AWS 2018 Exam Outline

Outline for the Amazon Certified Solutions Architect (Associate) exam

Posted on December 13, 2018 by Ernesto Garbarino

Introduction

This is a rather rough outline that contains key points relevant to the Amazon Certified Solutions Architect (Associate) exam. My source material was primarily the A Cloud Guru course and the AWS documentation.

Note: Items with a bracketed exclamation mark (!) have consistently appeared on mock exams.

Installation of the AWS CLI tool

# install
pip install awscli

# authenticate
# create user on console to get Access Key Id/Secret
aws configure

Saved Configuration

# the credentials and config files written by `aws configure` live in ~/.aws
$ cd ~/.aws
$ ls -la

Application Services

Simple Queue Service (SQS)

Simple Workflow Service (SWF)

Queue Types

Amazon SNS

Elastic Transcoder

API Gateway

Kinesis

Kinesis Streams

Kinesis Firehose

Kinesis Analytics

Simple E-Mail Service (SES)

Similar to SendGrid

Cross Account Access

Cloud Front

CloudWatch & CloudTrail

CloudWatch

CloudTrail

CloudTrail is for auditing (e.g. user john created an S3 bucket) rather than monitoring; it is not the same as CloudWatch.

Consolidated Billing

Databases

Elasticache

Amazon managed service for in-memory caching:

Amazon RDS

For provisioned IOPS SSD Storage (io1), the following ranges apply:

Database                     IOPS     Storage
MariaDB, MySQL, PostgreSQL   1k-40k   100GiB-32TiB
SQL Server Web/Express       1k-32k   100GiB-16TiB
SQL Server Standard/EE       1k-32k   20GiB-16TiB
Oracle                       1k-40k   100GiB-32TiB

Automated Backups

Encryption

Multi-AZ Replication

Read Replica

Troubleshooting

Troubleshooting Amazon RDS using Error Node responses

use XML::XPath;

# $response holds the XML body returned by the RDS API call
my $xp = XML::XPath->new(xml => $response);
if ( $xp->find("//Error") ) {
    print "There was an error processing your request:\n",
          " Error code: ", $xp->findvalue("//Error[1]/Code"), "\n",
          " ", $xp->findvalue("//Error[1]/Message"), "\n\n";
}

DynamoDB

Consistency Model (!)

RedShift

Aurora

Microsoft SQL Server

MySQL Connection Example from EC2

mysql -u ernie -p -h mydb.cugrv9uf52uw.eu-west-2.rds.amazonaws.com -D my_database

Direct Connect

Direct Connect vs VPN

EBS: Elastic Block Storage

RAID and EBS

RAID stands for Redundant Array of Independent Disks

Snapshots

EBS vs Instance Store

AMIs

ECR: Amazon EC2 Container Registry

EC2: Elastic Compute Cloud

Reserved Instances

ECS: Elastic Container Service

Task Definitions

ECS Service

ECS Clusters

Scheduler types:

Security

Limits

Running Apache on the Amazon AMI EC2 Instance

# after downloading key, remove access to group and others
chmod 400 myEC2.pem

# ssh into EC2 instance
ssh ec2-user@4.8.23.237 -i myEC2.pem

# update packages on Linux AMI instance
sudo yum update -y

# install apache
sudo yum install httpd -y

# create page (/var/www/html is owned by root, so write it via sudo)
echo "Hello World" | sudo tee /var/www/html/index.html

# start httpd
sudo service httpd start

# always start at reboot
sudo chkconfig httpd on

Get Metadata (!)

curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/user-data/

Placement Groups

AWS CLI on EC2

# Get EC2 Instances (including terminated ones)
$ aws ec2 describe-instances

# Get instance Ids
$ aws ec2 describe-instances | grep InstanceId

# aws ec2 terminate-instances --instance-ids 
aws ec2 terminate-instances --instance-ids i-0090856f1626a0928

EFS: Elastic File System

ELB: Elastic Load Balancer

EMR: Elastic Map Reduce

It allows root access (!)

IAM: Identity and Access Management

Lambda

General Points

Triggers

Languages

Load Balancing

Organizations

An account management service that lets you consolidate multiple AWS accounts into an organisation that is created and managed centrally.

OpsWorks

Managed version of Chef / Puppet

Resource Groups

AWS Systems Manager

Route 53 & DNS

Top Level Domains

Domain Registrars

Start Of Authority Record (SOA)

Name Server Records

Name Server Records (NS) are used by Top Level Domain servers to point to the authoritative DNS that holds the DNS records.

Example of an NS record pointing to Amazon, set up at a registrar (e.g. GoDaddy):

mydomain.com. 86400 IN NS ns.awsdns.com

Common Record Types

Routing Policies

Security

S3: Simple Storage Service

AWS CLI S3 commands

# list buckets
aws s3 ls

# list a bucket's files
aws s3 ls bucket1

# copy one bucket to another
aws s3 cp --recursive s3://bucket1 s3://bucket2

# copy static website under ./_site to s3 and make it public
aws s3 cp --recursive --acl public-read _site/ s3://garba-static

# dealing with InvalidRequest errors (specify EC2 region)
aws s3 cp s3://sao_paulo_bucket/cowboy.jpg /tmp/ --region eu-west-1

S3 Lifecycle Rules

Snowball

Types

The Snowball client works similarly to the AWS CLI tool. Files are copied into “buckets” on the appliance and end up in the corresponding S3 bucket once Amazon receives the appliance back:

./snowball cp hello.txt s3://my_bucket

Storage Gateway

STS: Security Token Service

It grants users limited and temporary access to AWS resources.

Users come from three sources:

  1. Regular Enterprise Federation
    • It typically uses Active Directory (AD)
    • It uses the Security Assertion Markup Language (SAML)
    • It relies on AD credentials
      • User does not need to be an IAM user
    • It allows single sign-on to the AWS console without IAM credentials
  2. Federation with Mobile Apps
    • OpenID providers
    • Examples:
      • Facebook
      • Google
  3. Cross Account Access
    • It lets users from one AWS account access resources in another
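Cross-account access (source 3 above) is implemented with an IAM role in the resource-owning account whose trust policy names the other account, plus an identity policy in the trusted account that allows sts:AssumeRole on that role. The following is an added example, not part of the original outline: it builds both policies and runs a small reviewer check over a trust policy. The account IDs and the role name are constructed placeholders; sts:ExternalId is a real IAM condition key, included here as the standard guard for third-party access.

```python
import json

# Constructed account IDs for the demo (not real AWS accounts).
RESOURCE_ACCOUNT = "111111111111"   # account that owns the resources
TRUSTED_ACCOUNT = "222222222222"    # account whose users will assume the role


def cross_account_trust_policy(trusted_account, external_id=None):
    """Trust policy for a role in the resource account: lets principals in
    trusted_account call sts:AssumeRole, optionally gated on an ExternalId."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission_policy(resource_account, role_name):
    """Identity policy attached in the trusted account so its users may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{resource_account}:role/{role_name}",
        }],
    }


def _as_list(value):
    # IAM allows a single string or a list for Principal.AWS and Action
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy):
    """Return the problems a reviewer would flag in a role trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS identity could assume this role")
        if "sts:AssumeRole" in _as_list(stmt.get("Action")) and "Condition" not in stmt:
            findings.append("AssumeRole allowed without a Condition such as sts:ExternalId")
    return findings


def policy_json(policy):
    """Render a policy the way it would be pasted into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    trust = cross_account_trust_policy(TRUSTED_ACCOUNT, external_id="constructed-external-id")
    print(policy_json(trust))
    print(policy_json(assume_role_permission_policy(RESOURCE_ACCOUNT, "CrossAccountReadOnly")))
    print("findings:", trust_policy_findings(trust))
```

The check is deliberately narrow: it only looks at the trust side (who may assume the role). What the role can do once assumed is governed by its permission policies, which are reviewed separately.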

Key terms

More facts

Support Plans

Property            Basic        Developer          Business             Enterprise
Customer Service    24x7         24x7               24x7                 24x7
Trusted Advisor     <= 7 checks  <= 7 checks        All checks           All checks
Health notific.     Dashboard    Dashboard          Dash. + API          Dash. + API
Tech Support        -            E-mail             24x7 + chat/phone    24x7 + chat/phone
Who can open cases  -            primary contact    all contacts         all contacts
  general           -            <24h               <24h                 <24h
  impaired          -            <12h biz hours     <12h                 <12h
Severity resp.
  impaired          -            -                  <4h                  <4h
  down              -            -                  <1h                  <1h
  biz. down         -            -                  -                    <15m
Arch. support       -            gen. guidance      contextualised       per application
Launch support      -            -                  + fee                free
Cases via API       -            -                  Yes                  Yes
3rd party support   -            -                  troubleshooting      troubleshooting
Arch. review        -            -                  -                    WAF
Ops support         -            -                  -                    reviews
Training            -            -                  -                    online labs
Acc. assistance     -            -                  -                    concierge team
Dedicated AM        -            -                  -                    Yes
Pricing             included     $29/month+         $100/month+          $15k/month+

S3 Transfer Acceleration

Security Groups

Tags

Trusted Advisor

Security Checks (!)

VPC: Virtual Private Cloud

Amazon VPC lets you provision a logically isolated section of the AWS network so that resources can be secured and grouped into trust areas.

ELBs and VPCs

Subnet Ranges

CIDR Prefix     First IP       Last IP          Total
(10/8)          10.0.0.1       10.255.255.255   16,777,216
(172.16/12)     172.16.0.1     172.31.255.255   1,048,576
(192.168/16)    192.168.0.1    192.168.255.255  65,536

http://cidr.xyz/

Creating a new VPC

Creating a new VPC results in the automatic creation of:

Unavailable IPs

For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
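The ranges in the Subnet Ranges table and the reserved addresses of a subnet can both be worked out from the CIDR block. The following is an added example, not code from the original outline: it uses Python's standard ipaddress module to produce the first host, last address and total size of a block, and lists the five addresses AWS reserves in every VPC subnet (the network address, the VPC router at +1, the DNS server at +2, one address reserved for future use at +3, and the broadcast address at the end of the block). The /16 to /28 size limit for VPC subnets is AWS's documented range; the sample CIDRs are constructed.

```python
import ipaddress

# Offsets from the network address that AWS reserves in every VPC subnet.
AWS_RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "DNS server",
    3: "reserved for future use",
}


def subnet_summary(cidr):
    """First host, last address and size of a block, as in the Subnet Ranges table."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "first_host": str(net.network_address + 1),
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
    }


def aws_reserved_addresses(cidr):
    """Map each of the five AWS-reserved addresses of a VPC subnet to its purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = {str(net.network_address + off): why for off, why in AWS_RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "broadcast address"
    return reserved


def aws_usable_hosts(cidr):
    """Addresses left for instances once the five reserved ones are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - len(AWS_RESERVED_OFFSETS) - 1


def valid_vpc_subnet(cidr):
    """AWS only allows VPC subnets between /16 and /28 (inclusive)."""
    return 16 <= ipaddress.ip_network(cidr, strict=True).prefixlen <= 28


if __name__ == "__main__":
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
        print(block, subnet_summary(block))
    print(aws_reserved_addresses("10.0.0.0/24"))
    print("usable hosts in 10.0.0.0/24:", aws_usable_hosts("10.0.0.0/24"))
```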

NAT Instances

NAT instances are EC2 instances launched from a NAT AMI that act as a NAT router.

NAT Gateway

A NAT gateway is a cloud-native managed service rather than a user-managed EC2 instance.

Network ACL (NACL)

VPC Flow Logs

VPC Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC and deliver it through Amazon CloudWatch.

They can be created at three levels:

  1. VPC
  2. Subnet
  3. Network Interface Level
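Whatever level a flow log is created at, the records it delivers share one layout, and the main use for them on the security side is spotting rejected traffic. The following is an added example, not part of the original outline: it parses the default (version 2) flow log record format, whose fields are version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status, and then counts REJECT records per source and flags sources that probed several ports. The sample records, account ID, ENI ID and addresses are constructed for the demo; NODATA rows (no traffic in the capture window, fields shown as "-") are handled rather than crashing the parser.

```python
from collections import Counter, defaultdict

# Default (version 2) flow log record layout, space separated.
FLOW_LOG_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]

# Constructed sample records (account, ENI and addresses are made up).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49152 22 6 12 2880 1540000000 1540000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 41000 22 6 1 44 1540000000 1540000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 41001 23 6 1 44 1540000000 1540000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.10 41002 3389 6 1 44 1540000000 1540000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.2.11 51000 445 6 1 44 1540000000 1540000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1540000000 1540000600 - NODATA
"""


def parse_flow_log_line(line):
    """Map one record to a dict; numeric fields become ints, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"expected {len(FLOW_LOG_FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FLOW_LOG_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        record[key] = None if record[key] == "-" else int(record[key])
    for key in ("srcaddr", "dstaddr", "action"):
        if record[key] == "-":
            record[key] = None
    return record


def parse_flow_log(text):
    return [parse_flow_log_line(line) for line in text.splitlines() if line.strip()]


def rejected_by_source(records):
    """Count REJECT records per source address (NODATA/SKIPDATA rows carry no action)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def port_scan_suspects(records, min_ports=3):
    """Sources whose rejected traffic hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["log_status"] == "OK":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, hit in ports.items() if len(hit) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejects per source:", dict(rejected_by_source(recs)))
    print("port scan suspects:", port_scan_suspects(recs))
```

A REJECT in a flow log means a security group or network ACL dropped the packet, so a single source accumulating rejects across many ports is the kind of pattern worth turning into a CloudWatch metric filter and alarm.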

General

Endpoints

Two types

Internet Gateway

Only one Internet Gateway can be attached to a VPC.

VPC Peering

General Q&A

Can you conduct your own vulnerability scans within your own VPC without notifying AWS first? -> Answer: NO.

Well Architected Framework (WAF)

Introduction (Best Practices)

Cloud Benefits

Design for Failure

Decoupling

Elasticity

  1. Proactive cyclic scaling: (daily, weekly, etc)
  2. Proactive business event-based scaling (e.g. Christmas, product launch, etc.)
  3. Auto-scaling based on demand: based on metrics and triggers

Security

Five pillars

  1. Security
  2. Reliability
  3. Performance Efficiency
  4. Cost Optimisation
  5. Operational Excellence

General Design Principles

Security

Design Principles

AWS Shared Responsibility Model

Security Best Practices

The key areas are data protection, privilege management, infrastructure protection, and detective controls.

Data protection

Privilege management

Infrastructure protection

Detective controls

Reliability

Design Principles

Best Practices

Key areas are foundations, change management, and failure management.

Foundations

Change Management

Failure Management

Performance Efficiency

Design Principles

Best Practices

The four key areas are compute, storage, database, and space-time trade-off.

Compute

Storage

Space-Time Trade-off

Cost Optimisation

Design Principles

Best Practices

The four key areas are: matched supply and demand, cost-effective resources, expenditure awareness, and optimizing over time.

Matched Supply and Demand

Cost-effective Resources

Expenditure Awareness

Optimizing Over Time

Operational Excellence

Design Principles

Best Practices

The key areas are preparation, operation, and response.

Preparation

Operation

Response

Workspaces

General Last Points