Final StretchOrdered learning track

Production Readiness Final Review

Learn AWS Application and Database - Part 096

Final production readiness review for AWS application and database systems: invariants, API, queue, event, workflow, database, cache, migration, observability, DR, cost, and operational sign-off.

16 min read3128 words
Prev
Finish
Lesson 9696 lesson track80–96 Final Stretch
#aws#production-readiness#operational-readiness#well-architected+5 more

Part 096 — Production Readiness Final Review

Ini part terakhir seri.

Tujuannya bukan menambah service baru.

Tujuannya adalah memastikan semua yang sudah dipelajari bisa dipakai untuk menjawab satu pertanyaan production:

Apakah sistem ini siap menerima traffic nyata, gagal secara terkendali, dipulihkan dengan bukti, dan dievolusi tanpa kehilangan correctness?

Production readiness bukan checklist kosmetik.

Production readiness adalah argumentasi teknis yang bisa diaudit.


1. The Final System Map

Sistem application + database di AWS biasanya terlihat seperti ini:

The production question is not “does every box exist?”

The production question is:

  • what invariant does each box protect,
  • what happens when it fails,
  • who owns recovery,
  • what is the blast radius,
  • how do we prove data correctness after recovery,
  • how do we safely change it later?

2. Production Readiness as Evidence

A production-ready system has evidence for these categories:

CategoryEvidence
Functional correctnessinvariant tests, contract tests, state transition tests
Integration correctnessidempotency, retry, DLQ, replay, ordering decision
Data correctnesssource-of-truth definition, reconciliation, backup restore test
ReliabilityRTO/RPO, failover test, dependency degradation
Operabilitydashboard, alarms, runbook, owner, escalation
Securityleast privilege, encryption, audit trail, data classification
Costcapacity model, cost drivers, guardrails
Change safetydeployment plan, migration strategy, rollback/forward-fix
Complianceevidence retention, auditability, explainability

If you cannot show evidence, it is not ready. It is only hoped ready.


3. Invariants Register

Start with invariants, not services.

Example invariant register:

IDInvariantOwnerEnforcementDetectionRepair
INV-001Case number unique per tenantCase serviceDB unique constraint / conditional writeduplicate scanmerge/void duplicate
INV-002Closed case cannot receive new sanctionCommand handlerstate transition guardreconciliation queryreverse invalid sanction
INV-003Every accepted command has audit eventtransaction + outboxoutbox count mismatchoutbox repair
INV-004Projection eventually matches sourceprojection workerreconciliation jobrebuild projection
INV-005External notification sent at most once per commandside-effect ledgerduplicate checkcompensate/manual review
INV-006Workflow cannot remain pending beyond SLAStep Functions timeout + monitorstuck execution alarmescalate/compensate

A serious readiness review asks:

  • Where is this invariant enforced?
  • Is enforcement atomic?
  • What if enforcement fails after commit?
  • What if the event is duplicated?
  • What if the projection is stale?
  • What if the workflow is replayed?
  • How do we prove and repair violation?

4. Boundary Review

Every boundary must have an owner and contract.

BoundaryRequired Contract
API → command handlerrequest schema, idempotency, timeout, error model
command handler → databasetransaction boundary, concurrency policy, retry policy
database → outbox/eventatomic publication or recoverable CDC
event bus → consumerschema version, filtering, DLQ, replay behavior
queue → workeridempotent consumer, visibility timeout, backpressure
workflow → participanttask contract, timeout, compensation
source DB → cachestaleness budget, invalidation, fallback
source DB → projectionrebuild, lag SLO, reconciliation
production → operatordashboard, alarm, runbook

Anti-pattern:

"The service owns it".

Better:

Case Service owns command validation and source-of-truth writes.
Projection Worker owns OpenSearch read model freshness and rebuild.
Workflow Orchestrator owns long-running process progress and compensation.
Operations owns incident coordination, but service team owns repair logic.

5. API Readiness

API readiness is not “endpoint returns 200”.

Review:

AreaQuestion
ContractIs OpenAPI/GraphQL schema versioned and tested?
ValidationAre invalid commands rejected before side effect?
IdempotencyAre retries safe for create/update commands?
TimeoutIs timeout budget explicit from client to database?
RetryAre client retries bounded and jittered?
Rate limitAre tenant/global limits configured?
Error modelAre 4xx/409/429/5xx/503/504 semantics stable?
ObservabilityCan we trace one request to DB write/event/workflow?
AuthorizationIs decision checked server-side at command boundary?
RollbackCan old and new app versions coexist?

