2022 AWS Solution architect associate exam guides and tips

The 2022 exam guide includes the latest tips and certification guide. I have included some extra tips for your day to day cloud operations, so please enjoy the article ūüôā and if you need any help just please get in touch with me

The guide begins:

This year, AWS has updated the sections in the exam. There are four main sections:

Design Resilient Architectures 30%
Design High-Performing Architectures 28%
Design Secure Applications and Architectures 24%
Design Cost-Optimized Architectures 18%

As an overview, the first three are very important. If you planning to get into a DevOps job building highly scalable architecture is important! By scalable I mean systems that can easily scale with no manual intervention.

 

1. Design Resilient Architectures

In this section, AWS will question your knowledge on storage, decoupling systems so if one component fails it won’t cause major system downtime, how to design a multi-tier architecture, so systems can scale independently. It is more understanding what services you’re familiar with and which one would you pick. A solid understanding of AWS services is important:

Storage types:

1. Instance store:  Block storage volume attached to some EC2 instances. Very cheap and ideal for temporary storage. Data is lost when the instance is restarted.

2. EBS volume: This type of storage can be mounted on a single server. Data on EBS can persist beyond the EC2 lifecycle! Key point: Only one instance can be attached to a volume.

There are four types of EBS volumes: (use cases are important and the IOPS)

    1. Cold HDD (sc1)
      • Use case: great for infrequent accessed, throughput intensive workloads.
      • Max IOPS / Volume 250.
      • Cannot be used as a boot volume.
    2. Throughput HDD (st1)
      • Use case: Big data, log processing, Log processing
      • Max IOPS / Volume 500.
    3. General Purpose SSD (gp2)
      • Use case: OS boot volume, databases.
      • Max IOPS / Volume 10,000
    4. Provisioned IOPS SSD. (io1)
      • Use case: Critical application, hosting ELK, Applications that need very fast data access
      • Max IOPS/ Volume 32,000

You will be most likely be using General Purpose SSD for your webservers, only in rare use cases Provisioned IOPS SSD

Bonus Point: If the access pattern is random, SSD is best! HDD good for sequential access.

3. EFS volume:  are similar to EBS but with one major difference! One single EFS can be mounted on multiple EC2 instances.
EFS data can be backed up in two options:
1) AWS Backup service
2) EFS – EFS backup solution.

4. AWS S3:

  • acts as object storage.
    • Each object consists of a MetaData (created by Amazon)¬† and Data (custom data).
    • An object size could be from 0 to 5 TB.
    • S3 Objects are replicated across multiple devices within a region!
    • S3 Objects are saved in a container called “Bucket“, consider Bucket as the root folder.
    • To prevent accidental object deletion, enable versioning and MFA.
    • S3 data can be replicated across other regions, this is usually done for compliance. Note: Only new objects will be replicated.
    • Bucket names are unique across all AWS Accounts!
    • The bucket name must be between 3 and 63 characters and can contain numbers, hyphens or periods.
    • Consistency Model of S3
      • When you create a new object, you will receive the latest object. (Read After Write Consistency) – PUTS to the new object
      • When you PUT or DELETE a current object,¬† AWS provides Eventual consistency, it might take a while for the changes to be affected.
    • There are eight S3 storage classes:
      1. S3 Standard: 99.99% availability, ideal for frequently accessed data.
      2. S3 Intelligent-Tiering: Consider it as an automated AI which monitors the object lifecycle in S3 and moves them to the appropriate class. For example: When an object is not accessed for more than 30 days it will be migrated to the infrequent access class. S3 Intelligent-Tiering has no impact on performance. This is a great service when the understanding of object storage duration is unknown and you would like to save cost in the long term run.
      3. S3 Standard-IA Infrequent Access: 99.9% availability, ideal for less frequently accessed data, cheaper than S3 Standard, minimum object size 128kb
      4. S3 One Zone-Infrequent-IA Access: 99.5% availability. It is 20% cheaper than S3 Standard. Data is stored in a single Availability Zone. Ideal for objects that are accessed less frequently but requires sudden access. If data resilience is not important and you would like to reduce cost this is the ideal class.
      5. S3 Glacier Instant Retrieval: Provides the quickest time to archive storage! (this is important to note). 128kb minimum object size.
      6. S3 Glacier Flexible Retrieval: Used for data archiving such as long term compliance. There is no upfront cost, pricing is based upon per GB storage. Data is encrypted by default. This is good for data that needs to be accessed 1 or 2 times a day. Provides three methods to access data
        1) Expedited: Retrieve data within 1 to 5 minutes
        2) Standard: Retrieve data within 3-5 hours
        3) Bulk: Retrieve data within 5 to 12 hours.
      7. S3 Glacier Deep Archive: Lowest cost of all S3 storage methods.
      8. S3 on Outposts: lets S3 deliver files to on-premises AWS Outposts environment.

AWS CloudFormation

Declare AWS resources in JSON or YAML format. Allows you to manage resources in AWS through Code.

