<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Wojciech Szczepucha</title>
    <description>The latest articles on Forem by Wojciech Szczepucha (@donkoyote).</description>
    <link>https://forem.com/donkoyote</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F310298%2F906d8bf3-e9d7-4b98-b2e6-54ada668e066.png</url>
      <title>Forem: Wojciech Szczepucha</title>
      <link>https://forem.com/donkoyote</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/donkoyote"/>
    <language>en</language>
    <item>
      <title>AWS Certified Solutions Architect - Professional a few thoughts</title>
      <dc:creator>Wojciech Szczepucha</dc:creator>
      <pubDate>Mon, 22 Mar 2021 22:23:07 +0000</pubDate>
      <link>https://forem.com/aws-builders/aws-certified-solutions-architect-professional-a-few-thoughts-1m5n</link>
      <guid>https://forem.com/aws-builders/aws-certified-solutions-architect-professional-a-few-thoughts-1m5n</guid>
      <description>&lt;h2&gt;
  
  
  For what reason did I attend this exam at all?
&lt;/h2&gt;

&lt;p&gt;After a few years of working on plenty of cloud projects, where AWS was around 95% of my daily duty, I just wanted to give it a try. No other reasons that I'm aware of ;).&lt;/p&gt;

&lt;h2&gt;
  
  
  The Exam
&lt;/h2&gt;

&lt;p&gt;AWS states on the official &lt;a href="https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Exam-Guide.pdf"&gt;Exam Guide&lt;/a&gt;:&lt;br&gt;
"This exam validates advanced technical skills and experience in designing distributed applications and systems on the AWS platform."&lt;/p&gt;

&lt;p&gt;You are going to be tested on five domains:&lt;/p&gt;

&lt;p&gt;Domain 1: Design for Organizational Complexity &lt;br&gt;
Domain 2: Design for New Solutions &lt;br&gt;
Domain 3: Migration Planning &lt;br&gt;
Domain 4: Cost Control &lt;br&gt;
Domain 5: Continuous Improvement for Existing Solutions &lt;/p&gt;

&lt;p&gt;In my &lt;a href="https://www.linkedin.com/feed/update/urn:li:activity:6778623026612228096/"&gt;LinkedIn&lt;/a&gt; post, I wrote:&lt;/p&gt;

&lt;p&gt;"A very nice exam, but you have to rush, really - for me, the time was short. It covers all possible solutions available on the AWS cloud, so you should have hands-on experience with most of them. Most of the questions are migration-related, so again you have to have experience."&lt;/p&gt;

&lt;p&gt;And that is, in a nutshell, what you can expect and what is expected from you.&lt;/p&gt;

&lt;p&gt;The exam itself is a "Blitzkrieg," if you know what I mean. The questions are quite long, so you have to keep your focus on the details. The answers are not so tricky, but the devil is in the details - again. What you can expect is well shown &lt;a href="https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Sample-Questions.pdf"&gt;here&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;It lasts 220 minutes. Due to Covid-19, the only way to take it is online. I had done online exams before, but never for 4 hours in a row, so bear in mind that you are stuck at your desk without an option to move or use the bathroom (that's insane).&lt;/p&gt;

&lt;p&gt;220 minutes for 75 questions gives you about 3 minutes per question. That means you have to be confident about the topic; there is not much time for deliberation. At least for me, the time was short, even though the language is quite straightforward (I'm not a native English speaker).&lt;/p&gt;

&lt;h2&gt;
  
  
  Preparation
&lt;/h2&gt;

&lt;p&gt;The best preparation is to use the cloud and work on multiple projects for a few years. &lt;/p&gt;

&lt;p&gt;Before the cloud, I was responsible for building secure multi-branch networks, highly available and resilient solutions, and clustered virtualized environments that supported the companies I worked for.&lt;/p&gt;

&lt;p&gt;What helped me a lot was that, for the last two years, I have conducted commercial "AWS-driven" training for multiple groups of professionals in the areas of Development on AWS, Architecture, and dedicated Security training. &lt;/p&gt;

&lt;p&gt;If you can, try to teach someone; you will certainly get a very good recap of all the services :). You can pick someone around you, maybe a colleague who is starting their journey with the cloud. You will be able to find gaps in how you understand particular services.&lt;/p&gt;

&lt;p&gt;Creating materials, labs, and writing articles for my newly created &lt;a href="https://poznajaws.pl"&gt;site&lt;/a&gt; was extremely helpful too.&lt;/p&gt;

