independent scaling of workers absorbing spikes”
Do not choose Amazon SNS for asynchronous processing worker pools. SNS is a transient push notification engine; it does not persistently queue messages if workers are offline.
Amazon SNS (Simple Notification Service)
“Broadcast single events or transactions to multiple distinct downstream consumer systems simultaneously (fan-out pattern)”
Amazon SQS cannot natively broadcast a single message to multiple queues simultaneously. You must front the architecture with an SNS topic to fan-out to SQS queues.
Amazon Kinesis Data Firehose
“Real-time high-velocity data streaming ingestion, zero consumer app maintenance, deliver directly into S3, Redshift, or OpenSearch”
Do not select Kinesis Data Streams if you need automated destination delivery. Data Streams requires developing and operating custom consumer code on EC2/Lambda.
Amazon EventBridge (CloudWatch Events)
“Microservices architecture, decouple applications using an event-driven system with rule-based routing filters from SaaS providers”
Do not use standard SQS or SNS if complex JSON structural routing rules or direct integrations with external third-party SaaS APIs are required.
Amazon CloudFront + Origin Access Control (OAC)
“Secure edge data delivery, serve private S3 bucket media assets globally, reject direct bucket unauthenticated paths completely”
Do not use S3 Presigned URLs if you must protect edge caching. Presigned URLs route users directly to the S3 bucket regional endpoint, bypassing the CDN tier.
AWS Global Accelerator
“Globally distributed user base, high network latency running database queries over the internet, accelerate the routing path onto the AWS backbone infrastructure”
Do not choose CloudFront if you are accelerating non-HTTP data or bidirectional TCP/UDP traffic layers like remote gaming or database connection protocols.