AWS Certified Developer Associate Notes
AWS Certified Developer Associate
- https://read.acloud.guru/what-you-need-to-get-aws-certified-5937e613b10f#.3cpabqpyq
- http://www.rightbrainnetworks.com/blog/tips-for-passing-amazon-aws-certified-solutions-architect-exam/
- http://venturebeat.com/2015/05/17/why-youll-never-nail-that-devops-interview/
90% compute capacity on internet provided by AWS.
AWS certifications are the most popular IT certifications.
AWS changes and updates are growing exponentially.
https://aws.amazon.com/certification/certified-developer-associate/
AWS History
AWS is having a massive effect on traditional services.
1000+ new service announcements on AWS
Blog: https://aws.amazon.com/blogs/aws/
Google certs coming out in 2017 and 2018
AWS 10,000 Feet Overview
In order to pass the exam, you need to pay attention to these AWS service areas:
- Messaging
- Security & Identity
- Management Tools
- Storage
- Databases
- Networking & Content Delivery
- Compute
- AWS Global Infrastructure
AWS Global Infrastructure
Region: is a geographical area. Each region consists of 2 or more availability zones
Availability Zone: one or more discrete data centers in a region, with independent power and networking
Edge locations: are CDN end points for CloudFront
There are many more edge locations than regions.
Network and Content Delivery
VPCs (Virtual Private Cloud)
A virtual datacenter
Multiple VPCs per region. Can connect one VPC up to another.
BIG PART OF EXAM!
Need to be able to build a VPC from memory
Route53 (DNS Service)
Cloudfront (caching)
Direct Connect
Connecting your office or data center to AWS
Compute
EC2: Elastic Compute Cloud (VMs in the cloud)
EC2 Container Services: not in test
Elastic Beanstalk: comes up in developer exam quite a bit
Lambda: not in the test
Lightsail: simple VPS hosting for things like WordPress or Joomla. Not in the test
Storage
S3: Object storage in the cloud. You store objects (files) in buckets. Not block based storage
Glacier: archive tier for S3
EFS: Network file storage (NFS) that many EC2 instances can mount at the same time. Block based storage, the kind you install databases and applications on, is EBS
Storage gateway: a way of connecting S3 to on-premise data center
Database
RDS: postgres, aurora, mysql, etc (not much in dev exam)
DynamoDB: (features heavily on test)
Redshift: data warehouse (OLAP) for running reports and analytics so that they don't slow down your prod DB
Elasticache: a way to cache data in the cloud. DB query results and resources such as generated HTML and images (comes up in dev exam)
Snowball: physical appliance for shipping large amounts of data into S3.
DMS: database migration service, don't have to stay with the database that you're migrating from (e.g. Oracle to MySql)
SMS: server migration service. Moving VMs out to the cloud
Athena: allows you to run SQL queries on csv or json on s3
EMR: used to process large amounts of data (using hadoop)
Cloud Search: fully managed
Elastic Search: using an open source framework
Kinesis: streaming and analyzing data real time
Data Pipeline: allows you to move data from one place to another. e.g. S3 to DynamoDB
Quick Sight: business analytics tool
Security & Identity
IAM: identity and access management - users, groups, roles and policies; who may do what in the account
Inspector: agent installed on your VMs, reports on the security of those instances
Certificate Manager: free SSL/TLS certs for your domain name
Directory Service: Active directory to AWS connection
WAF: web application firewall, application level protection (SQL injection, etc) Doesn't feature in the exams
Artifact: compliance documentation in the AWS console (PCI reports, certifications etc)
Management Tools
CloudWatch: monitoring. EC2 gives you CPU, network and disk I/O by default; RAM and disk space utilization need custom metrics
Cloud Formation: way of turning your infrastructure into code (need to know it inside and out for the real world) Doesn't come up in the exams too much
Cloud Trail: used for auditing changes to your AWS (IAM changes etc)
OpsWorks: Way of automating deployments using chef
Config: way of auditing your environment, you can set alerts etc
Service Catalog: for larger orgs, a place to manage approved images/products and control which ones aren't authorized
Trusted Advisor: cost and performance optimizations
Application Services
Step Functions: way of visualizing what's going on in your app (state machine workflows)
SWF: coordinating human tasks and computer tasks (in exams)
API Gateway: door for your apps to access the backend
Elastic Transcoder: transcodes media into different formats
Developer Tools
CodeCommit: git
CodeBuild: compiling your code
CodeDeploy: deploying your code
CodePipeline: orchestrates the release process (commit -> build -> deploy)
Mobile Services
Mobile Hub: console for mobile apps
Cognito: makes easy to sign up with apps
Device Farm: testing on real devices
Mobile Analytics: analyzing mobile data
Pinpoint: targeted push notifications and engagement analytics for mobile
Internet of Things
IoT: has its own cert?
Artificial Intelligence
SuperIntelligence by Nick Bostrom on AI
Alexa: voice services in the cloud (driven by lex)
Polly: text to speech as a service
Machine Learning: give it data sets with known outcomes, it predicts outcomes for new data
Rekognition: image recognition, and faces
Messaging
SNS: messaging (push notifications, pub/sub)
SQS: queue system
SES: simple email service
IAM
- Centralized control of your AWS account
- Shared access to your AWS account
- Granular Permissions
- Identity Federation (including Active Directory, Facebook, Linkedin, etc)
- Multifactor auth
- Provide temp access for users/devices and services where necessary
- Allows you to set up your own password rotation policy
- Integrates with AWS services
- Supports PCI DSS compliance
IAM is global and is not bound by region
Terms
- Users
- Groups - a collection of users under one set of permissions
- Roles - you create roles and can then assign them to AWS resources (e.g. an EC2 instance) for service to service interaction permissions
- Three types
- Service roles - assumed by an AWS service (e.g. EC2, Lambda) within your own account
- Cross-account - assumed by users from another AWS account
- Identity Provider - access to AWS resources for users authenticated by FB, Google, Twitter, SAML, etc
- Policies - a document that defines one or more permissions
Root Account
Only ever log in as root when you really need to (billing, closing the account); use IAM users day to day
Use MFA - e.g. Google Authenticator
Security Token Service (STS)
Grants users limited and temporary access to AWS resources. Users can come from three sources: federation (typically Active Directory via SAML), web identity federation (Facebook, Google, Amazon etc, for mobile/web apps) and cross-account access
Most of the time you have to develop your own identity brokers
Review Information on identity brokers before exam
GetFederationToken called with long-term IAM user credentials -> duration 15 minutes to 36 hours (default 12 hours); called with root credentials only 15 minutes to 1 hour
Just need to have a basic understanding of how it works
SAML/Active Directory
Active directory federation
Takeaways:
- can you auth with active directory: yes and it is using SAML
- are you authenticating to Active Directory first and then given a temp security credential, or do you get the temp credential first and then authenticate against Active Directory?
- you always authenticate against AD first; the SAML assertion the IdP issues is what gets exchanged for the temporary credential
The AWS sign-in endpoint for SAML is https://signin.aws.amazon.com/saml
SAML stands for Security Assertion Markup Language.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-using-saml/
Web Identity Federation
You just need to know that you can authenticate your applications against FB, LinkedIn, Google, etc
You have to do a fair bit of coding.
You basically need to know if it is possible.
EXAM: You authenticate first with your identity provider and get its token, then you call AssumeRoleWithWebIdentity with that token to get temporary security credentials, and then you can access AWS resources
EXAM: AssumeRoleWithWebIdentity
EC2
- Most important part of any of the associate exams
VMs in the cloud
Instance Types: Dirty MCG
Dr McGift Pic gives out pictures of his homeland in Scotland.
Going to get scenarios to choose the correct instance
The number in the instance type (t2, m4, ...) is the generation
EBS
EBS volumes live in a specific AZ (the same AZ as the instance they attach to)
Launching an instance
Two types of virtualization:
- PV - para-virtualization (older)
- HVM - hardware virtual machine (the modern default)
Need to know how to create a VPC from memory
EXAM: A subnet always lives in exactly one Availability Zone (an AZ can hold many subnets)
A subnet cannot span multiple AZs
EXAM: By default, the root EBS volume is deleted on EC2 instance termination (Delete on Termination
checkbox); additionally attached volumes are kept by default
Tags are good to control costs. Tag everything.
Security groups are virtual firewalls at the instance level
ssh -i ~/.ssh/aws-andy.pem ec2-user@34.211.66.99
sudo yum update -y            # ec2-user is not root, so package management needs sudo
sudo yum install -y httpd
sudo service httpd start
sudo chkconfig httpd on       # start httpd on boot (Amazon Linux 1 / sysvinit)
Status Checks
- System status checks
- verifies the underlying AWS infrastructure (host hardware, network) is healthy; a failure here is AWS's problem, stop/start the instance to move it to another host
- Instance status checks
- verifies that the instance OS is accepting packets; a failure here is your problem (kernel, network config, full disk, etc)
At the time of these notes you could not encrypt the root device volume at launch; you had to copy the root volume snapshot with encryption enabled and create your own AMI from it (newer launches support encrypted root volumes directly)
You can't encrypt the public AMIs provided by Amazon in place; copy them first
Security Groups
1 instance can have multiple security groups
Security group changes happen immediately
Security groups are stateful: traffic allowed in is automatically allowed back out (and vice versa)
VPC NACLs (network access control lists) at the subnet level are stateless - you must define both inbound and outbound rules
Security groups deny all inbound by default and allow all outbound; a custom NACL denies everything until you add rules
Security groups are per VPC (and therefore per region)!
Key pairs
SSH key pairs are per region!
Volumes and Snapshots
You must keep the volume in the same AZ as the EC2 instance.
lsblk                          # list block devices; the new volume shows up as e.g. xvdf
sudo mkdir /myfileserver
# check the volume for data
sudo file -s /dev/xvdf         # if the response is `/dev/xvdf: data` there is no filesystem (no data) on it
# format the device (only when there is no filesystem on it, this destroys existing data)
sudo mkfs -t ext4 /dev/xvdf
# mount
sudo mount /dev/xvdf /myfileserver
# unmount
sudo umount /myfileserver
Volume snapshots are incremental changes.
If you create a volume from a snapshot again, you're not locked into the same volume type (e.g. magnetic to SSD) or the same AZ.
EFS (Elastic File System)
Allows you to mount one file system on multiple EC2 instances at the same time (over NFS)
Data is stored across multiple AZ's
The EFS mount target's security group must allow inbound NFS (TCP 2049) from the security group the EC2 instances are in
http://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html
http://docs.aws.amazon.com/efs/latest/ug/troubleshooting.html
Need to allow NFS (TCP 2049) on the SGs for both the EFS mount targets and the EC2 instances: http://docs.aws.amazon.com/efs/latest/ug/accessing-fs-create-security-groups.html
You're using EFS as a file server shared by multiple EC2 instances
User level perms and directory level perms (standard POSIX) apply and are universal across all instances that mount the file system
IAM Roles
IAM Roles are Global EXAM
You can attach/replace a role on a running EC2 instance
roles are better than programmatic access keys: no keys stored on the instance, and the temporary credentials rotate automatically.
CLI Commands
EXAM Remember the language of the commands, i.e. the command phraseology
http://docs.aws.amazon.com/cli/latest/reference/ec2/
start-instances and stop-instances
only start or stop existing instances; they don't create them.
run-instances
creates and starts new instances (the one you use to launch from an AMI).
http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-images.html
aws ec2 run-instances --image-id ami-4836a428 --count 1 --instance-type t2.micro --key-name aws-andy --security-group-ids sg-29674452 --subnet-id subnet-c0da9998
aws ec2 describe-images --owners amazon --filters "Name=platform,Values=windows" "Name=root-device-type,Values=ebs"
Instance Meta Data
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
EXAM Need to know the URL to access instance metadata
http://169.254.169.254/latest/meta-data/public-ipv4
Looking for meta-data, not user-data (user data is at http://169.254.169.254/latest/user-data)
Caveat: any process on the instance can reach that address, including a web app with an SSRF bug, and the role's temporary credentials sit under /latest/meta-data/iam/security-credentials/. IMDSv2 (added later) requires a session token obtained by a PUT to /latest/api/token on every request; enforce it where you can.
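The metadata calls done the IMDSv2 way, as an added example that is not part of the original notes (only the standard library is used; the only assumption is the path being read). The PUT mints a session token, the GET presents it, and a plain token-less GET is exactly what SSRF attacks on the metadata service rely on:

```python
"""Read EC2 instance metadata using IMDSv2 (session-token) requests.

Added example, not part of the original notes. Uses only the standard library.
IMDSv2 needs a token minted by a PUT to /latest/api/token; that token is then sent
on every GET. A plain GET without the token (IMDSv1 style) is what SSRF attacks
against the metadata service rely on, so disable IMDSv1 on the instance where you can.
"""
import urllib.request

IMDS_BASE = "http://169.254.169.254"     # link-local metadata address, same on every instance
TOKEN_TTL_SECONDS = "21600"              # 6 hours, the maximum IMDSv2 allows


def token_request(ttl_seconds: str = TOKEN_TTL_SECONDS) -> urllib.request.Request:
    """PUT that mints an IMDSv2 session token; the response body is the token."""
    return urllib.request.Request(
        f"{IMDS_BASE}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": ttl_seconds},
    )


def metadata_request(path: str, token: str) -> urllib.request.Request:
    """GET for a meta-data path (e.g. 'public-ipv4'), carrying the session token."""
    return urllib.request.Request(
        f"{IMDS_BASE}/latest/meta-data/{path.lstrip('/')}",
        headers={"X-aws-ec2-metadata-token": token},
    )


def get_metadata(path: str, timeout: float = 2.0) -> str:
    """Fetch one metadata value. Only works on an EC2 instance (the address is link-local)."""
    with urllib.request.urlopen(token_request(), timeout=timeout) as resp:
        token = resp.read().decode()
    with urllib.request.urlopen(metadata_request(path, token), timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # On an instance with a role attached, the role name and its temporary credentials
    # live under iam/security-credentials/ - treat anything read from there as a secret.
    print(get_metadata("public-ipv4"))
```

The token PUT is answered with a hop limit of 1 by default, so a request bounced through a proxy or container NAT on the instance never gets a token; that is the property that blunts SSRF, and it is why the metadata options on the instance should require tokens (`HttpTokens=required`).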
Load Balancer
Two types of load balancers
- Application
- Works at layer 7 and the preferred method.
- Classic
- Layer 4 - TCP (can do some layer 7 things but it's essentially layer 4)
You don't get an IP address for an ELB, only a DNS name.
Exam questions will be focused around classic load balancers, most likely
https://aws.amazon.com/elasticloadbalancing/classicloadbalancer/faqs/
https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/faqs/
Tools
Browse around SDK's
Know the available SDK's
Review
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
https://aws.amazon.com/cloudfront/custom-ssl-domains/
S3
S3 Object tagging:
S3 101
Updates to S3 are atomic: an overwrite or delete was eventually consistent (at the time of these notes; S3 is now strongly consistent), so you might get the new data or the old data but never a partial object. New objects are immediately available (read-after-write consistency for new PUTs).
S3 sorts keys in alphabetical order and partitions by key prefix. Adding random letters and numbers at the start of a key spreads hot objects evenly across partitions (old guidance; S3 has since removed the need for it).
Storage Tiers/Classes will come up in the exam
https://aws.amazon.com/s3/faqs/
^^^ Read S3 FAQs for Exam
Creating a website
EXAM Need to know the ARN that would be generated for an S3 bucket: arn:aws:s3:::bucketname (and arn:aws:s3:::bucketname/* for the objects in it)
Need to make sure objects are public (a bucket policy granting s3:GetObject to everyone, or public-read ACLs) for a website bucket.
Cors
CORS allows JavaScript served from one origin (e.g. a website in one S3 bucket) to request objects in another bucket, which browsers otherwise block.
Make sure the allowed origin is the website URL and not the S3 REST URL, because the website endpoint is the Origin the browser sends!
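What that CORS rule looks like and how S3 matches the browser's Origin header against it, as an added example that is not from the notes. The site and bucket names are invented; CORS_CONFIG is in the shape boto3's put_bucket_cors(CORSConfiguration=...) takes, and origin_allowed() is a local re-implementation of S3's matching rule (exact match, or one `*` wildcard per AllowedOrigin), not a call to S3:

```python
"""S3 CORS configuration for a website bucket plus a local check of which
browser origins it admits.

Added example, not from the original notes. The website and bucket names are
invented. CORS_CONFIG is in the shape boto3's put_bucket_cors(CORSConfiguration=...)
takes; origin_allowed() mirrors how S3 matches the Origin header (exact match, or a
single '*' wildcard inside the AllowedOrigin value). Nothing here talks to AWS.
"""

# The origin the browser sends is the *website* endpoint of the bucket that serves
# the page - not the https://s3.<region>.amazonaws.com/<bucket> REST URL.
SITE_ORIGIN = "http://mysite.s3-website.eu-west-2.amazonaws.com"   # assumed name

CORS_CONFIG = {
    "CORSRules": [
        {
            "AllowedOrigins": [SITE_ORIGIN],      # lock to the site, not "*"
            "AllowedMethods": ["GET", "HEAD"],    # read-only from the browser
            "AllowedHeaders": ["Authorization"],
            "ExposeHeaders": ["ETag"],
            "MaxAgeSeconds": 3000,
        }
    ]
}


def _origin_matches(pattern: str, origin: str) -> bool:
    """S3 allows at most one '*' in an AllowedOrigin; it matches any substring."""
    if pattern.count("*") > 1:
        raise ValueError("S3 permits only one wildcard per AllowedOrigin")
    if "*" not in pattern:
        return pattern == origin
    head, tail = pattern.split("*")
    return (origin.startswith(head) and origin.endswith(tail)
            and len(origin) >= len(head) + len(tail))


def origin_allowed(config: dict, origin: str, method: str) -> bool:
    """True if some rule admits this Origin/method pair (what the preflight decides)."""
    for rule in config["CORSRules"]:
        if method.upper() in rule["AllowedMethods"] and any(
            _origin_matches(p, origin) for p in rule["AllowedOrigins"]
        ):
            return True
    return False


def lint_cors(config: dict) -> list:
    """Flag rules a reviewer would push back on: wildcard origin plus write methods."""
    findings = []
    for i, rule in enumerate(config["CORSRules"]):
        writes = {"PUT", "POST", "DELETE"} & set(rule["AllowedMethods"])
        if "*" in rule["AllowedOrigins"] and writes:
            findings.append(f"rule {i}: '*' origin combined with {sorted(writes)}")
    return findings
```

CORS is a browser-side control only: it decides whether the page's script may read the response, it does not replace the bucket policy or ACL that decides whether the request is authorized at all.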
Versioning
EXAM You cannot remove versioning once it is enabled, you can only suspend it.
Versions are essentially two or more different objects in a bucket.
Don't have versioning turned on with large files without a lifecycle management policy!
If you delete the current version in a versioned bucket, S3 only adds a delete marker; delete that specific version (or the marker) and the previous version becomes current again
Cross Region Replication
Versioning must be enabled on both the source and destination buckets to use cross region replication.
ONLY new objects will be replicated. Not existing - but it will replicate all versions when there is a new version of an object.
Deleting delete markers or specific versions does not replicate to the other bucket.
Lifecycle Management
Cloudfront
First request/user suffers the performance penalty until the object is cached at the edge location; it stays there for the TTL, so the second request/user is served from the edge.
Origins can be someone else's server (custom origin), not only S3. You can also write (PUT/POST) through edge locations
WAF Web ACL allows you to stop certain attacks such as SQL injection etc
Geo restriction (whitelist/blacklist countries) comes up on the exam for CloudFront
Security and Encryption
Need to know the 4 types of encryption at rest: SSE-S3 (S3 managed keys), SSE-KMS (KMS keys, with an audit trail), SSE-C (customer provided keys) and client side encryption (encrypt before upload). In transit is SSL/TLS.
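Enforcing two of those at the bucket level, as an added example that is not from the notes: a bucket policy that denies PutObject without the SSE-KMS header and denies any request not made over TLS, with a small local evaluator for the three condition operators the policy uses, run over constructed sample requests. The bucket name and the requests are assumptions. The separate Null statement is what catches a PUT that omits the header entirely; the evaluator follows the IAM rule that a key absent from the request context makes a StringNotEquals condition false:

```python
"""Bucket policy that refuses unencrypted uploads and plaintext (non-TLS) access,
plus a small local evaluator that shows which sample requests it denies.

Added example, not from the original notes. The bucket name and the sample requests
are invented, and the evaluator models only the three condition operators this
policy uses (StringNotEquals, Null, Bool), following the IAM rule that a key absent
from the request context makes a StringNotEquals condition false. That rule is why
the separate Null statement is needed to catch a PUT with no encryption header at all.
An explicit Deny always wins over any Allow, so an IAM policy elsewhere cannot
override these statements.
"""
import json

BUCKET = "example-notes-bucket"                     # assumed bucket name
SSE_HEADER = "s3:x-amz-server-side-encryption"      # condition key for the SSE request header


def build_policy(bucket: str, required_sse: str = "aws:kms") -> dict:
    """Bucket policy document: Deny wrong SSE, Deny missing SSE, Deny non-TLS."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {SSE_HEADER: required_sse}}},
            {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {SSE_HEADER: "true"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(operator: str, pairs: dict, ctx: dict) -> bool:
    for key, expected in pairs.items():
        present = key in ctx
        if operator == "Null":                      # "true" means the key must be absent
            if present == (expected == "true"):
                return False
        elif operator == "Bool":
            if not present or ctx[key] != expected:
                return False
        elif operator == "StringNotEquals":         # absent key => values do not match
            if not present or ctx[key] == expected:
                return False
        else:
            raise ValueError(f"operator {operator} not modelled")
    return True


def denied_by(policy: dict, action: str, ctx: dict) -> list:
    """Sids of Deny statements whose action and every condition match the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        if all(_condition_holds(op, kv, ctx) for op, kv in stmt["Condition"].items()):
            hits.append(stmt["Sid"])
    return hits


POLICY = build_policy(BUCKET)

# Constructed request contexts, roughly as IAM would see them.
SAMPLE_REQUESTS = {
    "kms_put_over_tls":   ("s3:PutObject", {"aws:SecureTransport": "true", SSE_HEADER: "aws:kms"}),
    "aes_put_over_tls":   ("s3:PutObject", {"aws:SecureTransport": "true", SSE_HEADER: "AES256"}),
    "plain_put_over_tls": ("s3:PutObject", {"aws:SecureTransport": "true"}),
    "get_over_http":      ("s3:GetObject", {"aws:SecureTransport": "false"}),
}


def evaluate_samples(policy: dict = POLICY) -> dict:
    return {name: denied_by(policy, action, ctx) for name, (action, ctx) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, sids in evaluate_samples().items():
        print(f"{name}: {'DENIED by ' + ', '.join(sids) if sids else 'allowed'}")
```

Use SSE-KMS rather than SSE-S3 when you want a CloudTrail record of every key use and the ability to revoke access by key policy; the same two-statement pattern works with `AES256` as the required value.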
Storage Gateway
Exam questions haven't been updated to current terminology possibly.
Review storage gateway
Virtual Tape Library sits on S3 - instantaneous
Virtual Tape Shelf sits on Glacier - 24 hours
Snowball
Snowball - 50TB or 80TB data transfer appliance
Snowball Edge - 100TB + compute (think Lambda functions) appliance
Snowmobile - Exabyte scale data transfer
Transfer Acceleration
Uploads go to the nearest edge location and then over the AWS backbone to the bucket
S3 Summary
S3 website bucket url format: http://bucketname.s3-website.eu-west-2.amazonaws.com
S3 bucket url format: https://s3.eu-west-2.amazonaws.com/bucketname
Largest single PUT is 5GB; use multipart upload for larger files (recommended for anything over 100MB)
Largest object that can be stored is 5TB
Smallest object size for standard S3 is 0B
Smallest billable object size for IA is 128KB (smaller objects are charged as 128KB)
Pay-as-you-go pricing and unlimited capacity
Database Essentials
Six relational databases on RDS: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server and Aurora
Look up OLAP (analytics, e.g. Redshift) vs OLTP (transactions, e.g. RDS)
Questions about how to improve the performance of a DB
DMS migrates databases; paired with the Schema Conversion Tool it converts Oracle and other commercial databases to open source engines (e.g. Oracle to MySQL), so you don't have to stay with the engine you're migrating from
https://aws.amazon.com/rds/faqs/
Dynamo DB
Spread across 3 geographically distinct data centers (AZs) in a region
If your data can wait for up to a second to be updated, then eventually consistent works just fine. Otherwise, use strongly consistent.
You can have up to 32 levels of nesting in DynamoDB data
Hash key is the same thing as the partition key but it is the older term
DynamoDB Streams records are only kept for 24 hours
Items are spread across partitions by a hash of the partition key, so a unique, high-cardinality partition key spreads items (and load) evenly
You can scale quickly with DynamoDB
You can only create an LSI (up to 5) at the time of table creation. GSIs (up to 5 at the time of these notes; the limit has since been raised to 20) can be created anytime
You can't delete an LSI but you can delete GSIs
Queries and Scans
ScanIndexForward=false reverses the sort order - EXAM: ONLY ON A QUERY, not a scan!
Use ProjectionExpression to limit the attributes returned by a query or scan (it trims the response, not the read capacity consumed)
Provisioned Througput
You will be asked about this on the exams and you will be given scenarios to solve for.
Capacities must be whole integers.
Read: (item size rounded up to the nearest 4 KB chunk / 4 KB) x number of reads per second = read capacity units (strongly consistent)
Divide by 2 if eventually consistent. Write: (item size rounded up to the nearest 1 KB) x number of writes per second = write capacity units
400 HTTP Status Code - ProvisionedThroughputExceededException (a client-side error: back off exponentially and retry, which the AWS SDKs do for you)
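The capacity arithmetic above carried through in code, as an added example that is not from the notes, together with the exponential backoff a client should apply when it gets ProvisionedThroughputExceededException. The capacity rules are the documented ones (4 KB read units, 1 KB write units, half price for eventually consistent reads, each item rounded up on its own); the backoff constants and the make_flaky() stand-in for a throttled table are assumptions for the demonstration:

```python
"""DynamoDB provisioned throughput arithmetic for the exam scenarios, plus how a
client should behave when it gets ProvisionedThroughputExceededException.

Added example, not from the original notes. The capacity rules are the documented
ones: 1 RCU = one strongly consistent read per second of an item up to 4 KB (an
eventually consistent read costs half), 1 WCU = one write per second of an item up
to 1 KB; each item is rounded up on its own, not across the batch. The backoff
constants and make_flaky() are assumptions made for the demonstration.
"""
import math
import time


def read_capacity_units(item_size_kb: float, reads_per_second: int,
                        strongly_consistent: bool = True) -> int:
    """RCUs needed for reads_per_second reads of items of item_size_kb."""
    chunks = math.ceil(item_size_kb / 4)          # each item rounded up to 4 KB chunks
    rcu = chunks * reads_per_second
    if not strongly_consistent:
        rcu = math.ceil(rcu / 2)                  # eventually consistent reads cost half
    return rcu


def write_capacity_units(item_size_kb: float, writes_per_second: int) -> int:
    """WCUs needed: each write is rounded up to whole 1 KB units."""
    return math.ceil(item_size_kb) * writes_per_second


def exam_scenario(item_size_kb: float, reads_per_second: int, writes_per_second: int,
                  strongly_consistent: bool = True) -> dict:
    """Typical question: 'an app reads N items of S KB per second and writes M ...'."""
    return {
        "rcu": read_capacity_units(item_size_kb, reads_per_second, strongly_consistent),
        "wcu": write_capacity_units(item_size_kb, writes_per_second),
    }


class ProvisionedThroughputExceeded(Exception):
    """Stand-in for botocore's ClientError carrying ProvisionedThroughputExceededException (HTTP 400)."""


def backoff_ms(attempt: int, base_ms: int = 50, cap_ms: int = 5_000) -> int:
    """Exponential backoff before retry number `attempt` (0-based), capped. Assumed constants."""
    return min(cap_ms, base_ms * 2 ** attempt)


def retry_with_backoff(operation, max_attempts: int = 5,
                       sleep=lambda ms: time.sleep(ms / 1000)):
    """Call operation() until it succeeds, sleeping longer after each throttle.
    Returns (result, attempts_used); re-raises after the last attempt.
    `sleep` takes milliseconds and is injectable so tests need not wait."""
    for attempt in range(max_attempts):
        try:
            return operation(), attempt + 1
        except ProvisionedThroughputExceeded:
            if attempt == max_attempts - 1:
                raise
            sleep(backoff_ms(attempt))


def make_flaky(throttled_calls: int):
    """Callable that is throttled the first `throttled_calls` times, then returns 'ok'."""
    state = {"calls": 0}

    def operation():
        state["calls"] += 1
        if state["calls"] <= throttled_calls:
            raise ProvisionedThroughputExceeded()
        return "ok"
    return operation
```

Worked scenario: 10 strongly consistent reads per second of 6 KB items need ceil(6/4) x 10 = 20 RCU, or 10 RCU eventually consistent; 10 writes per second of the same items need 6 x 10 = 60 WCU.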
Web Identity Providers
Uses the AssumeRoleWithWebIdentity API
Temporary credentials from AssumeRoleWithWebIdentity last from 15 minutes to 1 hour
Need to remember basic steps to authenticate
Other facts
Conditional writes: e.g. update only if item.price == 10, else the write is rejected with ConditionalCheckFailedException (ConditionExpression on UpdateItem/PutItem)
Atomic Counters (UpdateItem with ADD) are not idempotent: a retried increment is counted twice.
Use atomic counters if you don't need 100% data accuracy (think website hit counter); use conditional writes if you do need 100% accuracy (a balance, a vote tally).
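Why the atomic counter double-counts and the conditional write does not, as an added example that is not from the notes. The two UpdateItem parameter dicts are real DynamoDB API shapes (table and attribute names assumed); FakeTable is a tiny in-memory stand-in so the scenario runs offline. The scenario modelled is the classic one: the first request is applied on the server but the response is lost, and the client retries:

```python
"""Why an atomic counter is not idempotent and a conditional write is.

Added example, not from the original notes. The two UpdateItem request shapes are
real DynamoDB API parameters (table, key and attribute names are assumed); FakeTable
is an in-memory stand-in for the table so the example runs offline. The scenario is
the classic one: the first request is applied but the response is lost (timeout) and
the client retries the identical request.
"""


class ConditionalCheckFailed(Exception):
    """Stand-in for DynamoDB's ConditionalCheckFailedException."""


# Real UpdateItem parameter shapes.
ATOMIC_COUNTER_UPDATE = {
    "TableName": "PageViews",
    "Key": {"page": {"S": "/index.html"}},
    "UpdateExpression": "ADD views :inc",
    "ExpressionAttributeValues": {":inc": {"N": "1"}},
}
CONDITIONAL_UPDATE = {
    "TableName": "Products",
    "Key": {"sku": {"S": "ABC-123"}},
    "UpdateExpression": "SET price = :new",
    "ConditionExpression": "price = :expected",   # only write if unchanged since we read it
    "ExpressionAttributeValues": {":new": {"N": "12"}, ":expected": {"N": "10"}},
}


class FakeTable:
    """In-memory model of one item's attributes."""

    def __init__(self, **attrs):
        self.item = dict(attrs)

    def add(self, attr: str, inc: int) -> int:
        """Models 'ADD attr :inc': always applies, no memory of earlier requests."""
        self.item[attr] = self.item.get(attr, 0) + inc
        return self.item[attr]

    def conditional_set(self, attr: str, new, expected):
        """Models 'SET attr = :new' with ConditionExpression 'attr = :expected'."""
        if self.item.get(attr) != expected:
            raise ConditionalCheckFailed(f"{attr} is {self.item.get(attr)!r}, expected {expected!r}")
        self.item[attr] = new
        return new


def call_with_lost_response(op):
    """Server applies the write, the response is lost, the client retries the same request."""
    op()              # applied, but the client times out waiting for the answer
    return op()       # identical retry


def atomic_counter_scenario(start: int = 0) -> int:
    """One logical increment, delivered twice: the counter drifts by one."""
    table = FakeTable(views=start)
    call_with_lost_response(lambda: table.add("views", 1))
    return table.item["views"]


def conditional_write_scenario(start: int = 10, new: int = 12) -> int:
    """Same retry, but the condition refuses the duplicate: the value lands exactly once."""
    table = FakeTable(price=start)
    try:
        call_with_lost_response(lambda: table.conditional_set("price", new, expected=start))
    except ConditionalCheckFailed:
        pass          # the retry is rejected, which tells the client the first write landed
    return table.item["price"]
```

The same idea protects against lost updates between two clients: each reads the item, then writes with a condition on the value it read, and whichever loses the race gets ConditionalCheckFailedException and re-reads instead of silently overwriting.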
Summary
Most important topic!