Notes on the AWS certified developer associate certification
AWS Certified Developer Associate
90% compute capacity on internet provided by AWS.
AWS certifications are the most popular IT certifications.
AWS changes and updates are growing exponentially.
AWS is having a massive effect on traditional services.
1000+ new service announcements on AWS
Google certs coming out in 2017 and 2018
AWS 10,000 Feet Overview
In order to pass the exam, you need to pay attention to these AWS service areas:
- Security & Identity
- Management Tools
- Networking & Content Delivery
- AWS Global Infrastructure
AWS Global Infrastructure
Region: a geographical area. Each region consists of 2 or more Availability Zones.
Availability Zone: one or more discrete data centers with independent power and networking (the exam-level simplification is "an AZ is a data center").
Edge locations: CDN endpoints for CloudFront.
There are many more edge locations than regions.
Network and Content Delivery
VPCs (Virtual Private Cloud)
A virtual datacenter
Multiple VPCs per region. Can connect one VPC up to another.
BIG PART OF EXAM!
Need to be able to build a VPC from memory
Route53 (DNS Service)
Connecting your office or data center to AWS
EC2: Elastic Compute Cloud (VMs in the cloud)
EC2 Container Services: not in test
Elastic Beanstalk: comes up in developer exam quite a bit
Lambda: not in the test
Lightsail: wp or joomla. not in the test
S3: Object storage in the cloud, where you store objects (files) in buckets. Not block based storage, so you can't install an OS or a database on it.
Glacier: archive for S3
EFS: File-based (NFS) storage that many EC2 instances can mount at the same time. (Block-based storage, the kind you install databases and applications on, is EBS, not EFS.)
Storage gateway: a way of connecting S3 to on-premise data center
RDS: postgres, aurora, mysql, etc (not much in dev exam)
DynamoDB: (features heavily on test)
Redshift: data warehouse (OLAP) for storing copies of your data and running reports/analytics on them so that they don't slow down your production (OLTP) database
Elasticache: a way to cache data in the cloud. Db calls and resources such as generated html and images (comes up in dev exam)
Snowball: physical appliance for bulk data transfer into S3 (shipped to you, loaded on site, shipped back).
DMS: database migration service, don’t have to stay with the database that you’re migrating from (e.g. Oracle to MySql)
SMS: server migration service. Moving VMs out to the cloud
Athena: allows you to run SQL queries on csv or json on s3
EMR: used to process large amounts of data (using hadoop)
Cloud Search: fully managed
Elastic Search: using an open source framework
Kinesis: streaming and analyzing data real time
Data Pipeline: allows you to move data from one place to another, e.g. S3 to DynamoDB
Quick Sight: business analytics tool
Security & Identity
IAM: identity and access management - users, groups, roles and policies; how people and services authenticate to your account and what they are authorized to do
Inspector: agent installed on your EC2 instances that assesses them for vulnerabilities and deviations from best practice and reports the findings
Certificate Manager: free SSL/TLS certificates for your domain names, for use on ELB, CloudFront and API Gateway
Directory Service: connects on-premises Active Directory to AWS, or runs a managed directory in AWS
WAF: web application firewall, application level protection (SQL injection, etc) Doesn’t feature in the exams
Artifact: on-demand access to AWS compliance reports and certifications (PCI, SOC, ISO etc) from the console
Cloud Watch: EC2 disk and ram utilization etc
Cloud Formation: way of turning your infrastructure into code (need to know it inside and out for the real world) Doesn’t come up in the exams too much
Cloud Trail: used for auditing changes to your AWS (IAM changes etc)
OpsWorks: Way of automating deployments using chef
Config: way of auditing your environment, you can set alerts etc
Service Catalog: for larger orgs, place for images. Authorize images and what aren’t
Trusted Advisor: cost and performance optimizations
Step Functions: way of visualizing and coordinating what's going on in your app (state machines over Lambda functions and other services)
SWF: coordinating human tasks and computer tasks (in exams)
API Gateway: the front door for your apps to access backend services (Lambda, EC2 etc)
Elastic Transcoder: transcodes media into different formats
CodeBuild: compiling your code
CodeDeploy: deploying your code
CodePipeline: orchestrates the build, test and deploy stages into a release pipeline (CodeCommit is the git repository that keeps track of your different versions)
Mobile Hub: console for mobile apps
Cognito: makes easy to sign up with apps
Device Farm: testing on real devices
Mobile Analytics: analyzing mobile data
Pinpoint: google analytics for mobile
Internet of Things
IoT: has its own certification?
SuperIntelligence by Nick Bostrom on AI
Alexa: voice services in the cloud (driven by lex)
Polly: text to speech as a service
Machine Learning: data sets given outcomes analysis
Rekognition: image recognition, and faces
SQS: queue system
SES: simple email service
IAM (Identity and Access Management)
- Centralized control of your AWS account
- Shared access to your AWS account
- Granular Permissions
- Identity Federation (including Active Directory, Facebook, LinkedIn, etc)
- Multi-factor authentication (MFA)
- Provide temp access for users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrates with AWS services
- Supports PCI DSS compliance
IAM is global and is not bound by region
- Users - end users (people) or applications; a user has a console password and/or programmatic access keys
- Groups - a collection of users under one set of permissions
- Roles - you create roles and can then assign them to AWS resources (e.g. an EC2 instance) so that service-to-service calls get permissions without stored keys
- Three types
- Service roles - assumed by an AWS service (EC2, Lambda, etc) to act on your behalf
- Cross-account roles - grant access between AWS accounts
- Identity provider roles - access to AWS resources for users authenticated by Facebook, Google, Twitter, a SAML provider, etc
- Policies - a JSON document that defines one or more permissions (Effect, Action, Resource); attached to users, groups or roles
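The evaluation order behind those policy documents (an explicit Deny beats any Allow, and anything not allowed is implicitly denied) as an added example. This is not AWS code: it is a deliberately simplified evaluator that ignores Condition, NotAction and NotResource, and the sample policy document below is constructed for the demonstration.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS code).
Rules: explicit Deny wins over Allow; no matching Allow means implicit deny."""
import fnmatch
import json

# Constructed sample policy: broad access to one bucket, but deletes are denied.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcards are * and ?, which fnmatch implements."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy_json, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Action names are case-insensitive in IAM; ARNs are case-sensitive."""
    policy = json.loads(policy_json)
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not (_matches(actions, action.lower()) and _matches(resources, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"      # explicit deny always wins; stop looking
        decision = "Allow"     # keep scanning: a later Deny can still override
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:PutBucketPolicy"):
        print(act, "->", evaluate(SAMPLE_POLICY, act, obj))
```

The point to take from it: `s3:PutBucketPolicy` is never mentioned in the document, so it ends up as `ImplicitDeny`, which is the "everything is blocked by default" rule in action; and adding more Allow statements can never override the Deny on `s3:DeleteObject`.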
Only ever log in as the root account once or twice, when you genuinely need it; do day-to-day work as an IAM user
Use MFA on the root account and on IAM users - e.g. Google Authenticator (virtual MFA) or a hardware token
Security Token Service (STS)
Grants users limited and temporary access to AWS resources. Users can come from three sources: federation with an enterprise directory (typically Active Directory, via SAML), federation with web/mobile identity providers (Facebook, Google, Amazon), and cross-account access between AWS accounts.
Most of the time you have to develop your own identity broker that authenticates against the corporate directory and then calls STS.
Review information on identity brokers before the exam.
GetFederationToken is called with long-term IAM user credentials -> returns temporary credentials with a duration of 15 minutes to 36 hours (12 hours by default)
Just need to have a basic understanding of how it works
Active directory federation
- can you authenticate with Active Directory? yes, using SAML
- do you authenticate to Active Directory first and then get a temporary security credential, or get the temporary credential first and then authenticate against Active Directory?
- you always authenticate against AD first; the SAML assertion is then exchanged for temporary credentials (AssumeRoleWithSAML)
The AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml
SAML stands for Security Assertion Markup Language.
Web Identity Federation
You just need to know that you can authenticate your applications against Facebook, LinkedIn, Google, etc.
You have to do a fair bit of coding.
You basically need to know that it is possible.
EXAM: You authenticate first with your identity provider and get its token, then call AssumeRoleWithWebIdentity with that token to get temporary security credentials, and then you use those credentials to access AWS resources (the app never holds long-term AWS keys)
EC2 (Elastic Compute Cloud) - most important part of any of the associate exams
VMs in the cloud
Instance Types: Dirty MCG
Dr McGift Pic gives out pictures of his homeland in Scotland.
Going to get scenarios to choose the correct instance
Instance numbers are the generation
An instance launches into a specific AZ (chosen by the subnet you pick)
Launching an instance
Two types of virtualization:
- PV - paravirtualization (older; the guest OS is modified to run on the hypervisor)
- HVM - hardware virtual machine (hardware-assisted virtualization; the default for current instance types)
Need to know how to create a VPC from memory
EXAM: One subnet always lives in exactly one Availability Zone (an AZ can hold many subnets)
A subnet cannot span multiple AZs
EXAM: By default, the root EBS volume is deleted on EC2 instance termination; additional EBS volumes you attach are kept unless you tick the box.
Delete on Termination checkbox (set per volume at launch)
Tags are good to control costs. Tag everything.
Security groups are virtual firewalls at the instance (network interface) level
# ec2-user is the default login on Amazon Linux; replace the placeholder with the instance's public IP or DNS name
ssh -i ~/.ssh/aws-andy.pem ec2-user@<instance-public-ip>
# run the rest as root (sudo su) or prefix each command with sudo
yum update -y
yum install -y httpd
service httpd start     # start Apache now
chkconfig httpd on      # and on every boot
- System status checks
- check the AWS systems underneath the instance (host hardware, power, network); a failure is an AWS/infrastructure problem, typically fixed by stopping and starting the instance so it moves to another host
- Instance status checks
- check the instance's own software and network configuration (is the OS up and accepting packets); a failure is usually yours to fix
You can't encrypt an existing root device volume in place: snapshot it, copy the snapshot with encryption, and create an AMI/instance from that. (Since 2019 root volumes can be encrypted at launch and EBS encryption can be turned on by default for the account, but older exam questions assume the copy route.)
You can't encrypt an Amazon-provided AMI in place, but you can copy it and encrypt the copy
1 instance can have multiple security groups (and one security group can be attached to many instances)
Security group changes happen immediately
Inbound rules are automatically allowed back out: security groups are stateful
With VPCs and NACLs (network access control lists), they are stateless - you must define both inbound and outbound rules (including the ephemeral port range for return traffic)
Defaults: a security group blocks all inbound and allows all outbound; a newly created custom NACL denies everything in both directions (the VPC's default NACL allows everything)
Security groups are per VPC (and therefore per region)!
SSH key pairs are per region!
Volumes and Snapshots
You must keep the volume in the same AZ as the EC2 instance.
lsblk                        # list block devices; the attached volume shows up as e.g. /dev/xvdf
file -s /dev/xvdf            # check the volume for data: a response of "/dev/xvdf: data" means there is no filesystem on it
mkfs -t ext4 /dev/xvdf       # format the device (only if it is empty: this destroys anything on it)
cd / && mkdir myfileserver   # create the mount point
mount /dev/xvdf /myfileserver
umount /dev/xvdf             # unmount cleanly before detaching the volume from the instance
Volume snapshots are incremental: only the blocks changed since the previous snapshot are stored.
If you create a volume from a snapshot again, you're not locked into the same storage type or size (e.g. go from gp2 to io1).
EFS (Elastic File System)
Allows you to mount one file system on multiple EC2 instances at the same time (NFS)
Data is stored across multiple AZs
The EFS mount target's security group must allow inbound NFS (TCP 2049) from the security group the EC2 instances use (they don't have to share one security group)
Need to allow NFS on the security groups for both the EFS mount targets and the EC2 instances: http://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html
You're using EFS as a file server shared by multiple EC2 instances
POSIX user-level and directory-level permissions apply
and are universal across all instances
IAM roles are global EXAM
You can attach/replace a role on a running EC2 instance (no stop/start needed)
Roles are better than programmatic access keys: the credentials are delivered through instance metadata, rotated automatically, and never sit in code or config files.
EXAM Remember the language of the CLI commands, i.e. what the command phraseology is
stop-instances / start-instances only stop or start existing instances and don't create them.
run-instances creates and starts instances.
# the AMI, security group, subnet and key names below are from the author's own account
aws ec2 run-instances --image-id ami-4836a428 --count 1 --instance-type t2.micro --key-name aws-andy --security-group-ids sg-29674452 --subnet-id subnet-c0da9998
aws ec2 describe-images --owners amazon --filters "Name=platform,Values=windows" "Name=root-device-type,Values=ebs"
Instance Metadata
EXAM Need to know the URL to access instance metadata: http://169.254.169.254/latest/meta-data/ (user data is at http://169.254.169.254/latest/user-data)
Looking for metadata, not user data
Use IMDSv2 (session token obtained with a PUT to /latest/api/token, sent as a header on every request) and disable IMDSv1: otherwise an SSRF bug in your app can be used to read the instance role's credentials from /latest/meta-data/iam/security-credentials/
Two types of load balancers
- Application Load Balancer - works at layer 7 and is the preferred method.
- Classic Load Balancer - layer 4 TCP/IP (can do some layer 7 bridging but it's essentially layer 4)
You don’t get an IP address for an ELB, only a DNS name.
Exam questions will be focused around classic load balancers, most likely
Browse around SDK’s
Know the available SDKs
S3 Object tagging:
Updates to S3 are atomic: you get either the old object or the new one, never a mix. Under the old consistency model overwrites and deletes were eventually consistent (a read might return the old data) while new objects were immediately available; since December 2020 S3 is strongly consistent for all operations, but older exam questions assume the old model.
S3 used to partition by key in alphabetical order, so adding random letters and numbers (a hash) at the start of a key name spread load evenly across partitions. (AWS dropped this guidance in 2018 when per-prefix scaling became automatic, but it may still appear in older exam questions.)
Storage Tiers/Classes will come up in the exam
^^^ Read S3 FAQs for Exam
Creating a website
EXAM Need to know the ARN that would be generated for an S3 bucket: arn:aws:s3:::bucketname (an object is arn:aws:s3:::bucketname/key)
Need to make sure objects are public (bucket policy or object ACL) for website hosting.
CORS (cross-origin resource sharing): allows code served from one S3 bucket/origin to access content in another S3 bucket.
Make sure that you are using the website url and not the S3 url!
EXAM You cannot remove versioning once it is enabled, you can only suspend it.
Versions are essentially two or more different objects stored under the same key in a bucket (each version is billed).
Don't have versioning turned on with large files without a lifecycle management policy!
Deleting an object in a versioned bucket doesn't remove data: it adds a delete marker; remove the delete marker and the previous version is current again. Deleting a specific version by its version ID permanently removes just that version.
Cross Region Replication
Versioning must be enabled on both buckets if you are to use versioning.
ONLY new objects are replicated, not existing ones - but once an existing object gets a new version, that and subsequent versions are replicated.
Deleting delete markers does not replicate to other buckets.
The first request/user suffers the performance penalty; the data is then cached at the edge location for the length of the TTL, so the second request/user gets it from the cache.
Origins can be someone else’s server. You can also write to Edge locations
Web and RTMP were the two types of CloudFront distributions at the time of these notes (RTMP distributions have since been discontinued)
WAF Web ACL allows you to stop certain attacks such as SQL injection etc
Geo restrictions (whitelist or blacklist countries) on CloudFront come up on the exam
Security and Encryption
Need to know the 4 types of encryption! In transit: SSL/TLS. At rest: SSE-S3 (S3-managed keys), SSE-KMS (KMS-managed keys, with an audit trail), SSE-C (customer-provided keys sent with each request), and client-side encryption (you encrypt before upload and keep the keys).
Exam questions haven’t been updated to current terminology possibly.
Review storage gateway
Virtual Tape Library sits on S3 - instantaneous
Virtual Tape Shelf sits on Glacier - 24 hours
Snowball - 50TB or 80TB data transfer appliance
Snowball Edge - 100TB + compute (think Lambda functions) appliance
Snowmobile - Exabyte scale data transfer
S3 Transfer Acceleration: upload to the nearest edge location, which forwards the data to your bucket over the AWS backbone
S3 website bucket url format: http://bucketname.s3-website.eu-west-2.amazonaws.com
S3 bucket url format: https://s3.eu-west-2.amazonaws.com/bucketname
Largest file that can be uploaded in a single PUT is 5GB; use multipart upload for anything bigger (recommended above 100MB)
Largest file that can be stored is 5TB
Smallest file size for regular S3 is 0B
Minimum billable object size for IA is 128KB
Pay-as-you-go pricing and unlimited capacity
Six relational database engines on RDS: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server and Aurora
Look up OLAP vs OLTP (Redshift is OLAP, RDS is OLTP)
Questions about how to improve the performance of a DB (think read replicas and ElastiCache; Multi-AZ is for availability, not performance)
DMS migrates databases, including from Oracle and other commercial engines to free open source engines (the Schema Conversion Tool converts the schema)
DynamoDB: stored on SSD and spread across 3 geographically distinct data centers (AZs)
If your data can wait for up to a second to be updated, then eventually consistent works just fine. Otherwise, use strongly consistent.
You can have up to 32 levels of nesting in DynamoDB data
Hash key is the same thing as the partition key but it is the older term
DynamoDB Streams only stored for 24 hours
When the primary key is just a partition key it must be unique; the key is hashed to pick the partition (storage area) the item lives in. With a composite key (partition key + sort key) the combination must be unique.
You can scale quickly with DynamoDB
You can only create an LSI (up to 5) at the time of table creation. GSIs (default quota now 20 per table; the old exam limit was 5) can be created any time
You can’t delete an LSI but you can delete GSIs
Queries and Scans
ScanIndexForward changes the sort order (false = descending) - EXAM: ONLY ON A QUERY, not a Scan!
Can use ProjectionExpression to limit the attributes returned by a scan or query (less data transferred; it does not reduce the capacity consumed, since the whole item is still read)
You will be asked about this on the exams and you will be given scenarios to solve for.
Provisioned capacities must be whole integers.
The formula is:
(size of each item rounded UP to the nearest 4 KB chunk / 4 KB) x number of reads per second = read capacity units (RCUs)
Divide by 2 (and round up) if eventually consistent. Writes use 1 KB chunks: (size rounded up to the nearest 1 KB / 1 KB) x writes per second = WCUs.
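The formula carried through in code, as an added example that is not part of the original notes or of AWS's own tooling. It also covers the write-capacity counterpart (1 KB chunks) and the per-minute-to-per-second conversion exam scenarios like to use; the function names are mine.

```python
"""Worked DynamoDB provisioned-capacity calculation (added example).
One RCU = one strongly consistent read per second of an item up to 4 KB
(or two eventually consistent reads); one WCU = one write per second of an
item up to 1 KB. Item sizes round UP to the next chunk, which is the step
the exam scenarios are designed to catch."""
import math

READ_CHUNK_KB = 4
WRITE_CHUNK_KB = 1


def read_capacity_units(item_size_kb, reads_per_second, eventually_consistent=False):
    """RCUs needed for reads_per_second reads of item_size_kb items."""
    chunks = math.ceil(item_size_kb / READ_CHUNK_KB)   # 6 KB -> 2 chunks, not 1.5
    rcu = chunks * reads_per_second
    if eventually_consistent:
        rcu = math.ceil(rcu / 2)                       # two eventual reads per RCU; round up
    return rcu


def write_capacity_units(item_size_kb, writes_per_second):
    """WCUs needed for writes_per_second writes of item_size_kb items."""
    return math.ceil(item_size_kb / WRITE_CHUNK_KB) * writes_per_second


def capacity_for_scenario(item_size_kb, operations_per_minute, operation,
                          eventually_consistent=False):
    """Exam questions often give a per-minute rate: convert to per second
    (rounding up, you cannot provision a fraction of an operation), then
    apply the read or write formula. operation is 'read' or 'write'."""
    per_second = math.ceil(operations_per_minute / 60)
    if operation == "read":
        return read_capacity_units(item_size_kb, per_second, eventually_consistent)
    if operation == "write":
        return write_capacity_units(item_size_kb, per_second)
    raise ValueError("operation must be 'read' or 'write'")


if __name__ == "__main__":
    print(read_capacity_units(6, 10))              # 2 chunks x 10 reads = 20 RCU
    print(read_capacity_units(6, 10, True))        # eventually consistent: 10 RCU
    print(read_capacity_units(9, 5, True))         # 3 chunks x 5 = 15, halved and rounded up = 8
    print(write_capacity_units(1.5, 10))           # 2 chunks x 10 writes = 20 WCU
    print(capacity_for_scenario(3, 300, "read"))   # 300/min = 5/s, 3 KB fits one chunk = 5 RCU
```

Two things to watch when applying it: the size rounding is per item, not on the aggregate bytes per second, and the halving for eventual consistency is applied after multiplying by the rate, then rounded up.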
400 HTTP status code - ProvisionedThroughputExceededException: the SDKs retry with exponential backoff automatically; if it keeps happening, raise the provisioned capacity or fix a hot partition key
Web Identity Providers
Uses the AssumeRoleWithWebIdentity API
Temporary credentials last 1 hour by default; you can request 15 minutes up to the role's maximum session duration (1 hour by default, configurable up to 12 hours)
Need to remember basic steps to authenticate
Conditional writes: e.g. update only if item.price == 10, otherwise the write is rejected (ConditionalCheckFailedException)
Atomic counters are not idempotent: retrying an increment after a timeout can count it twice.
Use atomic counters if you don't need 100% data accuracy (think a website hit counter); use conditional writes if you do need 100% accuracy (think a price or a balance).
Most important topic!
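Why the atomic counter is not idempotent while the conditional write is safe to retry, as an added example that is not from the original notes, AWS or boto3. The two request builders produce the keyword arguments a real boto3 `client.update_item` call takes, but `FakeTable` is a constructed in-memory stand-in (not DynamoDB and not an emulator) that understands only those two expression shapes, so the retry behaviour can be run offline.

```python
"""Atomic counter vs conditional write under duplicate delivery (added example).
The request dicts match boto3's low-level client.update_item(**request);
FakeTable is a constructed stand-in so the retry can be observed offline."""


class ConditionalCheckFailed(Exception):
    """Stand-in for DynamoDB's ConditionalCheckFailedException."""


def atomic_increment_request(table, key, attr, amount):
    """Atomic counter: ADD with no condition. Two deliveries = two increments."""
    return {
        "TableName": table,
        "Key": {"id": {"S": key}},
        "UpdateExpression": f"ADD {attr} :n",
        "ExpressionAttributeValues": {":n": {"N": str(amount)}},
    }


def conditional_set_request(table, key, attr, expected, new_value):
    """Conditional write: SET only if the attribute still holds the value we read."""
    return {
        "TableName": table,
        "Key": {"id": {"S": key}},
        "UpdateExpression": f"SET {attr} = :new",
        "ConditionExpression": f"{attr} = :old",
        "ExpressionAttributeValues": {":new": {"N": str(new_value)},
                                      ":old": {"N": str(expected)}},
    }


class FakeTable:
    """Constructed stand-in: items is {key: {attribute: int}}."""

    def __init__(self, items):
        self.items = items

    def update_item(self, request):
        item = self.items.setdefault(request["Key"]["id"]["S"], {})
        values = {k: int(v["N"]) for k, v in request["ExpressionAttributeValues"].items()}
        cond = request.get("ConditionExpression")
        if cond:                                   # shape: "attr = :old"
            attr, _, placeholder = cond.split()
            if item.get(attr) != values[placeholder]:
                raise ConditionalCheckFailed(cond)
        tokens = request["UpdateExpression"].split()
        if tokens[0] == "ADD":                     # shape: "ADD attr :n"
            item[tokens[1]] = item.get(tokens[1], 0) + values[tokens[2]]
        elif tokens[0] == "SET":                   # shape: "SET attr = :new"
            item[tokens[1]] = values[tokens[3]]
        else:
            raise ValueError("this stand-in only understands ADD and SET")
        return dict(item)


def apply_with_duplicate_delivery(table, request):
    """Model a timeout: the server applied the write, the client never saw the
    reply and re-sends the identical request. Returns (final value, retry_rejected)."""
    attr = request["UpdateExpression"].split()[1]
    key = request["Key"]["id"]["S"]
    table.update_item(request)
    try:
        table.update_item(request)
        retry_rejected = False
    except ConditionalCheckFailed:
        retry_rejected = True
    return table.items[key][attr], retry_rejected


if __name__ == "__main__":
    t = FakeTable({"widget": {"hits": 0, "price": 10}})
    print(apply_with_duplicate_delivery(t, atomic_increment_request("Items", "widget", "hits", 1)))
    print(apply_with_duplicate_delivery(t, conditional_set_request("Items", "widget", "price", 10, 12)))
```

The counter ends at 2 after one logical increment, while the price is set exactly once and the retry is rejected. In real code a ConditionalCheckFailedException on a retry is still ambiguous (your first attempt may have landed, or another writer may have changed the item), so re-read the item before deciding what to do next. The `{"N": "10"}` shapes are the low-level client's wire format; the higher-level `Table` resource takes plain Python numbers instead.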