Minimum API production gates:

  • Idempotency-Key or equivalent for non-trivial commands,
  • correlation ID propagated,
  • request validation exists,
  • structured error shape documented,
  • per-tenant abuse controls exist,
  • load test covers p95/p99 and failure responses,
  • dashboards show latency, error, throttling, dependency failure.

6. Queue Readiness

SQS readiness means the system can absorb work, slow down safely, and recover from bad messages.

Review:

AreaQuestion
Queue typeStandard or FIFO chosen based on ordering need?
Message contractIs schema versioned?
IdempotencyCan duplicate delivery corrupt state?
Visibility timeoutIs it longer than normal processing but not infinite?
DLQDoes max receive count match retry policy?
RedriveIs replay controlled and observable?
BackpressureCan worker concurrency be reduced safely?
Poison messageCan bad message be quarantined without blocking all work?
OrderingIf FIFO, is MessageGroupId designed to avoid hot groups?
Large payloadIs S3 pointer pattern safe and secured?

Production gate:

  • message age alarm,
  • visible backlog alarm,
  • DLQ growth alarm,
  • worker error-rate alarm,
  • replay runbook,
  • idempotency/inbox table,
  • partial batch failure support where applicable.

7. Event Readiness

Event-driven systems fail silently when no one owns the contract.

Review:

AreaQuestion
Event typeIs this a fact, not a command disguised as event?
SourceIs source stable and owned?
Detail typeIs detail-type semantic and versionable?
SchemaIs schema compatible and tested?
RoutingAre rules/filter policies owned and reviewed?
DLQAre important targets protected by DLQ?
ReplayAre consumers replay-safe?
ArchiveIs archive retention intentional?
Cross-accountAre bus policies least-privilege?
ObservabilityCan event be traced from producer to consumer?

Production gate:

  • event envelope standard,
  • schema compatibility CI,
  • consumer idempotency,
  • DLQ and replay path,
  • rule inventory,
  • archive/replay governance,
  • event storm and replay storm runbook.

8. Workflow Readiness

Step Functions readiness means long-running process correctness is explicit.

Review:

AreaQuestion
Workflow typeStandard vs Express justified?
State ownershipWhat is workflow state vs domain state?
Task timeoutDoes every task have timeout/heartbeat?
RetryAre transient vs permanent errors separated?
CompensationIs compensation semantic, not blind rollback?
CallbackAre callback tokens protected and expiring?
IdempotencyAre participants safe under retry/redrive?
VersioningWhat happens to old executions after deployment?
ObservabilityCan an operator understand stuck execution?
CostAre polling loops avoided?

Production gate:

  • state machine reviewed as code,
  • Retry/Catch policies explicit,
  • terminal states meaningful,
  • timeout/heartbeat configured,
  • compensation tested,
  • stuck execution alarm,
  • execution history/logging strategy documented.

9. Database Readiness

Database readiness is not “the table exists”.

Review:

AreaQuestion
Source of truthWhich database owns each entity?
Access patternAre query/write patterns known and tested?
ConsistencyWhich reads require strong consistency?
TransactionWhat is the atomic boundary?
ConcurrencyOptimistic, pessimistic, conditional, or serialized?
UniquenessWhere is uniqueness enforced?
Schema evolutionIs expand-migrate-contract ready?
BackupHas restore been tested?
DRAre RTO/RPO defined and tested?
ObservabilityCan we diagnose latency, lock, hot key, throttling?

9.1 RDS/Aurora gate

  • engine selection ADR,
  • parameter groups reviewed,
  • connection pool sized,
  • RDS Proxy considered/tested if needed,
  • migration lock strategy defined,
  • slow query visibility enabled,
  • wait-event dashboard,
  • backup/PITR restore test,
  • failover test,
  • read replica lag strategy.

9.2 DynamoDB gate

  • access pattern matrix,
  • PK/SK grammar documented,
  • GSI/LSI decision documented,
  • hot key load test,
  • capacity mode justified,
  • throttling alarms,
  • conditional write and transaction failure handling,
  • stream consumer idempotency,
  • backup/restore/export strategy,
  • global table conflict strategy if multi-Region.

9.3 Cache gate

  • cache is not hidden source of truth unless using MemoryDB intentionally,
  • staleness budget defined,
  • invalidation strategy tested,
  • stampede protection,
  • fail-open/fail-closed policy,
  • eviction/memory alarms,
  • reconnect storm mitigation,
  • hot key detection.

9.4 Specialized database gate

  • DocumentDB compatibility tested,
  • Neptune traversal performance tested,
  • Keyspaces partition design validated,
  • Timestream retention/rollup policy defined,
  • OpenSearch treated as projection, not source of truth,
  • rebuild/reconciliation path exists.

10. Migration and Change Readiness

Every production system must change safely.

