My tips for securing AWS Solution Architect Associate Certification
a. Create a bucket and try uploading and downloading files.
b. Make your bucket and objects public and private. Notice the difference in Amazon S3 keys for public and private objects.
c. Create your bucket as an Amazon S3 static website.
2) Encryption at rest and in transit - Understand the different encryption at rest options – SSE-S3, SSE-KMS, SSE-C and client-side encryption.
3) Amazon S3 events, Amazon S3 security (user based – IAM policies, and resource based – bucket policies), Amazon S3 pre-signed URLs, Amazon S3 gateway endpoint, CORS
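Items 2) and 3) above come together in one common exam scenario: a bucket policy (resource based) that enforces encryption at rest and in transit. The block below is an added example, not code from this post. It builds such a policy with placeholder bucket and KMS key values, then replays its Deny statements against constructed PutObject request contexts with a small evaluator that models only the IAM condition operators the policy uses (Bool and StringNotEquals, including the rule that a missing key satisfies a negated operator).

```python
"""Bucket policy that refuses plaintext-HTTP access and uploads not encrypted
with one expected KMS key, plus a small evaluator that replays its Deny
statements against constructed PutObject requests. Bucket name and key ARN are
placeholders; the evaluator models only the IAM operators the policy uses."""
import fnmatch
import json

BUCKET = "example-bucket"  # placeholder, not a real bucket
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder


def build_bucket_policy(bucket, kms_key_arn):
    """Resource-based policy. Each check is its own statement: keys listed under
    one operator are ANDed, so a single StringNotEquals carrying both the
    encryption header and the key id would let 'aws:kms with the wrong key' through."""
    arn = f"arn:aws:s3:::{bucket}"

    def deny(sid, action, resource, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": action, "Resource": resource, "Condition": condition}

    return {"Version": "2012-10-17", "Statement": [
        deny("DenyInsecureTransport", "s3:*", [arn, f"{arn}/*"],
             {"Bool": {"aws:SecureTransport": "false"}}),
        deny("DenyNonKmsEncryption", "s3:PutObject", f"{arn}/*",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        deny("DenyWrongKmsKey", "s3:PutObject", f"{arn}/*",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}),
    ]}


def _condition_matches(cond, ctx):
    """Evaluate one Condition block (operators and keys are ANDed). A negated
    operator treats a missing request key as a match, which is what lets the
    policy refuse uploads that send no encryption header at all."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_denied(policy, ctx):
    """Return the Sid of the first explicit Deny matching the request, else None.
    An explicit Deny overrides every Allow, so a hit here is final."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


POLICY = build_bucket_policy(BUCKET, KMS_KEY_ARN)
OBJ = f"arn:aws:s3:::{BUCKET}/report.csv"


def sample_requests():
    """Constructed PutObject request contexts and the verdict for each."""
    base = {"action": "s3:PutObject", "resource": OBJ}
    kms = {"s3:x-amz-server-side-encryption": "aws:kms"}
    cases = {
        "plain_http": {**base, "aws:SecureTransport": False, **kms,
                       "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN},
        "no_encryption_header": {**base, "aws:SecureTransport": True},
        "sse_s3": {**base, "aws:SecureTransport": True,
                   "s3:x-amz-server-side-encryption": "AES256"},
        "sse_kms_wrong_key": {**base, "aws:SecureTransport": True, **kms,
                              "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY"},
        "sse_kms_right_key": {**base, "aws:SecureTransport": True, **kms,
                              "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN},
    }
    return {name: is_denied(POLICY, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(json.dumps(sample_requests(), indent=2))
```

Only the SSE-KMS upload with the expected key and TLS gets past all three statements; SSE-S3, SSE-C (no `aws:kms` header) and plaintext HTTP are refused. Keep the encryption-header check and the key-id check in separate statements for the reason given in the comment.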
Amazon VPC –
1) Amazon VPC, Subnet, CIDR
2) Amazon VPC security – primarily understand security groups and NACLs. Go to your Amazon VPC and see what these look like, the default rules you will have, etc.
3) Understand the concepts of private subnet, public subnet, IGW, NAT gateway (and NAT instances as well), Bastion hosts etc.
4) Understand the concepts of Amazon VPC peering, transitive dependency, Transit Gateway, AWS PrivateLink, AWS VPN, AWS VPN gateway, customer gateway, IPsec tunnel etc.
Amazon EC2 –
1) Understand the different Amazon EC2 options you have and at a high level what to use when. Ex – C type instance for compute, P for graphics, T for general purpose, I for IOPS etc.
2) Amazon EC2 launch types – on-demand, spot, reserved, dedicated instance, dedicated hosts
3) Amazon EC2 default metrics – remember you have only 4 default metrics – CPU, network, status (checks instance and system status) and disk (instance store). The exam can trick you by saying you will look for RAM usage. RAM is not an EC2 metric. If you see EC2 and RAM, know that you need to use CloudWatch custom metrics.
4) How do you check your instance metadata from WITHIN the instance – use curl (practice running the curl command)
5) Auto scaling
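For item 4), the curl command is worth pairing with the IMDSv2 two-step flow (PUT for a session token, then GET with the token), since an instance set to require IMDSv2 refuses token-less reads. The block below is an added example, not from this post or from AWS: it runs a constructed loopback stand-in for the metadata service (the real endpoint is http://169.254.169.254, which is unreachable off an instance) and shows both a v2 read and a refused token-less read. The sample metadata values are constructed, and the curl equivalent is in the docstring.

```python
"""IMDSv2 client exercised against a local stand-in for the instance metadata
service. The stand-in is constructed for this example (it is not AWS code) and
enforces the v2 rule: PUT for a session token first, then GET with that token;
token-less GETs receive 401, as they do on an instance that requires IMDSv2."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"

# Constructed sample metadata, shaped like the real paths under /latest/meta-data/.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/iam/security-credentials/": "example-role",
}


class FakeImds(BaseHTTPRequestHandler):
    tokens = set()  # session tokens issued by this stand-in

    def log_message(self, *args):  # keep the stand-in quiet
        pass

    def do_PUT(self):
        if self.path != TOKEN_PATH or TTL_HDR not in self.headers:
            self._reply(400, "bad token request")
            return
        token = secrets.token_urlsafe(32)
        FakeImds.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        if self.headers.get(TOKEN_HDR) not in FakeImds.tokens:
            self._reply(401, "Unauthorized")  # token-less (v1-style) read refused
            return
        body = FAKE_METADATA.get(self.path)
        if body is None:
            self._reply(404, "not found")
        else:
            self._reply(200, body)

    def _reply(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def imds_get(base_url, path, ttl=21600):
    """Two-step IMDSv2 read. The curl equivalent on an instance is:
      TOKEN=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
      curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
              http://169.254.169.254/latest/meta-data/instance-id"""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HDR: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HDR: token})
    with urllib.request.urlopen(req, timeout=2) as r:
        return r.read().decode()


def imds_v1_get_status(base_url, path):
    """Token-less GET, i.e. what IMDSv1 callers send; returns the HTTP status."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=2) as r:
            return r.getcode()
    except urllib.error.HTTPError as e:
        return e.code


def start_fake_imds():
    """Start the stand-in on a free loopback port and return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def demo():
    base = start_fake_imds()
    return {
        "instance_id": imds_get(base, "/latest/meta-data/instance-id"),
        "v1_status": imds_v1_get_status(base, "/latest/meta-data/instance-id"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The defender's takeaway is the 401: with IMDSv2 required on the instance, any code path that can only issue a plain GET cannot read the role credentials under `iam/security-credentials/`, so set the instance metadata options to require tokens and watch for token-less requests in your own application's outbound traffic.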
AWS Storage –
1) Understand the differences and when and where to use – Amazon EBS, Amazon EFS, instance storage, Amazon S3, Amazon Glacier. Different types of Amazon EBS.
2) AWS Storage gateway – File, Volume and Tape gateway.
3) AWS Snowball, AWS DMS (AWS Database Migration Service, SCT), DataSync. For AWS DMS know what you can connect to and what you cannot connect to. For example - remember you can have Amazon Redshift, Amazon DynamoDB etc. as a target but not as a source for AWS DMS.
AWS IAM –
1) Users, Groups, Roles, Policies – Know these things in and out
2) Policies – AWS managed, customer managed, inline. Access Advisor, Access Analyzer.
3) Identity federation (very important in all certifications) – Understand AWS Managed Microsoft AD, AD Connector and Simple AD. Have a good understanding of Amazon Cognito.
4) A high-level understanding of STS is enough, I think, for Architect Associate. For Developer Associate you will need to know some of the most commonly used STS APIs.
AWS ELB (Elastic Load balancers) –
1) 4 types – Application, Network, Classic and Gateway. Know the differences between each of these.
2) In Classic you need to know about the X-Forwarded-For header.
3) Also, Classic can support only 1 SSL certificate while ALB supports multiple due to SNI. Know these at a high level.
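For item 2), the security-relevant point about X-Forwarded-For is which value to trust: the load balancer appends the connecting client's address to the right end of the header, while anything further left arrived from the client and can say whatever the client likes. The block below is an added example, not from this post: it resolves the client address by walking the chain from the right, skipping only addresses inside a constructed trusted-proxy range (assumed here to be the VPC CIDR the load balancer nodes live in), and contrasts that with the naive leftmost-value approach.

```python
"""Resolve the real client address from X-Forwarded-For behind a load balancer.
The trusted proxy range and all sample addresses are constructed for this example."""
import ipaddress


def client_ip_from_xff(xff, peer_ip, trusted_proxies):
    """Walk the chain from the right (the hop the load balancer appended) and return
    the first address that is not a trusted proxy. peer_ip is the TCP peer the
    backend actually sees, which behind a load balancer is the balancer node itself."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # junk in the header is never a trusted proxy
        return any(addr in net for net in trusted)

    chain = [hop.strip() for hop in xff.split(",") if hop.strip()] + [peer_ip]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return peer_ip  # every hop was a proxy; fall back to the direct peer


def naive_leftmost(xff, peer_ip):
    """The mistake: trust the first value, which the client controls."""
    first = xff.split(",")[0].strip()
    return first or peer_ip


def demo():
    trusted = ["10.0.0.0/16"]      # constructed VPC CIDR where the load balancer nodes sit
    elb_node = "10.0.1.20"         # constructed address of the load balancer node
    # Constructed request: the client sent its own X-Forwarded-For ("198.51.100.7"),
    # and the load balancer appended the address it really saw ("203.0.113.9").
    xff = "198.51.100.7, 203.0.113.9"
    return {
        "walk_from_right": client_ip_from_xff(xff, elb_node, trusted),
        "naive_leftmost": naive_leftmost(xff, elb_node),
        "direct_no_header": client_ip_from_xff("", "192.0.2.1", trusted),
    }


if __name__ == "__main__":
    print(demo())
```

Use the right-walking value for allow lists, rate limits and audit logs; the leftmost value is fine to record as a hint but never as the source of truth. The same reasoning applies to an ALB, which also appends the client address.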
AWS Security -
1) AWS CloudTrail, AWS CloudTrail events, AWS CloudTrail log file integrity validation.
2) Amazon CloudWatch alarms, Amazon CloudWatch Events, Amazon CloudWatch Logs.
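Item 1) is easier to remember once you see the mechanism: CloudTrail writes a digest file every hour listing the SHA-256 of each delivered log file, and each digest carries the hash of the previous digest, so a modified or deleted log file, or a digest pulled out of the sequence, shows up as a mismatch. The block below is an added example, not CloudTrail's own code or format: it builds a simplified digest record with the real field names, constructed sample log files and a placeholder bucket, and validates the chain. It checks only the hash chain and file hashes; the RSA signature over each digest that `aws cloudtrail validate-logs` also verifies is left out.

```python
"""Simplified CloudTrail-style digest chain: per-file SHA-256 plus a hash link to
the previous digest. Digest layout, file names and log contents are constructed
for this example; the digest signature step is not modelled."""
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_files: Dict[str, bytes], previous_digest: Optional[bytes]) -> bytes:
    """Digest record: hash of every log file delivered in the period, plus the hash
    of the previous digest so the sequence of digests is itself tamper-evident."""
    rec = {
        "digestS3Bucket": "example-trail-bucket",  # placeholder
        "logFiles": [
            {"s3Object": name, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for name, body in sorted(log_files.items())
        ],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest else None,
    }
    return json.dumps(rec, sort_keys=True).encode()


def validate_chain(digests: List[bytes], store: Dict[str, bytes]) -> List[str]:
    """Return the problems found; an empty list means every file and link checks out."""
    problems = []
    prev = None
    for i, d in enumerate(digests):
        rec = json.loads(d)
        expected_prev = sha256_hex(prev) if prev else None
        if rec["previousDigestHashValue"] != expected_prev:
            problems.append(f"digest {i}: chain broken (previous digest hash mismatch)")
        for lf in rec["logFiles"]:
            body = store.get(lf["s3Object"])
            if body is None:
                problems.append(f"digest {i}: log file {lf['s3Object']} missing")
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append(f"digest {i}: log file {lf['s3Object']} modified")
        prev = d
    return problems


def demo():
    # Constructed log files; 111122223333 is a placeholder account id.
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/01/01/"
    store = {
        prefix + "log-0001.json": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        prefix + "log-0002.json": b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    names = sorted(store)
    d1 = make_digest({names[0]: store[names[0]]}, None)
    d2 = make_digest({names[1]: store[names[1]]}, d1)

    clean = validate_chain([d1, d2], store)

    tampered = dict(store)
    tampered[names[1]] = b'{"Records":[]}'       # the DeleteTrail event was scrubbed
    modified = validate_chain([d1, d2], tampered)

    d3 = make_digest({}, d2)
    gap = validate_chain([d1, d3], store)        # d2 removed from the sequence

    return {"clean": clean, "modified": modified, "gap": gap}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the digest chain is only as trustworthy as the place it is stored, the usual pairing is to keep the trail bucket out of the workload accounts, deny delete on it with a bucket policy, and run the validation from a separate security account.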
Amazon RDS, Amazon Redshift, Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB –
1) Know the different RDS options, Read replica, multi-AZ
2) Amazon Aurora, Amazon Aurora Global DB, Amazon Aurora multi-master
3) Multi-AZ in Amazon RDS is for DR only – meant for high availability. This is not for performance improvement. Remember this, as you will get some trick questions here with high availability vs performance improvement scenarios.
4) At a high level know about the different databases in AWS such as Amazon DynamoDB, Amazon Neptune, Amazon DocumentDB and use cases for each. You may get some questions such as NOSQL requirements (Amazon DynamoDB), OLAP use case (Amazon Redshift), graph (Amazon Neptune).
5) Amazon DynamoDB keys and indexes, scan and query. Developer Associate requires deeper knowledge of Amazon DynamoDB. You need to know how to determine Read Capacity Unit (RCU) and Write Capacity Unit (WCU) for your Amazon DynamoDB. You need to know about Amazon DynamoDB TTL and Amazon DynamoDB Streams.
AWS Lambda –
1) What is AWS Lambda, when and where to use. When not to use it.
2) Limits in AWS Lambda
Amazon SQS and Amazon SNS –
1) You will need to know at a high level of both these.
2) Amazon SQS limits, visibility timeout, short/long polling, delay queues, standard queues, FIFO queues.
3) Fanout in AWS using Amazon SNS + Amazon SQS
Amazon Kinesis –
1) Know the differences between Amazon Kinesis Data Streams and Amazon Kinesis Firehose. Amazon Kinesis Data Streams is for real-time streaming while Amazon Kinesis Firehose is 'near real time'.
2) You can expect scenario questions where you will need to know if you have to use Amazon Kinesis Firehose or Amazon Kinesis Datastream. Remember - Amazon Kinesis Firehose has an internal memory buffer of minimum 1MB and Max 128MB, and a time buffer of minimum 1 minute. So expect at least 1 min latency when using Amazon Kinesis Firehose.
3) Understand how you can read data from Amazon Kinesis Data Streams using the Amazon Kinesis Client Library (KCL), Lambda and Amazon Kinesis fan-out.
Cost control on AWS –
1) Which service you need to use when. Ex – using Amazon S3 instead of instance store, Amazon Kinesis vs Amazon SQS usage scenario etc
2) Cost allocation tags and billing console.
3) How you can use AWS Organizations to save costs. Remember - reserved instance and on-demand instance costs and how the costs get aggregated in organizations.
4) AWS Trusted advisor
5) AWS Limit monitor
Other services to know –
1) AWS organizations and SCP. Have an understanding of service control policy (SCP) and how it works. They can trick you with some questions here giving scenarios of SCP at root vs some OU level.
2) Amazon Route53 – Amazon Route53 routing policies
3) Amazon CloudFront – CDN, CF origin with Amazon S3 for static data – this is a common question on how you can use S3 for static data distribution. Amazon Cloudfront signed URL, signed cookie
4) AWS Config
5) AWS CloudFormation, BeanStalk, AWS CodeCommit, AWS CodeBuild, AWS Codepipeline - There is a lot of focus on these in Developer Associate compared to Architect Associate. Developer Associate tests your ability to build and execute a pipeline using AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy and AWS CodePipeline.
6) Amazon EMR, AWS Glue, AWS Step Functions.
7) Amazon SWF (Amazon Simple Workflow) – use this if you have manual intervention.
8) AWS OpsWorks
9) Service Catalog and how you use this with AWS CloudFormation.
10) Disaster recovery in AWS at a high level – Amazon EBS snapshots, Amazon RDS snapshots etc
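The SCP trick questions in item 1) above all reduce to one rule: an action is permitted only if it is allowed at every level on the path from the root through each OU down to the account, and an explicit Deny anywhere on that path wins. The block below is an added example, not from this post or from AWS: it evaluates that intersection for constructed SCPs (a FullAWSAccess-style policy, a root-level guardrail, and an allow-list on a workload OU), matching on Action only and ignoring Resource and Condition, which is enough to see why an Allow at an OU cannot undo a Deny at the root and why a root-level Allow does not help an account whose OU lists fewer actions.

```python
"""Effective SCP evaluation down an Organizations path. Policies, OU layout and
action names are constructed for this example; Resource and Condition are not modelled."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, action):
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))


def level_allows(scps, action):
    """One level (root, an OU, or the account itself) allows an action only when
    some attached SCP contains a matching Allow and no attached SCP contains a
    matching Deny."""
    allowed = denied = False
    for policy in scps:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    return allowed and not denied


def action_permitted(path, action):
    """path: the SCP lists attached at each level from the root down to the account.
    Every level must allow; the effective policy is the intersection."""
    return all(level_allows(level, action) for level in path)


# Constructed SCPs. FULL_AWS_ACCESS mirrors the default allow-everything policy.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ROOT_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Resource": "*",
                                 "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
WORKLOAD_OU_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                        "Action": ["s3:*", "ec2:*", "cloudtrail:*"]}]}


def demo():
    # root -> Workloads OU -> member account
    path = [[FULL_AWS_ACCESS, ROOT_GUARDRAIL], [WORKLOAD_OU_ALLOWLIST], [FULL_AWS_ACCESS]]
    actions = ["s3:GetObject", "ec2:RunInstances", "iam:CreateUser",
               "cloudtrail:StopLogging", "cloudtrail:LookupEvents"]
    return {a: action_permitted(path, a) for a in actions}


if __name__ == "__main__":
    for action, ok in demo().items():
        print(f"{action:28s} {'allowed' if ok else 'blocked'}")
```

Two facts to keep alongside this: SCPs never grant anything by themselves, so a permitted action here still needs an IAM Allow in the account, and the management account is not affected by SCPs at all, so root-level guardrails like the one above protect member accounts only.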