Introduction
What is SYSOPS?
SYStems OPerationS
Course Prerequisites
• Solid AWS service fundamentals
• Previous AWS operations experience
  • CLI
  • Console
• Command-line proficiency
Course Scope
In scope:
• Operations
• Limits
• Trade-offs
• Service scope
• Deployment choices
• Sample questions
Out of scope:
• Service definition
• Fundamentals
• Global PoP
• Architecture
Exam Dashboard
Where is the exam dashboard?
https://aws.amazon.com/certification/certified-sysops-admin-associate/
Exam Dashboard sections: Exam Concepts, Candidate Overview, Exam Overview
Exam Blueprint
Where is the exam guide?
http://awstrainingandcertification.s3.amazonaws.com/production/AWS_certified_sysops_associate_blueprint.pdf
Exam Blueprint sections: AWS Knowledge, General IT Knowledge, Helpful Resources
Exam Blueprint: Question Domains
Exam Blueprint: Explanation of question domains
TL; DR
Too Long; Didn't Read
Operations:
• Deploying
• Managing
• Operating
Architecture:
• Scalable
• Highly available
• Fault tolerant
Concepts
Migrating an existing on-premises application to AWS
Service scope:
• AZ
• Region
• Global (for example DNS/CDN)
Service manageability:
• IAAS
• PAAS/SAAS
• No management of infrastructure
Candidate Overview
Service Manageability
• Unmanaged
  • Less HA/FT
  • Building blocks
• Managed
  • Range from PAAS to SAAS
  • Less overhead
AWS Certified SysOps Administrator (Associate) Crash Course
AWS Knowledge
TL; DR
• Exam topics can be based on outdated information
• The command line interface is rich with subtle options
  • Know what they are and when to use them
• Focus on solutions using automation
• CLI and SDK have similar functionality
  • Know the benefits and drawbacks of each
7 Tenets (Legacy)
1. Design for failure and nothing will fail
2. Implement elasticity
3. Leverage different storage options
4. Build security in every layer
5. Think parallel
6. Loose coupling sets you free
7. Don't fear constraints
10 Design Principles (Current)
1. Scalability
2. Disposable Resources
3. Automation
4. Loose Coupling
5. Services, not Servers
6. Databases
7. Removing Single Points of Failure
8. Optimizing for Cost
9. Caching
10. Security
AWS CLI & SDK
Three entry points: AWS Console, AWS CLI, AWS SDK
Standalone (bundled) installer
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
./awscli-bundle/install -b ~/bin/aws
AWS CLI Windows Install
Python module install (same as Linux and MacOS)
pip install awscli --upgrade --user
AWS CLI Configuration
Advanced: IAM role in .aws/config using a named profile
[profile securityadmin]
role_arn = arn:aws:iam::123456789012:role/securityadmin
source_profile = default
Cross-account access with MFA and an external ID
[profile otheraccount]
role_arn = arn:aws:iam::234567890123:role/otheraccount
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/chadsmith
external_id = 456789
AWS CLI Command Help
aws <service> <action> help
• Context-sensitive
• Paginated
• Examples
AWS CLI Command Format
--profile
  great for assuming roles
--region
  specify the region of the resource acted upon
--output
  json for schema and structured output
  text to remove formatting (easy to pipe into other tools)
  table for human readable format
--endpoint-url
  send the request to a specific endpoint instead of the default one, which can help avoid latency issues
AWS CLI Command Format
--generate-cli-skeleton
  works with --cli-input-json
  available for many actions
  output includes all possible options
  provides more structure than command-line options
  great for operations and automation
AWS CLI Queries
--query
  restrict output to specific properties
  applied client-side to the JSON the API returned, so you need to know the response schema of the specific API method
  JMESPath query expressions supported
  use for chaining commands together
  use for setting variables in scripts
AWS CLI Filters
--filter
  restrict output to specific objects
  applied server-side, so it reduces the response set, which can save time
  different for every API operation
  see the contextual help for documentation
AWS CLI Example
List running instances (instance-state-code 16) in security groups whose name starts with secgroupprefix, printing the Name tag, instance ID and DNS names as tab-separated text; --filter narrows the response server-side and --query reshapes it client-side:
aws ec2 describe-instances --output text \
  --query 'Reservations[*].Instances[?not_null(Tags[?Key==`Name`].Value)].[join(`,`,Tags[?Key==`Name`].Value),InstanceId,PublicDnsName,PrivateDnsName]' \
  --filter 'Name=group-name,Values=secgroupprefix*' \
           Name=instance-state-code,Values=16
CLI vs SDK
CLI: text output, easy
SDK: objects, portable
CLI vs SDK Bash
#!/bin/bash
# Usage: ./find-unattached-volumes.sh <region>
region=$1
# Server-side filter for unattached volumes, client-side query for the IDs only,
# text output so tr can turn the tab-separated list into one ID per line
vols=$(aws ec2 describe-volumes --region "$region" \
         --filters Name=status,Values=available \
         --query 'Volumes[].VolumeId' --output text | tr -s '\t' '\n')
for i in $vols; do
  # --dry-run checks permissions and reports what would happen without deleting
  aws ec2 delete-volume --region "$region" --volume-id "$i" --dry-run
done
CLI vs SDK Python
#!/usr/bin/env python3
# Usage: ./find-unattached-volumes.py <region>
import sys
import boto3
from botocore.exceptions import ClientError

region = sys.argv[1]
ec2 = boto3.resource("ec2", region_name=region)
# Same server-side filter as the CLI version: only unattached volumes
available_volumes = ec2.volumes.filter(
    Filters=[{"Name": "status", "Values": ["available"]}]
)
for volume in available_volumes:
    try:
        # DryRun=True never deletes: it raises DryRunOperation when the
        # caller is authorized, or UnauthorizedOperation when not
        volume.delete(DryRun=True)
    except ClientError as err:
        print(volume.id, err.response["Error"]["Code"])
CLI vs SDK Python (Lambda)
import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    # The invoking event carries the region to sweep, e.g. {"region": "us-east-1"}
    regionid = event["region"]
    ec2 = boto3.resource("ec2", region_name=regionid)
    available_volumes = ec2.volumes.filter(
        Filters=[{"Name": "status", "Values": ["available"]}]
    )
    for volume in available_volumes:
        try:
            # DryRun=True never deletes; the function's execution role needs
            # ec2:DeleteVolume for the dry run to report DryRunOperation
            volume.delete(DryRun=True)
        except ClientError as err:
            print(volume.id, err.response["Error"]["Code"])
Networking in AWS
Covered later
Security in AWS
Covered later
Question Breakdown
Which command can you run to understand syntax and task-specific options for creating an EBS volume?
Domain 1 - Monitoring and Metrics
Monitoring and Metrics
• Demonstrate ability to monitor availability and performance
• Demonstrate ability to monitor and manage billing and cost optimization processes
TL; DR
• CloudWatch metrics can be viewed in different ways
• Learn the common metrics for covered services
• Know which services have status checks
• Know the integration points for CloudWatch and Billing
CloudWatch Entry Points
• CloudWatch Console
• Resource Dashboards
• CLI
CloudWatch Metric Highlights
EC2:
• CPUCreditBalance
• CPUUtilization
• NetworkIn
• NetworkOut
EBS:
• VolumeIdleTime
• VolumeQueueLength
• VolumeReadBytes
• VolumeReadOps
• VolumeWriteBytes
• VolumeWriteOps
Classic LB:
• BackendConnectionErrors
• HTTPCode_Backend_2XX, 3XX, 4XX, 5XX
• HTTPCode_ELB_4XX, 5XX
• RequestCount
• SpilloverCount
• SurgeQueueLength
• UnHealthyHostCount
Application LB:
• ActiveConnectionCount
• ConsumedLCUs
• HealthyHostCount
• HTTPCode_ELB_4XX_Count, 5XX_Count
• HTTPCode_Target_2XX_Count, 3XX_Count
• HTTPCode_Target_4XX_Count, 5XX_Count
• NewConnectionCount
• RejectedConnectionCount
• RequestCount
• RequestCountPerTarget
• RuleEvaluations
• TargetConnectionErrorCount
• TargetResponseTime
• UnHealthyHostCount
Network LB:
• ActiveFlowCount
• ConsumedLCUs
• HealthyHostCount
• NewFlowCount
• TCP_Client_Reset_Count
• TCP_ELB_Reset_Count
• TCP_Target_Reset_Count
• UnHealthyHostCount
RDS (Non-Aurora):
• CPUUtilization
• DatabaseConnections
• FreeStorageSpace
• ReadIOPS
• WriteIOPS
RDS (Aurora) (lots of latency/throughput metrics):
• ActiveTransactions
• BlockedTransactions
• CommitThroughput
• DeleteThroughput
• InsertLatency
DynamoDB:
• ConsumedReadCapacityUnits
• ConsumedWriteCapacityUnits
• ReadThrottleEvents
• WriteThrottleEvents
CloudWatch Custom Metrics
• Required for anything generated inside the OS
  • Shared Responsibility Model coming later
• Can be pushed from on-prem resources
• Good for application metrics
SNS – Notifications
• Email
• HTTP/HTTPS
• Lambda
CloudWatch Events
• Doesn't require metrics
• More like a transaction log
• Targets include Kinesis Firehose, and more
CloudWatch Logs
[Diagram: log sources such as API Gateway are aggregated from multiple sources and stored in CloudWatch Logs]
Log Monitoring and Storage
[Diagram: Lambda writes to CloudWatch Logs; CloudWatch Logs exports to S3]
Consolidated Billing
• Multiple linked accounts
• Designated payer account
• Combined volume discounts
• Combined EC2 reservations
• NOT HIERARCHICAL
Consolidated Billing – operational ramifications
• Automated cross-account service integration
• Programmatic account creation
• Disables the Detailed Billing console for child accounts
Cost Optimization
• EC2 cost models
• Temporary resources
• Managed services
• Trusted Advisor dashboard reports
Domain 2 - High Availability
High Availability
• Implement scalability and elasticity based on scenario
• Ensure level of fault tolerance based on business needs
TL; DR
• Learn common deployment patterns for HA
• Just in time provisioning
• Trend toward temporary resources
• Trend toward managed services
• Trend toward regional scope over AZ scope
• Multi-regional deployments increase availability and cost
• Focus on details over strategy
• How does HA affect operations?
Terms
Fault Tolerance - The system will continue to function without degradation in performance despite the complete failure of any component of the architecture.
High Availability - The system will continue to function despite the complete failure of any component of the architecture.
Multiple AZ VPC
[Diagram: multiple subnets with different internet accessibility, spread across AZs]
VPC
• NAT Gateway per AZ (a NAT Gateway is zonal, so one per AZ avoids making every AZ depend on a single AZ for egress)
VPC
• Internet Gateway, VPC Endpoint and Virtual Private Gateway egress points are all HA/FT
ELB
Helps create HA/FT infrastructure
• Classic
  • Can deploy into multiple AZ
  • Supports EC2 Classic
• ALB
  • Deploy into multiple AZ
  • Layer 7
• NLB
  • Deploy into multiple AZ
  • Targets can be IP addresses on-premises
Decoupling with SNS and SQS
[Diagram, built up over three slides]
• Publish a message to an SNS topic to start the workflow
• SQS queues: the same message is delivered to 3 queues for 3 tasks
• 3 Auto Scaling groups perform the tasks independently
Domain 3 - Analysis
Analysis
• Optimize the environment to ensure maximum performance
• Identify performance bottlenecks and implement remedies
• Identify potential issues on a given application deployment
TL; DR
• Group services into similar functions
• Understand operational effects of tradeoffs
• Learn performance design patterns
• Recognize design bottlenecks
Tradeoffs – Block Volumes
Tradeoffs – Database Services
Tradeoffs – Container Services
Maximize Performance
• Single AZ
• Placement group
• Enhanced networking
• Jumbo frames
• Keep traffic inside the VPC
• VGW vs Direct Connect
Identify Bottlenecks
• Undersized NAT instance
• Undersized RDS instance
• Undersized EC2 instance
• Old EC2 instance type
• Underprovisioned EBS volume
• Latency from cross-AZ traffic
• Serving static assets from EC2
• Aggregating S3 requests from a single instance
Question Breakdown
Your application consists of two EC2 instances that require high node-to-node network throughput and low latency. What configuration choices can meet these requirements?
Domain 4 - Deployment and Provisioning
Deployment and Provisioning
• Demonstrate the ability to build the environment to conform with the architected design
• Demonstrate the ability to provision cloud resources and manage implementation automation
TL; DR
• Know which services can meet requirements
• Tradeoffs – flexibility and manageability
• Deployment choices are not mutually exclusive
• Learn limitations of Infrastructure As Code options
Provision Cloud Resources
• Manual provisioning
OpsWorks Basics
• Chef Automate
• Puppet Enterprise
• Stacks consist of layers
  • EC2
  • Elastic Load Balancing
  • RDS
  • ECS
  • Custom
OpsWorks Key Concepts
• Good for Chef/Puppet shops (hybrid environments)
• Built-in auto scaling (but not the Auto Scaling service)
• Focuses on resources similar to on-prem networks
• Managed service = highly available
• Many integration points with the AWS ecosystem
Elastic Beanstalk Basics
Covered earlier
Elastic Beanstalk Key Concepts
• Manages the platform
  • ELB
  • Auto Scaling
  • RDS
• Still requires OS management
• Does not address backups
• Does not address multi-regional deployment
EC2 Run Command Basics
• Renamed Systems Manager Run Command
• Runs manual or scheduled tasks
• Works in hybrid environments
• Parallelized
• Tracks results and errors
ECS Basics
• Deploy containers without managing infrastructure
• Supports Docker and Windows containers
• Choice of deployment via EC2 or Fargate
• Supports existing VPC infrastructure
EKS Basics
• Similar to ECS
• Deploy Docker containers without managing infrastructure
• Designed around Kubernetes
• Choice of deployment via EC2 or Fargate
• Supports existing VPC infrastructure
• Hybrid infrastructure support
CodeDeploy Basics
• Deploy to EC2, Lambda, or on-premises
• File and command-based framework
• Rolling updates
• Blue/green deployments
• Stop and rollback
Blue-Green Deployment
[Diagram: weighted round-robin routing between two Elastic Beanstalk environments]
Blue-Green Deployment
[Diagram: weighted round-robin routing between two CloudFormation stacks]
Blue-Green Deployment
[Diagram: Auto Scaling with Launch Config 1 and Launch Config 2]
Blue-Green Deployment
How many other possibilities?
• ECS
• OpsWorks
• CodeDeploy
• Multiple options for Elastic Beanstalk
• Multiple options for CloudFormation
• Multiple options for Auto Scaling
• And others!
Question Breakdown
Your R&D team wants to deploy a new application using Docker containers. Which services can be used to deploy and manage the containers? (pick three)
A. EC2
B. AWS Lambda
C. Elastic MapReduce
D. Elastic Container Service
E. AWS Systems Manager
F. Elastic Beanstalk
Breakdown – Key Terms
Docker containers; deploy and manage the containers; pick three
Breakdown – Answer Selection
• A: EC2 is the Swiss army knife of AWS, and supports containers
• B: Lambda is entirely serverless, with no control over infrastructure
• C: EMR is a managed Hadoop framework, not Docker
• D: Containers are the primary function of ECS
• E: SSM is for inventory, patches, parameters, and updates
• F: Elastic Beanstalk supports Docker as a choice for deployment
Breakdown – Answer
Answers: A, D, F
Domain 5 - Data Management
Data Management
• Demonstrate ability to create backups for different services
• Demonstrate ability to enforce compliance requirements
• Manage backup and disaster recovery processes
TL; DR
• Learn differences between automated and manual backups
• Learn how to copy backups between regions
• Understand impact of encryption on backups
• Identify which backups impact availability
• Know which services enforce compliance
• Learn the four DR scenarios
• HA and FT still apply to DR environments
Backups – EC2
• EBS snapshots
  • Increase durability
  • Option to share across accounts
  • Option to copy to a different region
  • May require the volume to be quiesced (service interruption)
• Ephemeral (instance store) volumes
  • No native backup functionality
  • Can do file level sync to S3 or EBS
Backups - RDS
• No interruption of service (a Single-AZ instance sees a brief I/O suspension; a Multi-AZ instance is backed up from the standby)
• Automated daily snapshot
  • Can only be restored; copy it to a manual snapshot to share or keep it
  • Deleted if the DB instance is terminated
• Manual snapshot
  • Share across accounts
  • Copy to a different region
  • Retained after DB instance termination
Backups - Redshift
• No interruption of service
• Automated snapshot
  • Taken after 8 hours or 5 GB per node of data change
  • Can be automatically copied to a different region
• Manual snapshot
  • Can be automatically copied to a different region
  • Can be shared across accounts
  • Retained after cluster termination
Backups – DynamoDB
• No interruption of service
• Legacy – export to S3
• Current - Point-in-time recovery (PITR)
  • 35 day retention
• Current – On-demand backup
• Automatically encrypted
Backups – S3
• Bucket versioning
  • Increases cost
  • Lifecycle policies for versions
• Cross-region replication
  • Even across accounts
• CLI-based copy or sync
Backups – Onsite VMs
• VM Import/Export
• AWS Connector for vCenter (VMware)
• Mileage may vary
• Launching from an AMI and bootstrapping may be cleaner
Backups – Storage Gateway
• File gateway
  • S3 buckets available as NFS mounts
  • Run on-premises or in EC2
  • No need for explicit backups
• Volume gateway
  • Cached mode – data written to S3, cached locally
    • No need for explicit backups
  • Stored mode – async backup to S3
    • May need file level backups
• Tape gateway
  • Backed up automatically to S3
Manage Backup Workflows
• CLI
• EC2 Run Command
• Lambda functions
• Data Pipeline
• 3rd party backup software
DR Processes
Learn the 4 DR scenarios
• Backup and restore
• Pilot light
• Warm standby
• Multi-site solution
https://media.amazonwebservices.com/AWS_Disaster_Recovery.pdf (pages 9-18)
DR Scenarios - Highlights
Backup and restore - preparation and execution
[Diagram: corporate data center -> AWS cloud]
• Create AMIs and network infrastructure
• Create ELB
• Launch EC2/RDS
• Restore data
Backup and restore - strategic summary
Consideration          Score
RTO                    4
RPO                    4
Cost                   1
Time to implement      1
Complexity to manage   1
(1 is best, 4 is worst)
DR Scenarios - Highlights
Pilot light - preparation and execution
[Diagram: corporate data center -> AWS cloud]
• Create AMIs and network infrastructure
• Create ELB
• Launch DB
• Configure DB replication
• Provision EC2
• Scale DB
• Promote DB replica
• Perform DNS cutover
• Configure monitoring
• Configure CI/CD
Pilot light - strategic summary
Consideration          Score
RTO                    3
RPO                    3
Cost                   2
Time to implement      2
Complexity to manage   2
(1 is best, 4 is worst)
DR Scenarios - Highlights
Warm standby - preparation and execution
[Diagram: corporate data center -> AWS cloud]
• Create AMIs and network infrastructure
• Create ELB
• Launch DB
• Configure 2-way DB replication
• Provision EC2
• Configure DNS "trickle" of traffic to AWS
• Configure monitoring
• Configure CI/CD
Warm standby - strategic summary
Consideration          Score
RTO                    2
RPO                    2
Cost                   3
Time to implement      3
Complexity to manage   3
(1 is best, 4 is worst)
DR Scenarios - Highlights
Multi site - preparation and execution
[Diagram: corporate data center -> AWS cloud]
• Create AMIs and network infrastructure
• Create ELB
• Launch DB
• Configure 2-way DB replication
• Provision EC2
• Configure CI/CD
Multi site - strategic summary
Consideration          Score
RTO                    1
RPO                    1
Cost                   4
Time to implement      4
Complexity to manage   4
(1 is best, 4 is worst)
Enforcing Compliance: Config Rules
• Passive
• Configuration change or periodic triggers
• Evaluate changes through AWS Config
• Apply built-in rules or custom rules (Lambda function)
• View the Compliance Dashboard for results
Enforcing Compliance: Service Catalog
• Active
• CloudFormation templates as products
• Constraints act upon provisioning
• Users access Service Catalog, not individual services
Enforcing Compliance: S3 Lifecycle Policies
• Active
• Rules apply according to object age
• One-way flow of transition/expiration
• Rules can apply to prefixes or the full bucket
• Does not require a rule for every storage class
Enforcing Compliance: Glacier Vault Lock
• Active
• Use for delete denial (for example)
• 24 hours to verify the lock
• Can never be changed once locked
Question Breakdown
Your application requires access to images stored in S3. The frequency of access will be no more than 4 times per year, and the image originals have already been archived in Glacier. Which S3 storage class would be the most cost-effective for application access?
A. S3 Standard
B. S3 Infrequent Access
C. S3 One Zone-Infrequent Access
D. Reduced Redundancy Storage
Breakdown – Key Terms
no more than 4 times per year; originals already archived in Glacier; most cost-effective
Breakdown – Answer Selection
• A: Standard is the most expensive S3 storage class
• B: S3-IA is a good option, not going to eliminate yet
• C: One Zone-IA is a good option also, and cheaper than S3-IA, eliminating B as a choice; losing the single AZ is acceptable here because the originals are already archived in Glacier and can be restored
• D: RRS was a legacy option for cheaper storage but, due to price decreases on Standard and S3-IA, is no longer relevant
Breakdown – Answer
All other choices eliminated
Answer: C
Domain 6 - Security
Security
• Implement and manage security policies
• Ensure data integrity and access controls when using the AWS platform
• Demonstrate understanding of the shared responsibility model
• Demonstrate ability to prepare for security assessment use of AWS
TL; DR
• Protect your data using multiple strategies
• There are both active and passive options
• Shared responsibility model defines strategy for services and features
• Multiple choices for encryption and access control
IAM Policy Statements
• Sid
• Effect
• Principal
• Action
• Resource(s)
• Condition(s)
IAM Policy Tips
• Learn where to use "not"
  • NotAction, NotIpAddress, NotResource, etc.
  • NotAction combined with Allow grants every action that is not listed, so use it with Deny unless that really is the intent
• Combine statements
• Managed policy length is limited to 6,144 characters (inline policies have their own per-entity limits)
• Edit policies in the console to auto-validate the JSON
• Learn all condition types and their appropriate use
IAM Policy Example Part 1
Ability to list the bucket itself:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["s3bucketname"]
        }
      }
    },
Note: s3:prefix is a condition key of s3:ListBucket, not of s3:ListAllMyBuckets, so a StringLike test on it never matches here and this statement grants nothing as written; drop the condition, or move the prefix restriction onto the s3:ListBucket statement in Part 2.
IAM Policy Example Part 2
Allow operations within the bucket:
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::s3bucketname/*",
        "arn:aws:s3:::s3bucketname"
      ]
    },
IAM Policy Example Part 3
Explicit deny of anything that is not an S3 action on anything that is not the bucket (both NotAction and NotResource have to match for the Deny to apply):
    {
      "Effect": "Deny",
      "NotAction": ["s3:*"],
      "NotResource": [
        "arn:aws:s3:::s3bucketname/*",
        "arn:aws:s3:::s3bucketname"
      ]
    }
  ]
}
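The following Python is an added example and not part of the course deck: a minimal evaluator that applies IAM's decision order (explicit Deny beats Allow, no match is an implicit deny) to the three-part policy above, so you can see what Action/NotAction, Resource/NotResource and the StringLike condition actually do to concrete requests. It models only those elements; the request ARNs and the s3:prefix context value are constructed inputs, and IAM's full condition-operator set and policy types are out of scope.

```python
"""Minimal IAM policy evaluator for the three-statement bucket policy above.

Added example, not part of the original course deck. It models only what the
slides use: Action/NotAction, Resource/NotResource, the StringLike condition
operator, and the IAM decision order (explicit Deny > Allow > implicit deny).
"""
from fnmatch import fnmatchcase

# The deck's policy, Parts 1-3 joined into one JSON document.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*",
            "Condition": {"StringLike": {"s3:prefix": ["s3bucketname"]}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
            "Resource": ["arn:aws:s3:::s3bucketname/*", "arn:aws:s3:::s3bucketname"],
        },
        {
            "Effect": "Deny",
            "NotAction": ["s3:*"],
            "NotResource": ["arn:aws:s3:::s3bucketname/*", "arn:aws:s3:::s3bucketname"],
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, fold_case=False):
    """IAM wildcard match using only '*' and '?'. Action names are
    case-insensitive; resource ARNs are matched as written."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringLike is modelled. A key missing from the request context
    makes the condition false, which is IAM's behaviour without ...IfExists."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in pairs.items():
            if key not in context or not _any_match(_as_list(patterns), context[key]):
                return False
    return True


def statement_applies(stmt, action, resource, context):
    """True when Action/NotAction, Resource/NotResource and Condition all
    match the request. A Not* element matches when the value is NOT listed."""
    if "Action" in stmt:
        action_ok = _any_match(_as_list(stmt["Action"]), action, fold_case=True)
    else:
        action_ok = not _any_match(_as_list(stmt["NotAction"]), action, fold_case=True)
    if "Resource" in stmt:
        resource_ok = _any_match(_as_list(stmt["Resource"]), resource)
    else:
        resource_ok = not _any_match(_as_list(stmt["NotResource"]), resource)
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request.
    An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # Constructed requests; the last two show the s3:prefix caveat from Part 1.
    requests = [
        ("s3:GetObject", "arn:aws:s3:::s3bucketname/report.csv", {}),
        ("s3:GetObject", "arn:aws:s3:::otherbucket/report.csv", {}),
        ("ec2:DescribeInstances", "*", {}),
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*", {}),
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*", {"s3:prefix": "s3bucketname"}),
    ]
    for action, resource, ctx in requests:
        print(f"{action:24} {resource:40} -> {evaluate(BUCKET_POLICY, action, resource, ctx)}")
```

Run it and compare the last two lines: ListAllMyBuckets is only allowed when the evaluator is handed an s3:prefix value, which a real ListAllMyBuckets request never carries, while ec2:DescribeInstances is explicitly denied because it is neither an S3 action nor aimed at the bucket. Swap the Part 3 Effect to Allow and the same NotAction statement would grant every non-S3 action in the account, which is the trap the "learn where to use not" tip warns about.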
Question Breakdown
AWS CloudTrail logs API requests to resources in your account. Which additional service can you use to track and visualize changes made on those resources?
A. AWS Config
B. KMS
C. Amazon Inspector
D. AWS CloudFormation
Breakdown – Key Terms
track and visualize changes made on those resources
Breakdown – Answer Selection
• A: Config allows for resource change tracking and visualization
• B: KMS manages encryption keys
• C: Inspector is used for OS security audit tasks
• D: CloudFormation is designed for automated deployment of resources
Breakdown – Answer
Answer: A
Domain 7 - Networking
Networking
• Demonstrate ability to implement networking features of AWS
• Demonstrate ability to implement connectivity features of AWS
TL; DR
• Most of your resources could be outside VPC
• VPC security groups for whitelisting, NACLs for blacklisting
• VPC route tables are for traffic egress
• ELB/ALB/NLB each have specific use cases
Implement Networking Features
• Understanding service scope
  • Many services don't allow network choices
• VPC networking
• CloudFront
• Elastic Load Balancing
• Route 53
VPC Networking Limits
Learn the default limits and which can be increased when required
• Internet Gateway
• Virtual Private Gateway
• VPC Endpoint
• VPC Peering Connection
VPC Internal Egress/Ingress
• NACLs operate at the subnet boundary
• Security groups operate at the ENI boundary, enforced by the EC2 host outside the guest OS
• Host-based firewalls operate at the EC2 guest OS boundary
• In-line gateways and proxy servers can provide Layer 7 customization
• NAT Gateways integrate with route tables
• Route tables cannot allow/deny traffic between VPC subnets
VPC Route Table Operations
• Update route tables when external networks change
• Can be automated (think Lambda functions)
• Consider one route table per subnet to minimize the impact of an improper change
VPC NACL Operations
• Use NACLs for blacklisting (deny traffic)
• Can automate blacklist updates by integrating with VPC Flow Logs and Lambda
• Maintain gaps between rule numbers, as they are evaluated in order
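An added example, not from the course deck, of the Flow Logs to Lambda to NACL automation the slide describes: it counts REJECTed flows per source address, ignores addresses inside the VPC's own range, and turns the repeat offenders into inbound deny entries with gapped rule numbers. The flow log records, the VPC CIDR 10.0.0.0/16, the NACL ID and the threshold are all constructed assumptions, and the boto3 call is left as a comment so the script runs offline.

```python
"""Turn VPC Flow Log REJECT records into gapped NACL deny entries.

Added example, not from the original deck. The sample records below are
constructed, VPC_CIDR and NACL_ID are placeholders, and the final
create_network_acl_entry call is left as a comment so nothing touches AWS.
"""
import ipaddress
from collections import Counter

# Constructed sample in the default flow log format (version 2, 14 fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51001 22 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51002 3389 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.25 51003 445 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 40001 22 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 40002 23 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.25 33001 22 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.8 10.0.1.25 60001 22 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.8 10.0.1.25 60002 22 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.17 10.0.1.25 55123 443 6 12 9800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000000 1600000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Placeholders: the real values would come from the Lambda environment or event.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
NACL_ID = "acl-0123456789abcdef0"

# NACL rule numbers run 1..32766; 32767 is the reserved catch-all '*' rule.
MAX_RULE_NUMBER = 32766


def parse_flow_log(text):
    """Parse default-format records, skipping NODATA/SKIPDATA lines (no addresses)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, fields))
        if record["log_status"] == "OK":
            records.append(record)
    return records


def rejected_sources(records, threshold):
    """Source IPs outside the VPC with at least `threshold` REJECTed flows, lowest IP first.
    Addresses inside VPC_CIDR are skipped so a noisy internal host never gets blacklisted."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    hits = [ip for ip, n in counts.items()
            if n >= threshold and ipaddress.ip_address(ip) not in VPC_CIDR]
    return sorted(hits, key=ipaddress.ip_address)


def build_nacl_deny_entries(sources, nacl_id=NACL_ID, first_rule=10, step=10):
    """One inbound deny-all entry per source, numbered first_rule, first_rule+step, ...

    NACLs evaluate rules lowest number first and stop at the first match, so the
    denies must sit below the subnet's broad allow rule (commonly 100) to take
    effect; the gaps leave room to insert rules later without renumbering."""
    entries = []
    for index, source in enumerate(sources):
        rule_number = first_rule + index * step
        if rule_number > MAX_RULE_NUMBER:
            raise ValueError(f"rule number {rule_number} exceeds {MAX_RULE_NUMBER}")
        entries.append({
            "NetworkAclId": nacl_id,
            "RuleNumber": rule_number,
            "Protocol": "-1",          # all protocols
            "RuleAction": "deny",
            "Egress": False,           # inbound rule
            "CidrBlock": f"{source}/32",
        })
    return entries


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_FLOW_LOG)
    for entry in build_nacl_deny_entries(rejected_sources(records, threshold=2)):
        print(entry)
        # In the Lambda function: boto3.client("ec2").create_network_acl_entry(**entry)
```

With the constructed sample and a threshold of 2, 203.0.113.7 and 198.51.100.9 become rules 10 and 20, 192.0.2.44 is below the threshold, and 10.0.3.8 is ignored as an internal address. Before wiring this to a real NACL, check the existing rule numbers so the generated ones land below the allow rules and never collide with them.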
VPC Security Group Operations
• Delegate ownership to the devops team
• Use for whitelisting (no deny allowed)
• Consider deleting the default outbound rule that allows all traffic
  • Replace it with least privilege outbound rules
• Monitor changes with AWS Config
VPC Troubleshooting Operations
• Enable VPC Flow Logs on an ENI, subnet or VPC
• Use host-based tools for testing network connectivity
• Check CloudTrail logs
• Enable AWS Config and view resource configuration
VPC Costs
Free:
• Internet Gateway
• VPC Endpoints for S3 and DynamoDB (gateway endpoints)
• Same-AZ traffic within a VPC
Charged:
• Virtual Private Gateway
• All other VPC Endpoints
• Cross-AZ traffic
• VPC Peering traffic
• NAT Gateway
• Flow Logs
CloudFront Operations
• Modify the CNAME (alternate domain name) list
• Update the SSL certificate
• Change the allowed edge locations (price class)
• Associate a Web ACL
Further Study
AWS Whitepapers
https://aws.amazon.com/whitepapers/
• Well-Architected Framework main whitepaper
• Whitepaper for each of the 5 pillars
  • Focus on Operational Excellence!
• Well-Architected lens whitepapers (2 more!)
Get Out and Do Something!
https://aws.amazon.com/free/
  Create an account
https://aws.amazon.com/getting-started/labs/
  Self-paced labs hosted by qwikLABS
https://aws.amazon.com/getting-started/tutorials/
  10-Minute Tutorials
Q&A
BREAK TIME