AWS Certifications

Columbus Amazon Web Services Meetup - February 2018

Presenter: Andrew May

● Senior Solutions Architect & Cloud

Solutions Lead @ Leading EDJE

● Java developer since 2000

● 2 ½ years AWS experience

● www.leadingedje.com

● andrew.may@leadingedje.com

● AWS Cloud Practitioner

● AWS Developer (associate)

● AWS Solutions Architect (associate)

Agenda

❏ Why get Certified?❏ Certification Roadmap❏ Details of the Certifications❏ Exam Preparation❏ AWS Partner Network

Record of AWS experience

Image via Mario Lurig (CC BY)

Learn about AWS

Résumé

Image via FlazIngo Photos (CC BY-SA)

Roadmap

● Certifications expire after 2 years○ Recertification exams are cheaper

● You may choose to take Professional Certification instead of renewing Associate Certification○ This mostly applies for Solutions Architect

Foundational Certifications

Cloud Practitioner

● Introductory Certification● Recommended for anyone including technical, managerial, and sales● Covers general cloud principals, an overview of a range of AWS

services, security, architecture, pricing and support● Free online training at http://aws.training (~7 hours of videos)

Breakdown from Exam Guide

Sample Question (1) - Technology

Which service can identify the user that made the API call when an Amazon Elastic Compute Cloud (Amazon EC2) instance is terminated?

A) Amazon CloudWatchB) AWS CloudTrailC) AWS X-RayD) AWS Identity and Access Management (AWS IAM)

Sample Question (2) - Security

Which of the following is AWS's responsibility under the AWS shared responsibility model?

A) Configuring third-party applicationsB) Maintaining physical hardwareC) Securing application access and dataD) Managing custom Amazon Machine Images (AMIs)

My impressions:● Most questions were “guess the service”● Skip if you are planning to take one of the associate certifications● Too much technical detail for most non-technical roles● Useful for those working alongside technical staff (e.g. project

managers)● Free training is a mixed bag, but Bonus Materials has some great videos

on VPC design

Associate Certifications

Developer (Associate)

● Recommended to have 1+ years of AWS experience● Focus on certain core AWS services:

EC2, DynamoDB, S3, SQS, SNS, Route 53, ElasticBeanstalk, IAM,Simple Workflow, CloudFormation, ElastiCache

● (Currently) very little Lambda● Knowledge of SDKs and APIs

Breakdown from Exam Guide

Sample Question (1) - Designing & Developing

Your web application reads an item from your DynamoDB table, changes an attribute, and then writes the item back to the table. You need to ensure that one process doesn't overwrite a simultaneous change from another process.

How can you ensure concurrency?

A) Implement optimistic concurrency by using a conditional writeB) Implement pessimistic concurrency by using a conditional writeC) Implement optimistic concurrency by locking the item upon readD) Implement pessimistic concurrency by locking the item upon read

Sample Question (2) - Debugging

Your CloudFormation template launches a two-tier web application in us-east-1. When you attempt to create a development stack in us-west-1, the process fails.

What could be the problem?

A) The AMIs referenced in the template are not available in us-west-1B) The IAM roles referenced in the template are not valid in us-west-1C) Two ELB Classic Load Balancers cannot have the same Name tagD) CloudFormation templates can be launched only in a single region

My impressions:● Most questions are about the details of a specific service● Know how to calculate DynamoDB read/write capacity units usage● Know how to optimize S3 keys for performance● Know which languages have an SDK● You’ll get a few questions about

SWF/ElastiCache/CloudFormation/Route 53

Solutions Architect (Associate)

● Recommended to have 1+ years of AWS experience● New version of Exam has just been released

○ You can choose which you take until August 12th 2018● Covers wider range of services● More focus on combining services, architectural issues (e.g. VPC

design), security and migration

Breakdowns from Exam Guide

Sample Question (1) - Data Security

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?

A) Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI

B) Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy

C) Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User

D) Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN)

Sample Question (2) - Designing

Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)

A) The Elastic IP will be dissociated from the instanceB) All data on instance-store devices will be lostC) All data on EBS (Elastic Block Store) devices will be lostD) The ENI (Elastic Network Interface) is detachedE) The underlying host for the instance is changed

My impressions:● Expects a deeper level of understanding about how AWS services work● Know how to design a VPC● Wrong answers in questions are harder to spot (especially when you

have to pick multiple)

● I got a lot of questions about EBS, someone else got a lot of S3 questions

New Exam:● More questions (55->65), longer (80 min -> 130 min)● Different distribution of content (but hard to say how this affects the

questions)● More up to date services (Lambda, ALB, DynamoDB DAX, SQS FIFO,

EFS)● More difficult? (based upon comments on forums)● Recommended if you haven’t already been studying for the old exam

SysOps Administrator

● Recommended to have 1+ years of AWS experience● Operational focus:

○ Deployment, configuration, monitoring and security● Choose between different options for price/performance

○ Understand different EC2 instance types○ IOPS limits and calculations

Breakdown from Exam Guide

Example Question (1) - Provisioning

You have been tasked with identifying an appropriate storage solution for a NoSQL database that requires random I/O reads of greater than 100,000 4kB IOPS.

