Amazon Web Services continues to gain more and more momentum with each passing day. Lots of companies are looking to move to AWS and they are looking for seasoned developers to help them do so. It isn't surprising that AWS certifications have become very popular.
There are different certifications across different disciplines that you can take:
- Certified Solutions Architect (Associate & Professional)
- Certified Developer (Associate)
- Certified SysOps Administrator (Associate)
- Certified DevOps Engineer (Professional)
I am going to focus on the Associate Solutions Architect and share the notes I used to study. In a later post I will cover the Professional Solutions Architect certificate.
Associate Solutions Architect Domains
The exam consists of four domains:
- Design (60%)
- Implementation/Deployment (10%)
- Security (20%)
- Troubleshooting (10%)
The percentages let you know what percent of the exam covers that domain. You won't know how many questions are on the exam until you sit for it. There is also not a published "passing score". Your score is based on how you do across the different domains.
Get Familiar With Amazon Web Services
Packed into each domain is enough information to make your head spin. I focused on the practical things and knowing a little bit about each service within each domain. I had about three years of full time development with AWS before taking the exam. This definitely helped me but it is possible to pass the exam without that much experience.
You should not take the exam without experimenting with various services before hand. You should at least experiment with the following core services:
- Elastic Compute Cloud (EC2)
- Simple Storage Service (S3)
- Relational Database Service (RDS)
- Elastic Block Store (EBS)
- Virtual Private Cloud (VPC)
- Identity Access Management (IAM)
There is enough features, gotchas, and use cases for each of these services. You won't know everything about each one. That isn't the goal. The goal is to know what problem each service aims to solve and the basics of using it to solve that problem.
Domain 1: Design
This domain focuses on identifying and recognizing architecture considerations in the cloud. Cost, networking, and security are all considerations that you need to be aware of. For this domain, focus on those considerations within the context of AWS.
There is a need to know two important terms as it relates to system design in AWS.
Highly Available: The system must continue to function, but it can continue in a degraded state.
Fault Tolerant: The system must function without degradation despite complete component failure.
You need to know how to differentiate between these two design considerations. It is almost a guarantee that there will be questions where you must know the differences. Be prepared to reason about these. A good white paper on this can be found here.
Exam tip: If the question mentions fault tolerance in anyway, then design for FT.
Another aspect of the Design domain that you should know for the exam is cost. A big driver for cost on AWS is the elasticity it provides. Questions asking how to make things cost effective often comes down to elasticity on demand. Also know that most things that will cost more more money in a service are typically off by default.
Domain 2: Implementation/Deployment
The focus here is on knowing how to leverage a collection of AWS services to build a cloud solution. There are some heavy hitter services that could come up in questions. Know how each of these services play into the implementation and deployment concept. Services you need to know about for this section in my experience are:
- Know about On Demand vs Reserved vs Spot Instances.
- Elastic Block Store (EBS) backed instances versus instance store.
- You need to know what t2. instance class is used for and how CPU credits can impact you.
- You need to know how to leverage instance user data to configure instances when they launch.
- It is important to know how EC2 IP addressing works (i.e. by default there is no public IP address).
- Be familiar with how subnets in a VPC work and what it means to have a public or private subnet.
- Security groups and ACL's are very important in the context of VPC. Know the difference and the problems each one is trying to solve.
- There may be a question on how to peer from one VPC into another. Understand the use case for doing this.
- When leveraging S3 you must know the eventual consistency model it uses. Read after write on new files.
- Know the differences between Standard, Infrequent Access (IA), and Glacier storage classes. Key things to know about each are durability, availability, and time to first byte.
- In hot topics, know how to control access to buckets.
- Lifecycle policies are important when it comes to moving data automatically in S3.
- Know the use cases and benefits to CloudFront as well as the limitations when compared to other CDN offerings.
- Understand the types of origins it can support (static and dynamic content).
- Be able to reason about how you can protect private content stored in S3 by fronting it with CloudFront.
- You need to know the basic concepts behind NoSQL key-value stores and how to query them.
- Know the most common use cases. Storing sessions data, storing S3 object metadata, and high-scale databases.
- Know the benefits associated with Dynamo. Single digit millisecond read and write latency at any scale.
- Understand the pricing structure and what a write and read unit are.
- It is important to know how to configure multi-AZ deployments. A primary in one AZ with a sync secondary in a different AZ.
- Know how the fail over process works in multi-AZ RDS deployment.
- Always use DNS endpoints over IP Addresses. This goes for EC2 as well.
- Be familiar with the differences between automated backups and DB snapshots you create.
- Understand the recovery process for an RDS database.
This is not a comprehensive list. These are the services that I studied. There are more services worth reading about and understanding. A few are, OpsWorks, CloudFormation, and Elastic Beanstalk. Each of these has a deployment and implementation piece that is worth knowing for the exam.
Domain 3: Security
This is a very hot domain in the AWS space right now. There have been enough leaky S3 buckets making the news that people are becoming a bit uneasy. This domain focuses on knowing what AWS handles and what you are responsible for.
AWS Shared Responsibility Model
AWS takes care of the security OF the Cloud. You define your controls IN the cloud. whitepaper
This is a rather simple statement to make given the complexity of AWS. Yet it is one of the most important statements you can remember. What it boils down to is that you are responsible for securing your system. AWS will secure the data center, networking, virtualization, and storage devices. But things like encryption at rest, SSL all the way through, and what IP addresses can access a set of servers is on you.
Knowing the shared responsibility model is going to help on the exam. Thinking through questions in this domain often requires referring back to this. What will Amazon take care of for me versus what I need to do.
Other things that are relevant to this domain that you should know.
- Identity Access Management (IAM): Know how to create users, roles, and most importantly policies to control access.
- Security Token Service (STS): Grant a person or process temporary rights to your AWS resources.
- Federated identities: Use these to avoid having to create IAM user accounts and leverage your own user directories.
- Security Groups vs ACL's: Know what each one solves and where the differences are.
- VPC: We touched on this earlier but really knowing this topic will benefit the security domain as well.
- Encryption at rest: You need to know which services offer this and which do not.
Knowing the security principles to the core services is going to pay dividends. Knowing things like S3 access policies and IAM instance profiles are going to come in handy as well. Don't be afraid to over study.
Domain 4: Troubleshooting
The last domain is why it is so important you study for this exam by actually using the services. How can you troubleshoot a scenario if you have never used the services mentioned? You can't. This domain is all about how do you debug common scenarios that pop up in AWS. Some things that are worth knowing how to troubleshoot are:
- Not being able to connect to an EC2 instance.
- How to recover data from an EC2 instance that has stopped. How to do that if it is EBS backed.
- Not being able to create more EC2 instances in a given region due to service limits.
- Debugging an error that happened in a Lambda function via CloudWatch logs.
These are only four examples but I can assure you that there are hundreds of these. The only way to study for this domain is to play with things, make mistakes, and then learn from them.
There is lucrative opportunities for developers that know how to leverage cloud providers. Whether that provider is AWS, Azure, or Google Cloud is irrelevant. A certification in either one of them shows commitment. It shows you have a better than documentation level understanding of the platform. Reading the documentation is not good enough. You must understand the services available to you by using them. Only then can you design systems in the cloud that take full advantage of it.
The Solutions Architect exam is one of many. It covers a wide range of topics that will teach you a lot. Reading books, watching videos, and going through the documentation are great study tactics. That said, you should also use the services your learning about. Nothing builds up scar tissue and exam answers quite like experience.