&lt;p&gt;You might be surprised that I don't write much about certain services. This is for a reason: on the exam you will find every possible solution that fits within the 5 domains. &lt;/p&gt;

&lt;p&gt;Most questions were around the fifth domain, so I was asked about possible improvements to existing solutions; a few questions involved AWS DMS and the overall migration process. I also got a few technical questions about VPC, like AWS Transit Gateway or Peering connections. Of course, you will find services like Kinesis or SQS (remember, decoupling). But there are a few questions that ask about 4-5 services to be implemented in a row.&lt;/p&gt;

&lt;p&gt;A list of services you might find on the exam can be found &lt;a href="https://github.com/swiatchmury/aws-egzaminy/blob/master/materials/AWS_Certified_Solutions_Architect_Professional/README.md"&gt;here&lt;/a&gt;, even though it's in Polish.&lt;/p&gt;

&lt;p&gt;I also used &lt;a href="https://learn.cantrill.io/"&gt;Adrian Cantrill's&lt;/a&gt; AWS Certified Solutions Architect - Professional course to do a quick recap of services which I hadn't touched for a while.&lt;/p&gt;

&lt;p&gt;The last service I used was &lt;a href="https://www.whizlabs.com/aws-solutions-architect-professional/"&gt;Whizlabs&lt;/a&gt;, as they have very good practice tests, so you can practice and find your gaps as well.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://tutorialsdojo.com/category/aws-cheat-sheets/"&gt;TutorialsDojo&lt;/a&gt; has well-prepared AWS cheat sheets; they might also be helpful for you.&lt;/p&gt;

&lt;h2&gt;
  
  
  My last thoughts around the exam
&lt;/h2&gt;

&lt;p&gt;Build your own lab and use as many services as you can. Play a lot. Imagine you have a three-tier application in your on-premises environment, and think about how you would migrate it to the cloud when you have 10 GB, 100 GB, or 100 TB of data to move. What services are involved, what are your options for transfer, and so on?&lt;/p&gt;

&lt;p&gt;Take your time to get a good understanding of the costs of migration: what costs more, and what is better if you are short on time.&lt;/p&gt;

&lt;p&gt;Bear in mind that cost is not always the deciding factor.&lt;/p&gt;

&lt;p&gt;What if you want to implement something quickly without disrupting the production environment?&lt;/p&gt;

&lt;p&gt;How would you secure the application when attacks come from distributed sources with random IPs? What services can help you with that?&lt;/p&gt;

&lt;p&gt;If you haven't worked on multiple domains yet, wait and come back later. I mean it.&lt;/p&gt;

&lt;p&gt;Try to teach someone; it's the best way I have found to stay on track with the services and how you understand them.&lt;/p&gt;

&lt;p&gt;Take advantage of the previous exam discount (if you still have one) - AWS gives you a 50% discount coupon for each exam you pass.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>architecture</category>
    </item>
    <item>
      <title>AWS Certified Security Speciality a few thoughts</title>
      <dc:creator>Wojciech Szczepucha</dc:creator>
      <pubDate>Tue, 19 Jan 2021 21:25:49 +0000</pubDate>
      <link>https://forem.com/aws-builders/aws-certified-security-speciality-a-few-thoughts-11db</link>
      <guid>https://forem.com/aws-builders/aws-certified-security-speciality-a-few-thoughts-11db</guid>
      <description>&lt;h2&gt;
  
  
  What does AWS expect from you?
&lt;/h2&gt;

&lt;p&gt;You need to have at least two years of experience in AWS!&lt;/p&gt;

&lt;p&gt;I mean it! &lt;/p&gt;

&lt;p&gt;Hands-on experience, in my opinion, is a must-have if you want to pass this exam. Also, in the context of the AWS Security Speciality exam, AWS requires you to have broad knowledge of their security-related services. &lt;/p&gt;

&lt;p&gt;You will be asked to prove your professional experience with IAM, S3, CloudWatch, or KMS, keeping in mind how those and other services fit together. Additionally, if you don't feel confident about the networking stack, attacks like DDoS, and how to remediate them, better sit down and learn.&lt;/p&gt;

&lt;p&gt;This might feel like an exaggeration, but not this time :).&lt;/p&gt;

