Abstract

Notes on the AWS certified developer associate certification

Table of Contents

AWS Certified Developer Associate

90% compute capacity on internet provided by AWS.

AWS certifications are the most popular IT certifications.

AWS changes and updates are growing exponentialy.


https://aws.amazon.com/certification/certified-developer-associate/


AWS History

AWS having a massive effect on traditional services.

1000+ new service announcements on AWS

Blog: https://aws.amazon.com/blogs/aws/

Google certs coming out in 2017 and 2018


AWS 10,000 Feet Overview

In order to pass the exam, you need to pay attention to these AWS service areas:

AWS Global Infrastructure

Region: is a geographical area. Each region consists of 2 or more availability zones Availability Zone: is simply a data center Edge locations: are CDN end points for CloudFront

There are many more edge locations than regions.

Network and Content Delivery

VPCs (Virtual Private Cloud)

A virtual datacenter

Multiple VPCs per region. Can connect one VPC up to another.

BIG PART OF EXAM!

Need to be able to build a VPC from memory

Route53 (DNS Service)

Cloudfront (caching)

Direct Connect

Connecting your office or data center to AWS

Compute

EC2: Elastic Compute Cloud (VMs in the cloud)

EC2 Container Services: not in test

Elastic Beanstalk: comes up in developer exam quite a bit

Lambda: not in the test

Lightsail: wp or joomla. not in the test

Storage

S3: Virtual disk in the cloud. Where you can store objects. Not block based storage

Glacier: archive for S3

EFS: Block based storage, could install databases and applications.

Storage gateway: a way of connecting S3 to on-premise data center

Database

RDS: postgres, aurora, mysql, etc (not much in dev exam)

DynamoDB: (features heavily on test)

Redshit: big data storage/archival for storing data for running reports on so that it doesn’t slow down your prod db

Elasticache: a way to cache data in the cloud. Db calls and resources such as generated html and images (comes up in dev exam)

Snowball: transfer physical disks to S3.

DMS: database migration service, don’t have to stay with the database that you’re migrating from (e.g. Oracle to MySql)

SMS: server migration service. Moving VMs out to the cloud

Athena: allows you to run SQL queries on csv or json on s3

EMR: used to process large amounts of data (using hadoop)

Cloud Search: fully managed

Elastic Search: using an open source framework

Kinesis: streaming and analyzing data real time

Data Pipeline: allows you to move data from one place to another. e.g. s3 to dyanmodb

Quick Sight: business analytics tool

Security & Identity

IAM: how you sign-up or authenticate

Inspector: installs on your VMs and reports on the security thereof

Certificate Manager: gets you free SSL certs for your domain name

Directory Service: Active directory to AWS connection

WAF: web application firewall, application level protection (SQL injection, etc) Doesn’t feature in the exams

ARtifacts: documentation in the AWS console, get certifications (PCI etc)

Management Tools

Cloud Watch: EC2 disk and ram utilization etc

Cloud Formation: way of turning your infrastructure into code (need to know it inside and out for the real world) Doesn’t come up in the exams too much

Cloud Trail: used for auditing changes to your AWS (IAM changes etc)

OpsWorks: Way of automating deployments using chef

Config: way of auditing your environment, you can set alerts etc

Service Catalog: for larger orgs, place for images. Authorize images and what aren’t

Trusted Advisor: cost and performance optimizations

Application SErvices

Step Functions: way of visualizing wahat’s going on your app

SWF: coordinating human tasks and computer tasks (in exams)

API Gateway: door for you apps to access backend

Elastic Transcoder: transcodes media into different formats

Developer Tools

CodeCommit: git

CodeBuild: compiling your code

CodeDeploy: deploying your code

CodePipeLine: keeping track of your different versions

Mobile Services

Mobile Hub: console for mobile apps

Cognito: makes easy to sign up with apps

Device Farm: testing on real devices

Mobile Analytics: analyzing mobile data

Pinpoint: google analytics for mobile

Internet of Things

iOT: own cert?