Lambda

Lambda is a fully managed compute ecosystem by AWS which lets you just deploy code (Node.js, Go,Python, Java and C#). With Lambda AWS looks after the underlying system.


2. Design Performant Architectures

AWS EC2

Key points to remember:

  1. Understand the difference between the three payment plans:
    • On-Demand instances:¬†
      • pay per hour
      • Use cases: development/ testing environment.
      • Going to production not 100% confident of your resource utilisation, go for On-demand first then Reserved
    • Reserved¬†instances
      • 1 or 3-year agreement (up to 75% discount in 2020 this has increased to 75%)
      • Capacity reservation is possible with Reserved instances!
      • Use cases: production-ready applications, applications that will be live for a long time.
    • Spot Instances
      • ¬†bid on the price
      • Use cases: applications that termination of an instance won’t cause an issue.
    • Saving Plans
      • ¬†This is a new pricing plan: It’s a flexible plan, it is similar to the Reserved plan. The discount is not tied to the instance type but to the usage. This also applies to Fargate
    • Dedicated Hosts
      • You purchase the physical EC2 machine. Ideally, this is used for compliance purposes only/li>
  2. How does Spot Instance works: If the price of the spot instance goes above the bid price, or there is not enough capacity, the AWS EC2 instance will receive a termination notice and will be terminated in two minutes.
  3. There are three tenancy options:
    1. Shared Tenancy: Multiple instances run on the same hardware (default option)
    2. Dedicated instance: A dedicated hardware that runs only a single customer instance
    3. Dedicated host: Physical server with full EC2 capacity dedicated to the user. It’s mostly used for Licensing reasons.
  4. Launch Templates Similar to Launch config but it comes with Versioning. Launch templates can have different versions with each can have different parameters. They are used in autoscaling policies. You can set the auto-scaling to pick up the latest launch template.Note: only 5,000 launch templates per Region are allowed and 10,000 versions of a single launch template can exist.
    Launch templates cannot be validated! Please try them before using them in autoscaling.
  5.  Instance store data is lost when an Amazon EC2 instance is restarted or terminated. It is temporary data!
  6. There are four types of AMI’s
    1. AMI’s that are published by AWS:¬†These are maintained and managed by AWS and are very reliable.
    2. AWS Marketplace:¬†You could purchase AMI’s from other providers such as Bitnami, Drupal. You don’t need to install the applications.
    3. Existing Instance AMI’s: AMI’s from a current EC2.
    4. Uploaded AMI’s from Virtual Servers:¬† These are AMI’s that have been Imported or Exported via AWS Import/Export Service.
  7. Public IP is changed on a stop/start of an instance. To avoid the change of IP,  associate an Elastic IP to your instance.
  8. Elastic IP attached to an EC2 instance will not incur any charge! But, if it is not associated you will be charged.
  9. A newly launched Window Instance can be accessed via the Random Password which AWS generates upon the completion of the instance creation.
  10. Bootstrapping: This allows you to execute a script when an instance is booted.  Usually, it involves installing certain packages or configuring Chef/Puppet.
    Ideally, you would write a cloudinit script that would install Chef/Puppet or Ansible then they would handle the provisioning of the instances
  11. Enhanced Networking: This is a feature in AWS EC2 which improves network connectivity. Note: Only specific EC2 types support it and can be enabled in a VPC only.
  12. Termination Protection prevents accidental deletion of an EC2 instance.
  13. Placement Group:¬† Let’s you place multiple AWS EC2 instances in a group, this will provide a lower network latency.

AWS Databases:

AWS Aurora Serverless is a database type that you don’t need to manage the scaling of it. Unlike RDS which you pay for the instance type, in Aurora Serverless you pay for the storage and capacity only.

In my experience these are the most common point that you should know before taking up the exam:

  1. Understand the difference between
    1. OLTP – Online Transaction Processing (database types: AWS RDS, AWS Aurora)
    2. OLAP – Online Analytic Processing (AWS Redshift)
  2. Understand the difference between
    • RPO (Recovery Point Objective) – the acceptable data loss.
    • RTO (Recovery Time Objective) – the time in future that your application can be live from failure.
  3. Manual DB Snapshots are not deleted automatically compared to Automated DB Snapshots!
  4. To create a fault-tolerant and high available database architecture, implement Multi-AZ. When the master database fails, the slaves will become the master.
  5. Use the DNS name in your application to connect to the database. If the database fails, AWS will update the records so it won’t impact your application. (Used in Multi AZ)
  6. Use Read Replicas in a heavy read traffic website. To offload the load from the master database
  7. Using AWS Redshift bulk import command is much more efficient than raw SQL Queries.
  8. Amazon DynamoDB is the AWS Managed NoSQL database.
  9. Increase the write efficiency of an Amazon DynamoDB by randomizing the primary key value.
  10. Using DynamoDB needs planning ahead. Access pattern on data retrieval is important
  11. Using DynamoDB needs planning ahead. Access pattern on data retrieval is important
  12. PostgresSQL, Aurora, MariaDB and MySQL support read replica.
  13. Oracle and Microsoft SQL Server do not support read replica

The exam will ask you which database is best suited for NoSQL (Non-relationship database) – it’s always AWS DynamoDB !