Review:

Change TypeRequired Plan
API changecompatibility, versioning, deprecation
Event changeschema versioning, replay safety
DB schema changeexpand-migrate-contract
Index changeonline build, query plan validation
Data backfillidempotent, resumable, throttled
Database migrationfull load/CDC/dual run/cutover/rollback
Cache key changenamespace/version strategy
Projection changerebuild and shadow compare
Workflow changeversioning and old execution policy

Production gate:

  • change has owner,
  • rollback/forward-fix chosen,
  • blast radius known,
  • deploy sequence written,
  • validation queries ready,
  • observability ready before deploy,
  • destructive step separated and approved.

11. Disaster Recovery and Recovery Correctness

Backups are not recovery.

Recovery is proven only when restore and validation have been executed.

Review:

AreaQuestion
RTOHow long until service restored?
RPOHow much data loss tolerated?
RestoreHas backup/PITR/snapshot restore been tested?
IntegrityHow is restored data validated?
DependenciesWhich hard dependencies block recovery?
RunbookWho does what during recovery?
CredentialsCan operators access recovery path during identity incident?
ReplayHow are queues/events/workflows handled after restore?
ReconciliationHow are external side effects reconciled?

Important recovery edge cases:

  • database restored to T-15 minutes but SQS still contains messages after T,
  • workflow executions reference state that no longer exists,
  • outbox events replay and duplicate external notification,
  • cache/projection contains data newer than restored source DB,
  • OpenSearch index must be rebuilt,
  • DMS/CDC target lags behind source,
  • global tables have region conflict after failover.

Recovery plan must include dependent state cleanup.


12. Observability Readiness

Observability must answer:

  • is the system healthy,
  • why is it unhealthy,
  • what user/business invariant is at risk,
  • what should an operator do next?

Minimum dashboard sections:

SectionMetrics
APIrequest rate, p50/p95/p99 latency, 4xx/5xx/429/503/504
Commandidempotency hits, conflict rate, validation failure
DatabaseCPU, connections, latency, locks/waits, throttling, replica lag
Queuevisible messages, oldest age, in-flight, DLQ count
Eventfailed invocations, retry attempts, DLQ, rule match count
Workflowexecutions started/succeeded/failed/timed out, stuck age
Cachehit rate, evictions, memory, connections, latency
Projectionlag, rebuild status, mismatch count
Migrationphase, progress, error, validation mismatch
Costrequest units, state transitions, data transfer, storage growth

Alarm design:

  • alert on user impact or invariant risk,
  • avoid unactionable noise,
  • include runbook link,
  • include owner,
  • include dashboard link,
  • include recent deploy/change context.

13. Load, Capacity, and Cost Readiness

Capacity test must reflect real shape, not average traffic.

Test dimensions:

DimensionExample
steady statenormal weekday traffic
peakmonthly filing deadline
burstsudden import/upload
skewone tenant/case hot key
degraded dependencydatabase slower, cache unavailable
replaySQS/EventBridge replay after outage
backfillmigration running during live traffic
failoverAurora/RDS/ElastiCache failover
cold startcache empty, projection rebuild
regional eventcross-region routing/failover

Cost review must identify drivers:

  • API requests,
  • Lambda duration/concurrency,
  • Step Functions state transitions or Express duration,
  • SQS requests,
  • EventBridge events/rules/pipes/scheduler,
  • DynamoDB RCU/WCU/GSI/streams/global tables,
  • RDS/Aurora instance/ACU/I/O/storage/backup,
  • ElastiCache/MemoryDB node/serverless usage,
  • OpenSearch storage/compute/ingest,
  • data transfer,
  • logging volume,
  • snapshot retention.

Guardrails:

  • tenant quotas,
  • max throughput settings where supported,
  • alarms on cost anomaly,
  • per-feature cost attribution,
  • load-shed policy,
  • expensive query review.

14. Security and Compliance Readiness

Application + database security is not only IAM.

Review:

AreaQuestion
IdentityWhich principal can call/write/read?
AuthorizationIs authorization enforced near source-of-truth command?
Least privilegeAre IAM policies scoped to specific resources/actions?
EncryptionAt rest and in transit?
SecretsRotation and runtime access path?
AuditCan we explain who changed what and why?
Data classificationPII/sensitive field handling?
LogsAre secrets/PII redacted?
BackupAre backups protected and retained properly?
DeletionLegal retention vs user deletion reconciled?
Cross-accountEvent bus/resource policies controlled?

For regulatory systems, defensibility requires:

  • immutable or append-only audit trail where needed,
  • actor identity,
  • command reason,
  • previous state,
  • new state,
  • timestamp,
  • correlation ID,
  • decision basis,
  • evidence link,
  • repair/override trail.