Artificial Intelligence

SuperIntelligence by Nick Bostrom on AI

Alexa: voice services in the cloud (driven by lex)

Polly: text to speach as a service

Machine Learning: data sets given outcomes analysis

Rekognition: image recognition, and faces

Messaging

SNS: messagin

SQS: queue system

SES: simple email service


IAM

IAM is global and is not bound by region

Terms

Root Account

Only ever login once or twice when you need to

Use MFA - google authenticator


Security Token Service (STS)

Grants users limited and temp access to AWS resources. Users can come from three sources

Most of the time you have to develop your own identity brokers

Review Information on identity brokers before exam

GetFederationToken function using IAM credentials -> duration 1 to 36 hours

Just need to have a basic understanding of how it works

SAML/Active Directory

Active directory federation

Takeaways:

  1. can you auth with active directory: yes and it is using SAML
  2. are you authenticating to active directory first and then given a temp security credential or if you get the temp credential first and then authenticated against active directory
    • you always authenticate against AD first

The AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml

SAML stands for Security Assertion Markup Language.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-using-saml/

Web Identity Federation

You just need to know that you can authenticate your applications against FB, LinkedIn, Google, etc

You have to do a fair bit of coding.

You basically need to know if it is possible.

EXAM: You authenticate first with your identity provider, then you get your security credential, then you call AssumeRoleWithWebIdentity, and then you can access AWS resources

https://aws.amazon.com/iam/

EXAM: AssumeRoleWithWebIdentity


EC2

VMs in the cloud

Instance Types: Dirty MCG

Dr mcgift pic give out pictures of his homeland in Scottland.

Going to get scenarios to choose the correct instance

Instance numbers are the generation

EBS

In specific AZs


Launching an instance

Two types of virtualization:

Need to know how to create a VPC from memory

EXAM: One Subnet is always equal to one availability Zone

A subnet cannot go across multiple AZs

EXAM: By default, EBS volumes are deleted on EC2 instance termination. Delete on Termination checkbox

Tags are good to control costs. Tag everything.

Security groups are virtual firewalls

ssh -i ~/.ssh/aws-andy.pem ec2-user@34.211.66.99

yum update -y

yum install httpd service httpd start chkconfig httpd on

Status Checks

Can’t encrypt the root device volume unless you create an AMI and encrypt it yourself

You can’t encrypt the AMIs provided by Amazon


Security Groups

1 instance can have multiple security groups

Security group changes happen immediately

Inbound rules are automatically allowed back out, they are stateful

With VPCs and NACLs (network access control lists), they are stateless - you must define both in and outbound roules

Everything is blocked by default

Security groups are per region!

Key pairs

SSH key pairs are per region!


Volumes and Snapshots

You must keep the volume in the same AZ as the EC2 instance.

lsblk
cd / && mkdir myfileserver

# check the volume for data
file -s /dev/xvdf # if response is `/dev/xvdf: data` then there is no data on it

# format the device
mkfs -t ext4 /dev/xvdf

# mount
mount /dev/xvdf /myfileserver

# unmount

umount /dev/xvdf

Volume snapshots are incremental changes.

If you make a snapshot into a volume again, you’re not locked into the same storage medium.


EFS (Elastic File System)

Allows you to connect a volume to multiple EC2 instances

Data is stored across multiple AZ’s

EC2 instances need to be in the same security group as the EFS volume

http://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html

http://docs.aws.amazon.com/efs/latest/ug/troubleshooting.html

Need to allow NFS on SGs for both NFSs and EC2 instances: http://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html

You’re using EFS as a fileserver - multiple ec2

user level perms and directory level perms

universal across all instances


IAM Roles

IAM Roles are Global EXAM

You can attach/replace a role on a running EC2 instance

roles are better than programmatic key access.


CLI Commands

EXAM Remember language of commands. i.e. what the command phraseology is

http://docs.aws.amazon.com/cli/latest/reference/ec2/

start-instances && stop-instances only starts or stops an instance and doesn’t create them.

run-instances creates and starts instances.

http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html

ws ec2 run-instances –image-id ami-4836a428 –count 1 –instance-type t2.micro –key-name aws-andy –security-group-ids sg-29674452 –subnet-id subnet-c0da9998

aws ec2 describe-images –owners amazon –filters “Name=platform,Values=windows” “Name=root-device-type,Values=ebs”


Instance Meta Data

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

EXAM Need to know url to access instance meta data

http://169.254.169.254/latest/meta-data/public-ipv4

Looking for meta data, not user data

Load Balancer

Two types of load balancers

You don’t get an IP address for an ELB, only a DNS name.