&lt;p&gt;My personal goal was not only to pass the exam (although that was still somewhat important to me); I really wanted to deep dive into the services and know them well. I work as a Cloud Security Engineer, and for me, understanding "how does it work" is fundamental.&lt;/p&gt;

&lt;h2&gt;
  
  
  Read a lot
&lt;/h2&gt;

&lt;p&gt;Start with the AWS Whitepapers and AWS Best Practices. Of course, the FAQs of particular services are very helpful too.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS-Certified-Security-Specialty_Exam-Guide_v1.6_FINAL.pdf"&gt;Exam Guide&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf"&gt;AWS Security Best Practices&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf?"&gt;AWS Best Practices for DDoS Resiliency&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://d1.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf"&gt;Overview of AWS Security - Network Security&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Services - I urge you to know them very well
&lt;/h2&gt;

&lt;p&gt;Let's stop for a while. Below you will find services that, in my opinion, you should know well before taking the exam. &lt;/p&gt;

&lt;h4&gt;
  
  
  AWS IAM
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Policies - know what they are for, how to build them, how they work, and the &lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html"&gt;policy evaluation logic&lt;/a&gt;. There is no excuse here; if you do not feel comfortable with IAM, do not go further. Know well how the 'Condition' statement works in a policy and what types of statements can be used.&lt;/li&gt;
&lt;li&gt;Understand the difference between identity policies and resource policies, and when to use which.&lt;/li&gt;
&lt;li&gt;Know how to grant permissions to your resources across accounts, and how to revoke them. &lt;/li&gt;
&lt;li&gt;User, Group, Identity Pool (SAML usage) - overall knowledge and best practices are enough.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Example scenario: a corporation (with over 5000 user accounts and its own IdP in the on-premises environment) wants to give some of its employees access to AWS accounts. Think about how you would build federation here (maybe SAML &amp;amp; ADFS)?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h4&gt;
  
  
  AWS KMS
&lt;/h4&gt;

&lt;p&gt;If you haven't used this service intentionally, take your time and play with it. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Know how to create your own encryption keys, how they work, and what the limits are. Know how to rotate keys, and understand when to rotate them manually. Take your time to understand how authorization with other services works: S3, RDS, EBS, third-party accounts.&lt;/li&gt;
&lt;li&gt;Know what the manual process of encrypting and decrypting data looks like, and how to provide your own key material.&lt;/li&gt;
&lt;li&gt;When is a CMK enough, and when is CloudHSM required?&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS CloudHSM
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;It is worth knowing which scenarios it works in, what the differences are in terms of management, and how to deal with Disaster Recovery and multi-region setups. &lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Amazon S3
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Think of S3 as a central file and log repository - pay attention to ACLs and moving data between accounts.&lt;/li&gt;
&lt;li&gt;I would recommend you to practice encryption and replication between buckets. &lt;/li&gt;
&lt;li&gt;Be familiar with the different storage tiers! How do you make sure that your objects stay untouched as time passes?&lt;/li&gt;
&lt;li&gt;Know the difference between Bucket Policy and ACL on the object level.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Amazon VPC
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;When is a network private, and when is it public? How do you properly set up routing and NAT?&lt;/li&gt;
&lt;li&gt;How do Security Groups and NACLs work: how and where can they be attached, and what is the difference between stateful and stateless?&lt;/li&gt;
&lt;li&gt;Know how to connect networks to each other: Peering, VPC Endpoints, PrivateLink.&lt;/li&gt;
&lt;li&gt;What is a Bastion Host, and when and where should it be used?&lt;/li&gt;
&lt;li&gt;Know how to diagnose network connectivity problems, what tools to use, and which tool will show what. &lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;Example: the Security Group allows the traffic, but the traffic is not passing; where is the problem?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h4&gt;
  
