I passed the exam Friday (10/4) and it was nothing if not one of the most stressful things that could happen to a person. Here is a quick review of my test preparation as well as what happened the day of the exam.
There is a bit of a backstory. I took the cloud practitioner exam in June and since so much of that material is relevant to the solutions architect exam, it’s safe to say, my studies started in June. I signed up for an Intro to Cloud Computing online course with The-ITEM and had taken the exam into my third week. I stayed in the course because my husband wanted to learn about cloud computing and I could be there for moral support.
The materials I used to study with and pass the CSAA are as follows:
AWS Certified Solutions Architect Study Guide: Associate (SAA-C01) Exam book $
AWS Certified Solutions Architect Practice Tests: Associate SAA-C01 Exam book $
AWS Certified Solutions Architect-Associate Certification Guide book $
I watched the A Cloud Guru course from beginning to end, twice. Once along with The-ITEM and once with my study buddy, more on that later. Since the Linux Academy content was in the process of being refreshed, I only reviewed certain modules in that course. As I got closer to the test date, the course was done and I watched a few sections through from beginning to end. Linux Academy has a very thorough way of going through the services. It will do you well to watch this course from beginning to end. The depth and breadth of the 44 hour course is staggering.
The books were just as helpful as the course. I like to read physical books. Being able to mark up, highlight and doodle in the margins was a plus for me. I’d print out the chapter quizzes or a few pages of questions and practice answering them, over and over. The exams in the A Cloud Guru course were good as were the practice exams provided by the cert guide.
Reading the FAQs the day before and the day of the exam really helped me get a few extra points. I would highly recommend not skipping this step. The courses aren’t up to date, nor are they comprehensive. Getting the information straight from AWS is always a sound choice.
My AWS Study Buddy
After having taken over a month off from study prep, I knew I needed to get back on the ball. The power of Twitter found me someone to study with and keep me on track to take the exam. I tweeted that I was looking for an AWS study buddy and somehow, my tweet found its way to a young lady in Portugal.
We met online twice a week for 2-3 hours each time. She’s 5 hours ahead, so she was talking to me in the middle of the night. We read and watched the courses in advance and would discuss the content, walk through the console and do the quizzes and exam questions together. I scheduled my exam just to put it on my calendar and have a date to work towards. She scheduled her exam for the same day.
As the exam date neared, I fell behind. My dog died and I was devastated. I didn’t feel ready and was about to reschedule the exam. My husband told me not to. He said, “only two things can happen, you will pass or you will fail and know just what to expect on the exam”. So, I pressed on.
My study buddy took her test before me and she passed. She messaged me to tell me that I won’t have any trouble passing it either. She would know. We’d spend hours together going over content and questions and had so many discussions about all things AWS CSAA. She used almost every minute they gave her and suggested I do the same. I knew I would take her advice.
Whatever could go wrong at the test center did go wrong. The computer wouldn’t log me in and someone had to assist. After that little hiccup, I was off and running, with 130 minutes to complete 65 questions. I went through the exam and flagged 18 questions, then at the end, revisited them. Next, I went through each question again, from beginning to end. I told myself that I’d end the test with a minute left. As that time approached, I felt very good about the exam and went to end the test.
The system was still counting down, but I wasn’t able to end the test. I didn’t know what to do. I got up and ran out of the room and screamed, “MY TEST WON’T END!!!” I had 30 seconds left and I had no idea what would happen. When I got back to the test, it had timed out, the proctor tried to get my test to end, screen to move or anything. Nothing happened. She walked out and I followed her. Heart racing and feeling a tear in my eye, she reassured me that the test would save and nothing would be lost. She had to call someone and he walked her through the process and she was able to log me in and end the exam for me. I sat back down, completed the survey and got the notification I was waiting for. I PASSED!
I took to Twitter to scream it from the rooftop that I passed.
…and that my study buddy passed too!
A load was lifted. All that work paid off. Next up, the AWS Certified Sysops Administrator Associate Exam.
Security is everyone’s job. There, I said it. Now that I got that under my belt, I’ll tell you how the first Amazon Web Services (AWS) re:Inforce conference went.
The Senior Information Security Architect at my job wasn’t able to attend the conference and asked me to go in his place. With the focus being on security, this wasn’t something I would have picked for myself. Alas, my manager said I could go if I came back and shared what I’d learned. I’m so glad I did.
Déjà vu all over again. I was just here at the Boston Convention Center a few weeks ago for Red Hat Summit which means I’d have a greater chance finding my sessions. They had shuttles to and from hotels which was great, but upon entering the convention center, there were metal detectors and bag checks. I’ve never been to a conference where they had metal detectors and went through your stuff. It felt like I was at the airport, except I didn’t have to take my shoes off. You had to empty your pockets and if you had keys or any metal, you had to walk through with it in your hands and your hands over your head (like don’t shoot). Of course, the metal detector goes off as I walk through. The guard wands me and stops on my pocket. He starts getting louder and louder asking me what’s in my pocket over and over again. I said, “nothing” and he asks again, so I just lifted my shirt up and patted my pocket and said, “nothing!!!”. He lets out this little laugh and says, “oh, it’s your jeans.” How many people do you think walked through there with grommets on their jeans? DO BETTER re:Inforce organizers.
Off to breakfast. There is nothing good to report here. On to my review of the keynote.
Tuesday started with the keynote, led by AWS VP and CISO, Steve Schmidt. His talk started off separating AWS from the other cloud vendors by way of the revenue generated and the number of ‘regions’ competitors have versus the number of regions AWS has. With 21 regions and 66 availability zones, the way AWS constructs regions seems to far surpass that of the next closest competitor.
There was a lot of emphasis on security of the cloud and security in the cloud, which is called, the shared responsibility model. Looking at the culture of security, (this is a security conference, right) it must be “built into what we do everyday”. Touting AWS products that will provide the type of granular security, monitoring and compliance businesses need now and in the future, he hoped we all walked away with 3-5 things to make you more secure.
Separated into chapters, the talk covered the following topics:
Chapter 1: The Current State of Security
Chapter 2: Culture of Security
Chapter 3: Governance, Risk and Compliance
Chapter 4: Security Deep Dive
Chapter 5: The Future of Cloud Security
As he reviewed the current state of security, he hailed the fact that currently, 94% of all websites are using SSL, but on the other end of the spectrum, 94% of all IOT devices are sending information in plain text. AWS has a service called IOT Defender, a fully managed service which gives you a way to patch and update devices and even more importantly, encrypting device data.
There is a service called AWS Ground Station, which is a fully managed service that lets you control satellite systems as well as ingest and process that data.
The most talked about suite of security services in this keynote was Security Hub (which just went GA), GuardDuty, Inspector and Macie. Together, they provide automated compliance checks of application and resources, uses machine learning to analyze and monitor account activity and networks, and classify and protect sensitive data. Although separate products, they seem to always be mentioned together.
He mentioned that “encryption is no silver bullet”, but it surely beats a blank. A new feature that customers have been waiting for is Elastic Block Store (EBS) encryption by default. You can opt in to have all newly created volumes encrypted at creation, with the ability to use customer managed keys or AWS default keys. Since keys are regional, you have to opt in region by region. With this, on top of layering defenses, AWS is putting security at every level.
There were many more services mentioned and reintroduced: Control Tower, Config Rules, IAM Access Advisor + Organizations, AppMesh, Nitro w/ Firecracker, Radar Framework, Root CA Hierarchy for ACM and so many more, I thought they were just making stuff up at this point.
How to Secure Your Active Directory Deployment on AWS
This is the session that I looked forward to the most. Since we are working towards deploying Active Directory (AD) to AWS, this was pretty timely. The presenter, an AWS employee, discussed the use cases for deploying AD to AWS, then gave an overview that covered 2 deployment types, self-managed AD and managed AD. Starting with an overview of the basics of AD, he used the shared responsibility model as the starting point to draw the distinction between the two solutions.
The managed AD solution is of course easier and less work to deploy. Creating a separate forest or domain and either a 1-way or 2-way trust in the beginning was the biggest part of implementing that solution. The only thing the customer has to worry about after that are the users, groups and group policy. We looked at that solution in the beginning, but for the level of access we require in our domain, we opted for the self-managed AD, where we deploy a server and promote it to a domain controller (DC). This allows us to extend our on-prem out to AWS and work with our single sign on.
He discussed the separation of responsibility by creating an account structure that separated the management of AD into separate accounts using AWS Landing Zone. Also, creating a separate organizational account that logged all accounts using CloudTrail and AWS Config logs as well as a security account that had the GuardDuty master in it.
This talk covered quite a bit of very relevant information for me. I’ll definitely be reviewing the slides and rewatching the session.
Securing Serverless and Container Services
This talk was on 2 technologies I’m not very familiar with; serverless and containers. He talked about common sense approaches to securing both technologies, using slides that covered multiple security domains and services as well as ‘cloud adoption framework’ from a security perspective. Slides & recording.
Security Best Practices and the Well-Architected Way
As a student of the Well-Architected Framework, this session gave me a great primer into how AWS provides services that uphold this pillar. With the Well-Architected tool, which is free to use, you can review your workloads and discover areas where you can improve technical decisions on how to secure your workload in AWS. I also found out about the labs on security as well as other pillars of the framework. This looks like a very good resource to play around with tools (outside of your production account, of course) and discover what’s available. Slides & recording.
Learn to Love The AWS Command Line Interface
This was a talk held in the expo center at the Developer’s Lounge by one of my favorites who teaches online AWS certification classes on Udemy and A Cloud Guru, Ryan Kroonenburg. I was so excited to see his tweet that he was doing a talk on the AWS CLI. Although the title was different, it was the same exact talk he did at AWS Public Sector Summit, but with a different name.
I wasn’t the slightest bit upset by it. At his talk at Summit, he mentioned he used Amazon Polly to help him study for exams. I took his advice and learned about Polly and did the exact same thing for my exam, which was a little over a week away. I typed my notes up and used the SSML markup and was able to download them all to MP3s. It was so rad to be able to study on the go.
Before the talk started, I’d asked could I get a selfie with him because he was swamped at the end of his talk at summit. Of course he obliged and his right hand, Faye Ellis volunteered to take the photo. There was NO WAY I was going to have her take the photo, I wanted her in it.
He went over 20 CLI commands and stipulated that this talk wasn’t aimed at gurus, just regular folks who want to learn about what’s possible in the CLI. He covered installing it on Mac and Windows as well as setting it up with your access keys (the very insecure way, but hey, that’s how we all learned). There were quite a few that I didn’t know about or had forgotten about. I didn’t use Polly via the CLI, but this time I took a photo of the URL in the slides and I will definitely check it out.
Of course, I had a better grasp on some commands the second time around. It was a great 30 minutes well spent and I got to thank them for the great content. There was no need to take notes, he put all the commands up in S3 for our CLI enjoyment.
Threat Detection on AWS: An Introduction to Amazon GuardDuty
Finally, a primer on GuardDuty. By this time, I’d heard so much about this product, it was high time I found out what it actually was. My colleague said we were already using it so now I was even more interested in seeing it for myself.
GuardDuty is a regional managed service that can aggregate logs across AWS accounts and analyze them for unexpected and/or malicious behavior, capturing what it detects in a record called a Finding. With no agent needed, it takes information from VPC Flow Logs, CloudTrail events and DNS logs and produces the findings. Rated high, medium and low, findings contain information about the resource in question and the behavior detected. You click on it for even more details about the issue. Details may include account id, the type of resource, the port, the number of times it’s been logged, as well as a link to learn more about the behavior.
GuardDuty gets its threat intel from CrowdStrike, ProofPoint and threat information gathered by AWS. With this much information, you can imagine the number of events being processed. This data is never logged, just streamed and processed in memory, unless the log entry contains a finding.
Once you get a feel for the type of behaviors that are occurring in your environment, you can set up automated remediation using Lambda and CloudWatch Events to take action on a finding. If someone adds or changes a rule to something insecure like port 22 on 0.0.0.0/0, you can create a Lambda function that will lock the port down to whatever you like.
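A sketch of the port 22 remediation described above, as an added example that is not from the talk or from AWS. It assumes a CloudWatch Events rule that forwards the CloudTrail `AuthorizeSecurityGroupIngress` API call to the function; the sample event is constructed, and the set of ports treated as administrative is an assumption.

```python
# Assumption: only SSH is treated as an administrative port here.
ADMIN_PORTS = {22}
WORLD = {"0.0.0.0/0", "::/0"}

def _covers(rule, port):
    """True if the rule's protocol and port range include `port`."""
    proto = str(rule.get("ipProtocol"))
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def world_open_admin_rules(event):
    """Return (group_id, IpPermissions to revoke) for a CloudTrail event.

    Only the world-open CIDRs are revoked; narrower ranges added in the
    same call are left alone.
    """
    detail = event.get("detail") or {}
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None, []
    if detail.get("errorCode"):            # the API call failed, nothing to undo
        return None, []
    params = detail.get("requestParameters") or {}
    revoke = []
    for rule in (params.get("ipPermissions") or {}).get("items", []):
        if not any(_covers(rule, p) for p in ADMIN_PORTS):
            continue
        v4 = [r["cidrIp"] for r in (rule.get("ipRanges") or {}).get("items", [])
              if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in (rule.get("ipv6Ranges") or {}).get("items", [])
              if r.get("cidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        perm = {"IpProtocol": str(rule["ipProtocol"])}
        if perm["IpProtocol"] != "-1":     # a revoke must match the rule's port range
            perm["FromPort"], perm["ToPort"] = rule["fromPort"], rule["toPort"]
        if v4:
            perm["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        revoke.append(perm)
    return params.get("groupId"), revoke

def lambda_handler(event, context):
    group_id, revoke = world_open_admin_rules(event)
    if not group_id or not revoke:
        return {"revoked": 0}
    import boto3                           # provided by the Lambda Python runtime
    boto3.client("ec2").revoke_security_group_ingress(
        GroupId=group_id, IpPermissions=revoke)
    return {"revoked": len(revoke), "groupId": group_id}

# Constructed sample event (placeholder group id and documentation CIDR).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"},
                                        {"cidrIp": "203.0.113.0/24"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}
```

The function's execution role needs `ec2:RevokeSecurityGroupIngress`, and nothing else, for this to work.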
I’m sure it will be a great tool in our AWS security arsenal. Slides & recording.
How to act on your security and compliance alerts with Security Hub
This talk was aimed at getting customers to look at Security Hub (SH) as a way to address compliance. With two AWS employees and two SH customers, they started off with 4 problem statements that outlined issues that can be addressed by this product.
Backlog of Compliance requirements
Too many security alert formats
Too many security alerts
Lack of integrated view
SH offers a single view into your security and compliance tools. Using best practices suggested by the Center for Internet Security AWS security benchmarks, you’ll get a compliance score against their standards. It’s a bit like GuardDuty in that it will offer a single view for you to review, triage and take action on issues. It even works with GuardDuty as well as Macie and Inspector as they can send their findings into SH for review. You can also centralize accounts and it will give you insight into what types of issues it discovers across your organization.
There are plenty of third-party integrations, like CrowdStrike Falcon, Palo Alto: VM-Series and Splunk Enterprise, that you can enable to gain the ability to consume their data. With provided CloudFormation templates, you can set up integration between them and SH. You can also send findings to partners like PagerDuty, Slack and Splunk for even quicker notifications.
Aligning to the NIST Cybersecurity Framework in the AWS Cloud
This talk was way over my pay grade, but I was able to glean some gems to bring back to my colleagues.
I learned what the NIST Cybersecurity Framework was and what industries, organizations and even states use it. They mentioned a whitepaper on it as well as a workbook that outlines the responsibilities.
I had to run in the middle of the talk to grab a special swag item by request, but here are the slides and recording.
Securing your Block Storage on AWS
This talk was an overview of block storage in general as well as the availability of opt-in default encryption on new EBS volumes. It’s just a check box and from then on, all new volumes will be encrypted using a key you create or a default key. Although you’ll need to enable this on a region by region basis, you can forever be sure that volumes will be encrypted.
There was so much talk of KMS, I decided to make sure I dropped into the hands-on labs to see if I could get some time with it.
I hope the slides and recording can shed light on this. This session was PACKED. The walk-ups couldn’t even get in. *** Inside Hack*** Next time, walk in on an empty line, grab some headphones and sit in an empty seat in another section.
Hands On Labs
I passed on the last 2 sessions of the day to get some time in with hands on labs. When you entered the room, you were given a ticket with a code that gave you 1 free lab on qwiklabs. Once you were done with a lab, you could get another code and learn something else. I was able to knock out quite a few before they closed down. Here are the labs I completed.
Caching Static Files with Amazon Cloud Front
Introduction to Amazon EC2
Working with Amazon Elastic Block Store (EBS)
Working with Elastic Load Balancing (ELB)
Introduction to AWS Key Management
Introduction to AWS Identity and Access Management
The EC2 and IAM labs were elementary, but I’d never created an application load balancer before, so that was a pleasant surprise how straightforward it was to set up.
End of the conference
After an exhausting day and an AWS online study group to get to, I didn’t go to the closing reception. However, I was able to make my way to the expo floor and snag a few more t-shirts and a beer.
Overall, this was a really good conference. I learned a lot about services I’d never heard of and more about services that I use frequently. With all this information about what AWS has and how some services work together, I feel like I’m in a better position to investigate and dig around the console more and gain some nuggets for the Solution Architect exam.
I passed the exam today, so before I’m inundated with work stuff and AWS re:Inforce next week, I thought I’d write this up while it was fresh in my head.
I set my intentions this year to move forward learning more about AWS and getting a few certifications along the way. I started a new job in January that has some production but mostly test/dev workloads in AWS. Once I got my AWS credentials, I was off and running. I logged in and took a look around at what was running. I started trying and failing at a few things, but I learned a lot along the way.
I promised myself I’d get my AWS Certified SysOps Administrator Associates (SysOps) certification this year, so I set off in that direction. I’m going to admit, it’s better to have a little bit of experience in AWS before you dive into that exam. My boss suggested I try for the AWS Certified Solutions Architect Associates (SA) exam first, so I changed course. I discovered there was an even more entry-level certification, the AWS Certified Cloud Practitioner exam, so I decided to try that one first while studying for the SA.
To start my study, I purchased a book by Anthony Sequeira on May 17th and set to reading. I also started the Linux Academy course on the same topic. My SA study group started on June 3rd, held by this local group called The Item which stands for “The Inclusive Technology + Entrepreneurship Movement”. My husband decided to join the group as well, now we’re both studying to become SAs!!!
To study for the exam, we get on Zoom 3x a week and talk about the topics on the exam. We use Qwiklabs and the ‘A Cloud Guru’ course on Udemy and of course Linux Academy’s course and playground to reinforce what we’ve talked about for more practical experience and reinforcement.
Now, back to the Cloud Practitioner exam. I will admit, I like getting information from various sources. I tend to grasp certain topics better when the delivery comes in several formats (blogs, books, videos, podcasts, tutorials, flash cards). I also tried Amazon Polly which translates my notes to speech. It was such a hit! With just a few tags to make the speech more ‘human’, I was able to listen to my notes on my commute using MP3s downloaded from S3 (AWS Simple Storage Service).
I can say, with 100% certainty, that the icing on my studying cake was watching the AWS Cloud Practitioner Essentials course on their site. This was what I watched in the days leading up to the exam in addition to taking practice exams on the Pearson website.
I didn’t fully grasp IAM roles and policies until I watched the Identity and Access Management video in the ‘AWS Cloud Practitioner Essentials: Security’ video by Blaine Sundrud. His explanations and white-boarding really hit it home for me. Also, what gave me confidence in understanding the Well-Architected Framework (on top of having read it) was the video on AWS. I recommend watching it and reading it as well. These concepts are important to grasp.
I stayed up late the night before and got up early on test day just to watch more of the videos on AWS. I also did a few more runs on the practice tests, scoring 93-100% all the way. I felt ready. I got a few good luck emails from the CTO, my boss and a few team mates. I got to the PearsonVue location early and was ready to go. The wait almost did me in. With 2 people ahead of me for my 9AM test appointment, I didn’t get into my test chair until 9:30.
Once there, I was off and running. I was done in almost 30 minutes, but marked several for review. After reviewing about 10 or so questions, I started from the beginning and went over each question again. They gave me 90 minutes, so I used an hour of it. I wasn’t in a rush after having waited over 30 minutes to get to my workstation. When it was all over, I exhaled, ended the exam and found out I passed.
My main advice to anyone studying for either exam is to practice. Go through the console and get an idea of where everything is. Then step through creating the resources and getting a feel for what the configurations look like. Know the terms and their nuances, you will be tested on similar ‘feeling’ terms, so know what they mean emphatically. Read the FAQs for key services and don’t forget to commit the Well-Architected Framework to memory. In my opinion, your success on your practice exams will closely mimic your success on the real exams. Sadly, my results haven’t been posted to my account yet. I was hoping they’d be up before the AWS conference next week so I could stunt in the certification lounge.
The resources I used for the Cloud Practitioner exam are as follows:
AWS Well-Architected framework training course (free)
Good old fashioned flashcards (free)
Copious notes (free)
You don’t need all of this to pass this exam. I’m just fortunate to have access to so many resources, so find what works within your budget and work hard. To find out more about AWS certifications and to register for an exam, visit AWS training and certification and set up an account.
Good luck and I’ll see you when I’ve taken the SA exam.
*UPDATE* I got my results! Now it’s official. I can proudly flex my badge and get into the certification lounge at AWS re:Inforce and re:Invent.
In the destination IP box, select your Static IP name and click save.
You will be given a list of name servers to point your domain to. I’m using Hover and here is how I point my domain to my Lightsail server.
Log into your Hover account and on the overview tab, scroll down to nameservers and click edit.
Enter the name servers given to you in the DNS records tab in your Lightsail console. You must add at least two. Add additional nameservers by clicking the plus sign. When you’re done, click Save Nameservers.
Edit DNS Records:
Click on the DNS tab and review your current DNS settings. Click edit next to the A (*) record and enter the static IP of your Lightsail server.
Click Save Changes and repeat for the A(@) record.
Test your changes by entering your domain name into a browser to see if your website loads.
If it doesn’t load immediately, be patient. It can take anywhere from 24-48 hours for DNS to propagate.
I was invited to Philly ‘burbs WordPress meetup to give a talk about how to install WP on AWS. I’d given this talk before in an impromptu setting, my dining room table, to my monthly coding group. It was more of a workshop, really hands on and at the end, everyone was a command-line hero in my book. Most, never having logged into a Linux server before, let alone deploying a server in the cloud.
Liam, the group leader, saw a tweet about it and invited me to present it to his group. Here are the videos and the slide deck from the MeetUp.
I was legit so happy learning how AWS works and how to get WP on it. Game changer for me!
Lightsail is an Amazon Web Services (AWS) offering that allows you to quickly spin up a preconfigured virtual private server (VPS). It’s a wizard-driven server deployment that has everything you need to get a server up and running quickly and for a low and predictable price of $5 a month. It’s a great way to get your app, blog or website off of shared hosting and onto its own server where you don’t have to jockey for resources and you can scale up, if needed (not a hot add, but there are ways to increase your bundle).
When you deploy your server, you’ll be asked to download your key pair.
If you didn’t do it then, you can always go back to your instance and download them now.
I’m working on a Windows 10 workstation, so I’ll be using Windows tools to do this:
These tasks can be done on Linux and MacOS using the native SSH commands from the terminal and the .pem.
Open PuTTY Key Generator. Go to Conversions > Import Key
Browse to the .pem you downloaded from Lightsail. Click Save Private Key. Give the private key a name and click save.
Close key gen and launch PuTTY. Enter the server IP, under Saved Sessions, give it a name then click on Connection > SSH > Auth. Browse to the private key you just created. Scroll back up to the Session category and click Save. Click open to launch your SSH session. Log into the server with the username.