
AWS Certified SysOps Administrator – Associate: Study Plan

Approximately 18 months ago, I took the “Architecting on AWS” class (https://aws.amazon.com/training/course-descriptions/architect/), and passed the exam to achieve the “AWS Certified Solutions Architect – Associate” certification. I am now embarking on enhancing my AWS credentials. These will not just be paper certifications for me. My current employer is moving rapidly to AWS, and has a goal to move completely in a relatively short time. As such, my day-to-day hands-on work is very much aligned with the items I need to know for the certifications. I am planning on studying for and achieving the “AWS Certified SysOps Administrator – Associate” and the “AWS Certified Solutions Architect – Professional” certifications, in that order. Obviously, as someone whose primary job is database administrator, there will be some gaps for me to fill. However, I do have a background as a systems administrator from before I focused solely on DBA work, and I had already made extensive use of scripting and automation before I worked in cloud environments.

For the SysOps certification, AWS publishes the exam criteria at https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS%20Certified%20SysOps%20-%20Associate_Exam%20Guide_Sep18.pdf. The document lists seven domains that will be covered by the exam. In order to come up with my own study plan, I started with the Exam Readiness video (https://www.aws.training/learningobject/video?id=27486). This 90-minute video reviews the seven domains and gives pointers on the types of services each domain focuses on, as well as some sample questions. I realize that this video is intended to be used towards the end of your preparation, but I feel it really provides a solid outline for studying and review. Here is a summary of the video’s pointers.

Domain 1: Monitoring and Reporting

This domain focuses heavily on CloudWatch and CloudTrail.

CloudWatch is a metrics repository. How do metrics get in? Most AWS services publish their own metrics to CloudWatch automatically, and you can publish custom metrics from your own applications with the PutMetricData API.

Once the metrics are in, what do you do with them? You can view them in the console or pull them into other tools, and you can set alarm thresholds on them. Alarm actions include publishing to an SNS topic (which can fan out to email), triggering an Auto Scaling or EC2 action, and, through a CloudWatch Events rule on the alarm state change, invoking a Lambda function.

Know the definitions of Metric, Namespace, Period, Alarm, Events, and Logs.

Metrics are sampled, not continuous. Standard EC2 monitoring publishes a data point every 5 minutes; detailed monitoring (1-minute intervals) costs extra.

CloudWatch alarms have three states: OK, ALARM, and INSUFFICIENT_DATA. An alarm compares a selected metric against a specified threshold over one or more evaluation periods, and can trigger an action when its state changes.

A CloudWatch event is a JSON document describing what happened, and it can be parsed programmatically. The top-level envelope fields (version, id, detail-type, source, account, time, region, resources) are the same for every event; the detail object varies with the event type.

CloudWatch Logs can also be searched, and metric filters turn matching log lines into metrics that alarms can act on.

CloudTrail records calls to the AWS APIs: who made the call, what was called, where it came from (region and source IP), and when, for both successful and failed calls. Log files are delivered to an S3 bucket and can optionally be sent on to CloudWatch Logs.

AWS Config records the configuration of your resources and keeps a version history of each, so you can review the current state, track change management, spot human error, and evaluate resources against rules.
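To make the CloudTrail point concrete, here is a small script that pulls the who / what / where / when out of CloudTrail records and separates successes from failures. This is an added example, not from the video or the exam guide; the log file text is constructed in the shape CloudTrail delivers to S3 (a JSON object with a "Records" list), and the account ID, ARNs and IP addresses in it are made up.

```python
"""Pull who / what / where / when out of CloudTrail records and surface failures.

Added example, not from the original post. The log file text below is constructed
in the shape CloudTrail delivers to S3 (a JSON object with a "Records" list); the
account ID, ARNs and IP addresses are made up.
"""
import json
from collections import Counter

SAMPLE_LOG_FILE = """{
  "Records": [
    {
      "eventVersion": "1.05",
      "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
      "eventTime": "2019-01-15T10:00:00Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "RunInstances",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "203.0.113.5"
    },
    {
      "eventVersion": "1.05",
      "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
      "eventTime": "2019-01-15T10:01:12Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "CreateUser",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "198.51.100.7",
      "errorCode": "AccessDenied",
      "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:CreateUser"
    },
    {
      "eventVersion": "1.05",
      "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
      "eventTime": "2019-01-15T10:01:40Z",
      "eventSource": "iam.amazonaws.com",
      "eventName": "AttachUserPolicy",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "198.51.100.7",
      "errorCode": "AccessDenied",
      "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:AttachUserPolicy"
    },
    {
      "eventVersion": "1.05",
      "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
      "eventTime": "2019-01-15T11:30:00Z",
      "eventSource": "signin.amazonaws.com",
      "eventName": "ConsoleLogin",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.44",
      "responseElements": {"ConsoleLogin": "Success"}
    }
  ]
}"""


def load_records(log_file_text):
    """A CloudTrail log file is one JSON object whose "Records" key holds the events."""
    return json.loads(log_file_text)["Records"]


def who(record):
    """The caller: the ARN when present, otherwise the user name or identity type."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("userName") or identity.get("type", "unknown")


def summarize(records):
    """Reduce each record to who / what / where / when, plus whether the call
    succeeded (CloudTrail marks failures with an errorCode field)."""
    return [
        {
            "who": who(r),
            "what": f"{r.get('eventSource', '?')}:{r.get('eventName', '?')}",
            "where": f"{r.get('awsRegion', '?')} from {r.get('sourceIPAddress', '?')}",
            "when": r.get("eventTime", "?"),
            "succeeded": "errorCode" not in r,
            "error": r.get("errorCode"),
        }
        for r in records
    ]


def access_denied_by_principal(records):
    """Count AccessDenied failures per caller. A burst from one principal usually
    means a misconfigured policy, or someone probing what their credentials can do."""
    return Counter(who(r) for r in records if r.get("errorCode") == "AccessDenied")


def root_activity(records):
    """Any use of the root account deserves an alarm; list what root did."""
    return [r["eventName"] for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG_FILE)
    for row in summarize(records):
        print(row)
    print("AccessDenied per principal:", dict(access_denied_by_principal(records)))
    print("Root activity:", root_activity(records))
```

In a real account the files land in S3 gzipped, so you would read them through gzip before json.loads; the two failure counters above are the kind of thing you would feed into a CloudWatch Logs metric filter and alarm rather than run by hand.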

Domain 2: High Availability

Know the different use cases for HA, as well as the difference between high availability and resiliency.

Study Route 53, including how to route dynamically with routing policies such as latency-based routing, and how health checks drive failover.

Understand CloudFront and how it can be used for both static and dynamic content.

Understand Elastic Load Balancing (ELB) and the differences between the Application Load Balancer (layer 7, HTTP/HTTPS; the most flexible, since it inspects each request and can route on host, path and other request content), the Network Load Balancer (layer 4, TCP; faster and lower latency, but it does not look inside the connection and so is less flexible), and the Classic Load Balancer (the original, with basic layer 4 and layer 7 support).

Learn about EC2 Auto Scaling: how launch configurations work, what Auto Scaling groups are, and how scaling can be triggered (health checks, schedules, scaling policies driven by CloudWatch alarms, etc.).

Domain 3: Deployment and Provisioning

This domain is all about three services: Elastic Beanstalk, OpsWorks, and CloudFormation. Know the use cases for each and why you would pick one over another. Elastic Beanstalk is the most convenient way to deploy an application: you upload the code, it provisions the environment, and it can roll out updates. OpsWorks is more powerful; it comes as OpsWorks Stacks (Chef recipes run by AWS) and as managed Chef Automate or Puppet Enterprise servers, and it can deploy application stacks and push updates to them. Understand OpsWorks stacks and layers. CloudFormation is infrastructure as code: understand the template structure (Parameters, Mappings, Conditions, Resources, Outputs), how parameters and mappings work, and so on.

Domain 4: Storage and Data Management

Services to know for this domain: within a VPC, Elastic Block Store (EBS) and instance store. Know the use cases for each (instance store is ephemeral and is lost when the instance stops or terminates), how snapshots are used, and so on. Know the EBS volume types, what they are suited for, and their specs. Understand how to encrypt EBS volumes (with KMS keys; snapshots of encrypted volumes are themselves encrypted), the limits (an existing unencrypted volume cannot be encrypted in place; copy a snapshot with encryption enabled and build a new volume from it), and the benefits.

Outside of a VPC, you need to know S3, Glacier, and Elastic File System. S3 is highly available and durable; objects in the standard storage classes are stored redundantly across multiple AZs in a region (only One Zone-IA keeps data in a single AZ). It is priced on the volume of data stored, on requests, and on data transferred out. Glacier is low-cost long-term archive storage. Standard retrieval takes 3-5 hours; expedited retrieval (1-5 minutes) is available but costs more, and bulk retrieval (5-12 hours) is the cheapest. EFS is an NFS file system that many instances can mount at once as shared storage.

Domain 5: Security and Compliance

Know the shared responsibility model inside and out, and know IAM (Identity and Access Management): how users, groups, and roles work, and how policies are attached to them. Be able to read an IAM policy JSON document and say what it does (an explicit Deny always wins over an Allow, and anything no statement allows is implicitly denied). Know the four types of security credentials: the root account email and password, an IAM user name and password for the console, an access key ID and secret access key for programmatic access, and multi-factor authentication. Understand that IAM roles are preferred over IAM users in most cases, because a role hands out temporary credentials instead of long-lived keys that must be stored and rotated. Understand what security groups and NACLs are.

Learn about the security products AWS offers: GuardDuty (threat detection that applies machine learning and threat-intelligence feeds to CloudTrail, VPC Flow Logs and DNS logs), Shield (protection against DDoS), and Inspector (automated vulnerability and configuration assessment of EC2 instances).
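Reading an IAM policy document is easier once you have the evaluation order in your head: an explicit Deny beats any Allow, and a request that no statement allows is implicitly denied. Here is an added example (not from the video or the exam guide) that applies that order to constructed policies; the bucket name is made up, and the evaluator models only Effect/Action/Resource with IAM wildcards, leaving out Condition blocks, NotAction/NotResource, and resource-based policies that real IAM also evaluates.

```python
"""Read an IAM identity-based policy the way the exam expects: an explicit Deny
beats any Allow, and a request nothing allows is implicitly denied.

Added example with constructed policies, not from the original post. It models
Effect/Action/Resource with IAM wildcards only; Condition blocks, NotAction and
NotResource, and resource-based policies are left out.
"""
import json
import re


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    """Statement, Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are matched as written.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))


def decide(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for a single request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny ends evaluation
            if stmt["Effect"] == "Allow":
                allowed = True
    return "allow" if allowed else "implicit deny"


# Constructed policies; the bucket name is made up.
READ_ONLY_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "ReadObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

DENY_SECRETS_PREFIX = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Sid": "NoSecrets", "Effect": "Deny", "Action": "s3:*",
                "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
}""")

POLICIES = [READ_ONLY_BUCKET, DENY_SECRETS_PREFIX]

if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/index.html"),  # allow
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/db.pem"),     # explicit deny
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/index.html"),  # implicit deny
        ("iam:CreateUser", "*"),                                            # implicit deny
    ]
    for action, resource in checks:
        print(f"{action:16} {resource:50} -> {decide(POLICIES, action, resource)}")
```

The Deny statement is the part worth noticing: it is attached as a separate policy, yet it still overrides the Allow in READ_ONLY_BUCKET, which is why a guard-rail Deny can be attached to every user or role without having to edit their existing permissions.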

Domain 6: Networking 

How are VPCs created? 

How do VPCs span AZs? (A VPC spans every AZ in its region; each subnet lives in exactly one AZ.)

Understand subnetting in a VPC (AWS reserves the first four and the last IP address of every subnet).

How do security groups and NACLs work?

Understand the uses and differences between an Internet Gateway, a Virtual Private Gateway, and a VPC peering connection.

What makes a subnet private? (Its route table has no route to an Internet Gateway.)

Direct Connect: how can a customer’s on-premises environment connect to AWS? (A dedicated private link, as opposed to a VPN over the internet terminating on a Virtual Private Gateway.)

NAT options: NAT Gateway (managed, scales automatically) or NAT instance (an EC2 instance you run yourself, with its source/destination check disabled)? Why would you want NAT? (So instances in private subnets can reach the internet for updates without being reachable from it.)

Security groups are stateful and work at the instance (network interface) level: if an inbound request is allowed, the reply is allowed out automatically.

NACLs are stateless and work at the subnet level: rules are numbered and evaluated in order, the first match wins, and return traffic needs its own rule (typically covering the ephemeral port range).

Know how to troubleshoot connectivity and NAT issues
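The stateful/stateless distinction is where most connectivity troubleshooting questions come from, so here is an added example (not from the video or the exam guide) that simulates one HTTPS round trip through a NACL and a security group. The addresses, ports and rule numbers are constructed; the NACL evaluation order (ascending rule number, first match wins, implicit deny at the end) is how NACLs actually behave, and the connection tracking is a simplified model of how a security group admits return traffic.

```python
"""Security groups (stateful) versus network ACLs (stateless), as a small
simulation of one HTTPS round trip.

Added example, not from the original post. Addresses, ports and rule numbers
are constructed; the connection tracking is a simplified model of how a
security group admits return traffic.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; first match wins
    proto: str       # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    allow: bool      # NACLs have explicit deny rules; security groups do not


def _matches(proto, port_from, port_to, cidr, ip, port, pkt_proto):
    """Shared matcher: protocol, port range (ignored for "all") and CIDR."""
    if proto not in ("all", pkt_proto):
        return False
    if proto != "all" and not port_from <= port <= port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_allows(rules, ip, port, proto):
    """Stateless: every packet, replies included, is checked on its own. Inbound
    rules look at the source IP, outbound rules at the destination IP, and both
    compare the destination port. No match means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.port_from, rule.port_to, rule.cidr, ip, port, proto):
            return rule.allow
    return False


@dataclass
class SecurityGroup:
    """Stateful: rules say who may open a connection; the reply to an accepted
    connection is allowed automatically, whatever the other direction's rules say."""
    inbound: list                                 # (proto, port_from, port_to, cidr) allow rules
    outbound: list = field(default_factory=list)  # same shape; the real default is allow-all
    _conns: set = field(default_factory=set)      # connection tracking state

    def inbound_allows(self, pkt):
        ok = any(_matches(p, lo, hi, cidr, pkt.src_ip, pkt.dst_port, pkt.proto)
                 for p, lo, hi, cidr in self.inbound)
        if ok:
            self._conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return ok

    def outbound_allows(self, pkt):
        # A reply to a tracked inbound connection passes on state alone.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self._conns:
            return True
        return any(_matches(p, lo, hi, cidr, pkt.dst_ip, pkt.dst_port, pkt.proto)
                   for p, lo, hi, cidr in self.outbound)


def make_web_sg():
    # Deliberately no outbound rule, to show the reply still gets out.
    return SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")])


INBOUND_NACL = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", True)]
# The classic mistake: outbound mirrors inbound, so the reply to the client's
# ephemeral port hits the implicit deny and the TCP handshake never completes.
OUTBOUND_NACL_BROKEN = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", True)]
# The fix: an outbound rule for the ephemeral port range clients reply on.
OUTBOUND_NACL_FIXED = OUTBOUND_NACL_BROKEN + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", True)]


def https_round_trip(nacl_in, nacl_out, sg):
    """Client 203.0.113.5 opens HTTPS to 10.0.1.10; the instance replies to the
    client's ephemeral port. Report which hops let each packet through."""
    request = Packet("203.0.113.5", 49152, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 49152)
    return {
        "request_nacl": nacl_allows(nacl_in, request.src_ip, request.dst_port, request.proto),
        "request_sg": sg.inbound_allows(request),
        "reply_sg": sg.outbound_allows(reply),
        "reply_nacl": nacl_allows(nacl_out, reply.dst_ip, reply.dst_port, reply.proto),
    }


if __name__ == "__main__":
    print("broken NACL:", https_round_trip(INBOUND_NACL, OUTBOUND_NACL_BROKEN, make_web_sg()))
    print("fixed NACL: ", https_round_trip(INBOUND_NACL, OUTBOUND_NACL_FIXED, make_web_sg()))
```

The broken case is the one to remember when a connection from the internet times out even though the security group looks right: the request gets in, the security group lets the reply out on state alone, and it is the outbound NACL, which has no state, that drops the SYN-ACK on its way back to the client’s ephemeral port.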

Domain 7: Automation and Optimization

Need to understand Trusted Advisor and Systems Manager inside and out.

Understand the optimization value of right-sizing instances, Lambda/serverless, shutting down unused resources (or running Spot Instances for interruptible, sporadic work), and using tags for cost allocation and billing.

Understand how Step Functions can be used for workflow optimization.