Exam questions will be focused around classic load balancers, most likely

https://aws.amazon.com/elasticloadbalancing/classicloadbalancer/faqs/

https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/faqs/

Tools

https://aws.amazon.com/tools/

Browse around SDK’s

Know the available SDKs

Review

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html

https://aws.amazon.com/ec2/

https://aws.amazon.com/blogs/security/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption/

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html

http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html

https://aws.amazon.com/cloudfront/custom-ssl-domains/


S3

S3 Object tagging:

https://aws.amazon.com/s3/faqs/?campaign-id=s3console&sc_ichannel=ha&sc_icampaign=f90_serviceconsole_s3_90days&sc_icontent=2580&sc_iplace=en_s3_ed&trk=ha_f90_serviceconsole_s3_default_2580/#storage-management

101

Updates to S3 are atomic, you might get the new data or the old data. New objects are immediately available.

S3 is designed to sort in alpha order. Adding random letters and numbers at the start of a filename ensures and even sort order.

Storage Tiers/Classes will come up in the exam

https://aws.amazon.com/s3/faqs/

^^^ Read S3 FAQs for Exam

Creating a website

EXAM Need to know ARN that would be generated for an s3 bucket website

Need to make sure objects are public.

Cors

Allows code in one S3 bucket to access the code in another S3 bucket.

Make sure that you are using the website url and not the S3 url!

Versioning

EXAM You cannot remove versioning, you can only disable it.

Versions are essentially two or more different objects in a bucket.

Don’t have versioning turned on with large files without a lifecycle management policy!

If you delete the current version, it automatically goes back to the previous version

Cross Region Replication

Versioning must be enabled on both buckets if you are to use versioning.

ONLY new objects will be replicated. Not existing - but it will replicate all versions when there is a new version of an object.

Deleting delete markers does not replicate to other buckets.

Lifecycle Management

Cloudfront

First request/user suffers the performance penalty until the data is cached in the edge location for the time of the TTL for the second request/user.

Origins can be someone else’s server. You can also write to Edge locations

CDN Lab

Web and RTMP are the two current types of Cloudfront CDNs

WAF Web ACL allows you to stop certain attacks such as SQL injection etc

GEO Restrictions on the exam about Cloudfront

Security and Encryption

Need to know the 4 types of encryption!

Storage Gateway

Exam questions haven’t been updated to current terminology possibly.

Review storage gateway

Virtual Tape Library sits on S3 - instantaneous

Virtual Tape Shelf sits on Glacier - 24 hours

Snowball

Snowball - 50TB or 70TB data transfer appliance

Snowball Edge - 100TB + compute (think Lambda functions) appliance

Snowmobile - Exabyte scale data transfer

Transfer Acceleration

Upload to an Edge location

S3 Summary

https://aws.amazon.com/s3/

S3 website bucket url format: http://bucketname.s3-website.eu-west-2.amazonaws.com

S3 bucket url format: https://s3.eu-west-2.amazonaws.com/bucketname

Largest file that can be PUT is 5GB

Largest file that can be stored is 5TB

Smallest file size for regular S3 is 0B

Smallest file size for IA is 128KB

Pay-as-you-go pricing and unlimited capacity

Database Essentials

Six relational databases on AWS

Look up OLAP

Questions about how to improve the performance of a DB

DMS converts Oracle and other databases to free open source DBs

https://aws.amazon.com/rds/faqs/

Dynamo DB

Spread across 3 data center

If your data can wait for up to a second to be updated, then eventually consistent works just fine. Otherwise, use strongly consistent.

You can have up to 35 levels of nesting in DynamoDB data

Hash key is the same thing as the partition key but it is the older term

DynamoDB Streams only stored for 24 hours

When primary key is unique then each item is stored a different area in DynamoDB

You can scale quickly with DynamoDB

You can only create a LSI (up to 5) at the time of table creation. GSIs (up to 5) can be created anytime

You can’t delete an LSI but you can delete GSIs

Queries and Scans

ScanIndexForward to change the sort order exam ONLY ON A QUERY!

Can use the ProjectionExpression to limit the results of a scan

Provisioned Througput

You will be asked about this on the exams and you will be given scenarios to solve for.

Capacities must be even integers.

The formula is: (Size of Read rounded to nearest 4 KB chunk / 4kb) x no of items = read throughput

Divide by 2 if eventually consistent.

400 HTTP Status Code - ProvisionedThroughputExceededException

Web Identity Providers

Uses the AssumeRoleWithWebIdentity API

Can connect from 15 minutes to 1 hour

Need to remember basic steps to authenticate

Other facts

Conditional writes: if item.price == 10 then update else don’t

Atomic Counters are not idempotent.

Use Atomic counters if you don’t need 100% data accuracy (think website counter); use conditional writes if you do need 100% accuracy.

Summary

Most important topic!