15. Incident Runbook Readiness

Minimum runbooks:

IncidentRunbook Must Include
API latency spikedependency isolation, throttle, rollback
DB connection exhaustionpool reduction, RDS Proxy, client kill, failover check
DB lock/deadlockidentify blocker, safe terminate, query fix
DynamoDB throttlingthrottling reason, hot key, capacity/action
SQS backlogworker scale, DB pressure, poison message check
DLQ growthsample, classify, replay/quarantine
EventBridge target failureDLQ/retry/rule inspection
Step Functions stuck workflowexecution search, timeout/compensation
Cache failurefail-open/fail-closed, DB protection
Projection mismatchrebuild/reconcile
Migration failurepause, rollback/forward-fix, validation
Regional degradationtraffic route, data authority, recovery state
Restore neededfreeze, restore, validate, replay/reconcile

Runbook format:

Symptom:
Impact:
Likely causes:
Immediate mitigation:
Diagnostic queries:
Rollback/repair:
Validation after repair:
Escalation:
Customer/compliance note:

16. Launch Readiness Review Template

Use this before production launch or major release.

16.1 System context

Service:
Owner:
On-call:
Business capability:
Critical users:
Dependencies:
Source-of-truth databases:
Derived stores:
Async systems:
External side effects:

16.2 Invariants

Invariant:
Enforced by:
Detection:
Repair:
Evidence:
Residual risk:

16.3 Failure model

Failure:
Expected behavior:
Blast radius:
Alarm:
Runbook:
Test evidence:

16.4 Data readiness

Schema reviewed:
Migration plan:
Backfill plan:
Validation plan:
Restore test date:
RTO/RPO:
Reconciliation owner:

16.5 Go/no-go criteria

Go if:
- critical invariants have enforcement and detection,
- high-severity runbooks tested,
- dashboards/alarms active,
- rollback/forward-fix clear,
- load/capacity evidence accepted,
- security/compliance sign-off complete.

No-go if:
- source of truth unclear,
- destructive migration lacks rollback/restore plan,
- DLQ/replay path missing for critical async work,
- backup restore untested,
- no owner for production incident,
- observability cannot identify user impact.

17. Final Architecture Review Questions

Ask these in the final review.

Correctness

  • What can never be allowed to happen?
  • Where is that enforced?
  • Is enforcement atomic?
  • How do we detect violation?
  • How do we repair violation?

Consistency

  • Which read paths are stale by design?
  • What is the staleness budget?
  • Which state is source of truth?
  • Which state is derived?
  • Can derived state be rebuilt?

Failure

  • What happens if DB write succeeds but response fails?
  • What happens if event publish fails?
  • What happens if message is delivered twice?
  • What happens if workflow times out?
  • What happens if cache is empty or stale?
  • What happens if Region fails?

Operations

  • Which dashboard shows user impact?
  • Which alarm wakes someone up?
  • Which runbook do they follow?
  • Can they safely pause consumers/backfill/replay?
  • Can they prove recovery?

Evolution

  • Can we add a field without breaking old app?
  • Can we change event contract safely?
  • Can we rebuild projection?
  • Can we migrate database with low downtime?
  • Can we roll back or forward-fix?

18. The Top 1% Mental Model

A strong engineer does not ask:

Should we use SQS, EventBridge, Step Functions, Aurora, or DynamoDB?

A strong engineer asks:

What invariant must hold?
What is the access pattern?
Where is the transaction boundary?
What happens under retry?
What happens under duplicate delivery?
What happens under stale read?
What happens under partial failure?
How do we observe, recover, and evolve it?

AWS services are implementation choices.

The real architecture is:

  • boundary,
  • ownership,
  • state,
  • consistency,
  • failure model,
  • recovery,
  • operability,
  • evolution.

If those are clear, service selection becomes disciplined.

If those are unclear, even the best managed service becomes a distributed failure amplifier.


19. Series Completion

This is the final part of the series:

learn-aws-application-database-part-096-production-readiness-final-review.mdx

The series covered:

  • application/database mental model,
  • integration style decision framework,
  • API Gateway and AppSync,
  • SQS,
  • SNS and EventBridge,
  • Step Functions,
  • database selection,
  • RDS and Aurora,
  • Aurora DSQL,
  • DynamoDB,
  • cache and MemoryDB/ElastiCache,
  • specialized databases,
  • database migration,
  • zero-downtime schema change,
  • final production readiness review.

You now have the map.

The next level is not more service memorization.

The next level is building production-grade systems, injecting failures, measuring invariants, and forcing the design to survive reality.


References

Lesson Recap

You just completed lesson 96 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.