  
  AWS CloudWatch
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Know it well. Understand how it works and what it is for: how to use it for scheduled actions, and how it interacts with other services.&lt;/li&gt;
&lt;li&gt;Take your time to understand how CloudWatch can be used to centralize events from your accounts and services.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS CloudFront
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Pay particular attention to the usage scenarios; it is worth clicking through and being aware of the functionality. Pay attention to the possible options for limiting access to content, charging for access, and use by applications.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS Lambda
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Play with permissions when using other services and working with API Gateway, including Cognito and authentication.&lt;/li&gt;
&lt;li&gt;You should also know when Lambda can come in handy, e.g., automating responses to security events.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS Cognito
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;It is worth distinguishing between User Pool and Identity Pool, what to use when, and how to build user permissions based on IAM and Cognito.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS WAF
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;What is WAF? How can we leverage it with ALB and CloudFront? Why should we consider buying rules from the Marketplace or writing custom rules?&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS Config
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Love this one! :)&lt;/li&gt;
&lt;li&gt;Automated reaction on findings/events is crucial here.&lt;/li&gt;
&lt;li&gt;Know the rule of thumb: AWS Config is for knowing "what" was changed, whereas CloudTrail is mostly for "who" made that change.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS SSM
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Do you know how to get into your EC2 instance without using TCP port 22?&lt;/li&gt;
&lt;li&gt;Know how we can update our EC2 instances and remediate findings in an automated way.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS Secrets Manager
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Get familiar with it.&lt;/li&gt;
&lt;li&gt;Remember! After configuring auto-rotation, the first rotation is performed immediately (to confirm that it's working as expected), so it may break the operation of the service consuming this secret.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  AWS Athena
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;It's worth going through your logs with Athena, even if just for a better understanding of what it's capable of.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  It is also worth knowing:
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;AWS Shield Advanced&lt;/li&gt;
&lt;li&gt;AWS Security Hub&lt;/li&gt;
&lt;li&gt;Amazon GuardDuty&lt;/li&gt;
&lt;li&gt;AWS CloudTrail&lt;/li&gt;
&lt;li&gt;AWS Config&lt;/li&gt;
&lt;li&gt;AWS Inspector&lt;/li&gt;
&lt;li&gt;Trusted Advisor&lt;/li&gt;
&lt;li&gt;AWS Directory Services&lt;/li&gt;
&lt;li&gt;AWS Organizations - what is SCP for?&lt;/li&gt;
&lt;li&gt;Amazon ECS - take a look at the security of the underlying hosts.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Read the FAQs for all of the services mentioned above, focusing heavily on the IAM and KMS documentation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Additional resources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/aup/"&gt;AWS Acceptable Use Policy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/security/penetration-testing/"&gt;AWS Penetration Testing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://medium.com/@rzepsky/passing-the-aws-certified-security-speciality-exam-d5ac90b3cdbc"&gt;Paweł Rzepa - his thoughts around the topic&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://coggle.it/diagram/XCx0VU8yTIKcn9xF/t/aws-certified-security-specialty"&gt;Mind map of Paweł Rzepa - beneficial for the recaps&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html"&gt;Condition Keys&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://jayendrapatil.com/aws-certification-security-identity-services-cheat-sheet"&gt;A good summary of services&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Video materials worth watching
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=gjrcoK8T3To"&gt;AWS re:Invent 2017: Best Practices for Managing Security Operations on AWS (SID206)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=YQsK4MtsELU&amp;amp;t=2s"&gt;AWS re:Invent 2018: Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=zU1x5SfKEzs"&gt;Advanced Security Best Practices Masterclass&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=X1eZjXQ55ec"&gt;AWS re:Invent 2017: Best Practices for Implementing AWS Key Management Service (SID330)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=gTZgxsCTfbk"&gt;AWS re:Invent 2017: A Deep Dive into AWS Encryption Services (SID329)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.youtube.com/watch?v=uhXalpNzPU4"&gt;Encryption and Key Management in AWS&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  My last thoughts around the exam
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Build your own lab and use as many services as you can. 
Play a lot with IAM policies and KMS policies, and know them well, not only semantically but also in terms of the rules and the connections between them.&lt;/li&gt;
&lt;li&gt;Take your time to get a good understanding of AWS Config, AWS Inspector, and AWS GuardDuty: what each one is for, where it gets its information from, and how they exchange it with each other.&lt;/li&gt;
&lt;li&gt;Practical knowledge of CloudTrail (especially data availability over time), CloudWatch, and VPC Flow Logs is essential.&lt;/li&gt;
&lt;li&gt;DDoS - how to counteract it depending on the service (ALB, CloudFront, EC2) - is very helpful on the exam ;) &lt;/li&gt;
&lt;li&gt;Use the extra time available to people whose first language is not English (be sure to request it before registering for the exam);&lt;/li&gt;
&lt;li&gt;Take advantage of the previous exam discount (if you still have one) - AWS gives you a 50% discount coupon for each exam you pass.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>certification</category>
    </item>
  </channel>
</rss>