Which EC2 option will meet this requirement?

A) EBS provisioned IOPSB) SSD instance storeC) EBS optimized instancesD) High Storage instance configured in RAID 10

Example Question (2) - Networking

Instance A and instance B are running in two different subnets A and B of a VPC. Instance A is not able to ping instance B.

What are two possible reasons for this? (Pick 2 correct answers)

A) The routing table of subnet A has no target route to subnet BB) The security group attached to instance B does not allow inbound ICMP trafficC) The policy linked to the IAM role on instance A is not configured correctlyD) The NACL on subnet B does not allow outbound ICMP traffic

My impressions:● Took practice test of 20 questions

● Networking and DNS are not my strong points!

● Multiple questions about tuning infrastructure to meet

performance needs while minimizing costs

● Need to understand the details of failover, routing etc.

(e.g. what happens during multi-AZ RDS failover)

Practice Test results:

Overall Score: 80%

Topic Level Scoring:1.0  Monitoring and Metrics: 66%2.0  High Availability: 66%3.0  Analysis: 100%4.0  Deployment and Provisioning: 100%5.0  Data Management: 100%6.0  Security: 100%7.0  Networking: 33%

Professional Certifications

Solutions Architect (Professional)

● 2+ years experience & Solutions Architect (Associate)● Requires deeper understanding of AWS services and architecture● Questions and answers are more complex● Probably the most difficult Certification to obtain

Breakdown from Exam Guide

DevOps Engineer (Professional)

● 2+ years of experience & either Developer (Associate) or SysOps Engineer (Associate) certifications

● Focus on Automation and Continuous Delivery using AWS tools:○ CloudFormation, ElasticBeanstalk, OpsWorks, CodeDeploy, Data

Pipeline● Not yet updated to cover Lambda/ECS/CodePipeline/CodeBuild

Breakdown from Exam Guide

Specialty Certifications

Advanced Networking Specialty

● Recommended to have 5 years of Networking experience● Focus on Hybrid Networks for Enterprises● Design Networks to support required performance and security

○ E.g. how many Direct Connect links do you need?

Big Data Specialty

● Recommended to have 5 years of Data Analytics experience● Domains:

○ Collection, Storage, Processing, Analysis, Visualization, Security● Services:

○ S3, Redshift, Kinesis, Data Pipeline, EMR, QuickSight

Security Specialty (Beta)

● There was a previous Beta in 2016 but this was scrapped● Current Beta available until March 2018● Key Areas:

○ Networking (Security Groups/NACLs)○ Encryption (KMS, CloudHSM)○ Audit (CloudTrail)○ Denial of Service, Intrusion Detection

Preparing for Exams

Explore AWS

● Pick a service in the AWS Console you’ve never used and try it out● Check pricing page - there may be a free tier

○ Some services have temporary free tiers, some are permanent● Remember to shutdown/delete everything when you’re done● Monitor your costs before you get a bill

Read Documentation

● AWS Developer Documentation○ Often contains Tutorials that you can try out

● FAQs for individual services● AWS Whitepapers cover a lot of different use cases

○ Architecting for the Cloud: AWS Best Practices● AWS Blogs cover new services and changes to existing service

Books

Published Oct 2016 Published Oct 2017 Due March 2018

Training

● Classroom (in-person or virtual) training course available ($$$)○ Content determined by AWS, provided by partners○ Hands on Labs

● Online Courses (e.g. A Cloud Guru) ($)○ Certification specific and more general technology courses○ Exercises (using your own AWS Account)

● Quiklabs - hands on training using provided AWS account ($$)

Practice Exams

● Register the same was as for Certification Exams● 20 questions for $20● Same format and software as real exams● Possibly some of the same questions you will get● Instant pass/fail result, email with % for different domains

Taking the Exams

Registering

● Create AWS Training account and from there select “Certifications”○ This will create a linked certification account○ APN members should create training account via APN portal○ Can use existing Amazon account

● Select Certification, Language and Location and schedule exam● Multiple locations in Columbus● Practitioner: $100, Associate: $150, Professional: $300

Test Centers

● Run by PSI● Lots of different tests being taken in same facility

○ You will probably be the only person taking an AWS certification● Empty everything from your pockets

○ Limited storage for valuables

The Test

● Make sure you’re taking the right test● Accept NDA!● Read questions carefully, you have plenty of time

○ Questions can be marked for later and gone back to○ Timer in top right

● Questionnaire at end● Pass/fail result immediately, email soon after

Benefits

From Certification Portal

● These take a few days to become available● Certification Certificate● Digital Badge● Generate a public Transcript to share your Certification(s)● Practice Exam Credit (not Practitioner)● Access to AWS Certified Store

For AWS Partner Network members

● If Training account created via APN and with same email, new certifications should automatically update APN account

● Consulting Partner levels:○ Standard: 2 Associate Certifications○ Advanced: 2 Professional, 4 Associate○ Premier: 8 Professional, 20 Associate

(but certifications are the easy part of the higher levels)

Questions/Discussion

How did you train for your Certification?