Caching

At different levels of an application, we can implement caching.

CloudFront

  • CDN of AWS
  • To reduce the distance between the user and the webserver, CDN stores the cached version
    of the content in various locations called ‚Äúedge locations‚ÄĚ . The user is routed to the nearest
    edge location.
  • Cloudfront can work with AWS resources such as S3 or non-AWS resources (websites not
    hosted on AWS)

Key points in CloudFront

  • Distributions: the CDN domain name. In order to use CloudFront you would need to create a
    distribution d123123.cloudfront.net . All you need to do is replace your domain name with
    the distribution name. ex: https://infinitypp.com/media/user-pic.jpg would be
    https://d123123.cloudfront.net/media/user-pic.jpg
  • Origins: the location¬†in which CloudFront fetches files. CloudFront can fetch files from the
    below:

    • S3 Bucket.
    • Custom origin.
    • EC2 Instance.
    • ELB
    • AWS Elemental MediaPackage Endpoint
    • AWS Elemental MediaStore container
  • Cache Control: the default expiry time is after 24 hours. This can be controlled by using the
    Cache-Control Header. To remove files from the cache the invalidation API needs to be
    called.

ElastiCache

Managed in-memory cache which lets you store data. To offload database load, you can cache the DB results in ElastiCache

There are two types of ElastiCache
  • Redis Fully managed Redis engine.
    1. Allows persistence data storage
    2. Atomic operations
    3. Pub/sub messaging
  • Memcached
    1. Low maintenance
    2. Multithreading
    3. Memcached doesn’t support persistence storage!

Domain 3: Specify Secure Applications and Architectures

Shared responsibility model

AWS manages the security of the underlying ecosystem. Anything that the customer creates, or puts on the cloud is the sole responsibility of the customer. For example: when uploading a file to S3 it is the customer’s responsibility to think about its security, should the file be encrypted? should it be private?

IAM ‚Äď Identify and Access Management

IAM is used to access AWS resources. It cannot be used to access OS of servers. Like other AWS
resources, IAM falls under the shared responsibility model. This means you are responsible for assigning
the right access to the right user or resources, AWS is not.

You might be asked the authentication type for the below use cases in the exam:/p>

Use Case Solution
Operating System Access
  • Active Directory LDAP
  • Machine‚Äďspecific accounts
Application Access
  • Active Directory
  • Amazon Cognito
AWS Resources IAM

 

Principals

IAM entity which lets you manage AWS resources. It can be temporary or permanent.

There are three types of principles:

  • Root users
  • IAM Users
  • Roles
Root user
  • The account which you create your AWS Account
  • The best practice is not to use it for daily tasks and lock it away. (Enable MFA on root account)
  • It has access to all AWS resources.
IAM User
  • User accounts are persistent.
  • A new IAM user has no access key!
Roles
  • For a set duration of time roles are granted permission. (compared to USER which has persistent access)
  • When a service (actor) tries to access a resource, AWS provides a Temporary Security Token. It is valid from 15 minutes to 36 hours.
  • Few use cases of Roles:
    • EC2-Server: Instead of saving S3 credentials in the EC2 server, a role can be attached to the EC2 server to access S3 without a username and password.
    • Grant permission to other AWS Account to access your resources.
  • It is recommended to assign roles to EC2 instances instead of storing AWS credentials in code.

 

Policies

Defines actions that allow or deny execution on resources.

{
 "Version": "2012-10-17",
 "Statement": {
 "Effect": "Allow",
 "Action": "s3:ListBucket",
 "Resource": "arn:aws:s3:::example_bucket"
 }

It is written in JSON and can be attached to a group, user or role.

  • Effects: Can be either Allow or Deny.
  • Action: Which AWS service does this policy apply
  • Resource: The Amazon Resource Name (ARN).
  • Condition: List of conditions that are required for the action to be allowed.

 

Associating a policy to an IAM user can be attached in the following methods:

  1. Inline Policy
  2. Managed Policy
  3. Managed Policy
  4. Managed Policies

 

There are 6 types of Policies:

  1. Identity-based policies: JSON policies that are attached to users or roles. Two types: Inline and Managed Policy. The managed policy is recommended because it avoids duplication and can be attached to other roles.
  2. Resource-based policies: Policies that are attached to resources.
  3. IAM Permissions Boundaries: It is used to set maximum permissions an identity-based policy can grant to an IAM entity.
  4. Service Control Policies (SCPs): JSON Policies can specify the maximum permissions for an organization or organization unit.
  5. Access Control Policies: This allows you to control which principals in another account can access a resource.
  6. Session Policies: Passed as a parameter.

 

Download the remaining part:

!

I’m a passionate engineer based in London.
Currently, I’m working as a Cloud Consultant at Contino.

Aside my full time job, I either work on my own startup projects or you will see me in a HIIT class ūüôā