AWS Certified SysOps Administrator

ASSOCIATE (SOA-C01) EXAM

Includes one year of FREE access after activation to online learning environment and study tools:

2 custom practice exams
100 electronic flashcards
Searchable key term glossary

STUDY GUIDE

SARA PERROTT
BRETT McLAUGHLIN

Second Edition


AWS Certified SysOps Administrator

Study Guide, Second Edition

Sara Perrott

Brett McLaughlin


Copyright © 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-56155-2 ISBN: 978-1-119-56157-6 (ebk.) ISBN: 978-1-119-56152-1 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020931495

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.



I dedicate this book to my husband for his patience and encouragement throughout the writing process. Getting this book finished meant many missed nights in Azeroth; it’s a labor of love for sure!

—Sara Perrott

This one is for Addie, who has literally grown up before my eyes while I’ve been working on this book. Addie, I’m so proud of you, and love you tons, even though you won’t understand a word of what’s in this giant tome.

—Brett McLaughlin


Acknowledgments

While a book may be a labor of love for an author, there is a fantastic team of people behind the author or authors that makes the book a reality. First off, a shout-out to our team at Wiley, who put in a lot of hard work to take the book from a manuscript to the finished book in front of you now. My gratitude to our editor, Adaobi Obi Tulton, who kept us on task and helped to polish the text. Another shout-out to our technical editor, John Mueller, whose guidance and keen eye helped to make this book better.

My personal thanks also to my agent, Carole Jelen, and to my coworkers, who put up with my need to take extra personal days to finish the book.

—Sara Perrott

Sara speaks the truth when she says that it’s rarely clear to anyone but the authors just how much help is needed to pull off a book. In this case, Sara is both a great author and someone who came in to help when I was frankly drowning! She’s made this book tremendously more valuable and you wouldn’t have it in your hands without her saving the day.

Adaobi also deserves more praise than can fit into a short paragraph. From helpful comments to gentle nudges to (at times) much-needed, “Look, I really need that chapter, Brett,” every email I received from Adaobi was right on time and just what was needed.

The rest of my thanks to the entire Wiley team, our technical editor, John, and my own agent (and Sara’s), Carole. Until next time, when we can all do it again!

—Brett McLaughlin


About the Authors

Sara Perrott is an information security professional with a systems and network engineering background. She shares her passion for all things information technology by teaching classes related to Windows Server, Amazon Web Services, networking, and virtualization, as well as other classes when needed at a local community college. She enjoys speaking at public events and presented most recently at the RSA Conference in 2019. Sara also enjoys technical editing and technical proofreading and has had the pleasure to work on a few projects doing this type of work.

When Sara is not working or writing, she enjoys spending time with her husband playing World of Warcraft, building robots, and playing with her ham radio. She also loves playing with her two pugs. Sara has a website where you can see some of the things she has been up to at www.saraperrott.com. You can also follow her on Twitter (@PerrottSara) and Facebook (@PerrottSara).

Brett McLaughlin has been working and writing in the technology space for over 20 years. Today, Brett’s focus is squarely on cloud and enterprise computing. He has quickly become a trusted name in helping companies execute a migration to the cloud—and, in particular, Amazon Web Services—by translating confusing cloud concepts into a clear, executive-level vision. He is the chief technical officer (CTO) of Volusion, an e-commerce platform company based in Austin, Texas. Prior to Volusion, Brett led large-scale cloud migrations for NASA’s Earth Science program and the RockCreek Group’s financial platform.

In addition to his work with technology, Brett is a gifted and in-demand author and video educator. In addition to numerous AWS-specific projects for Wiley, he has recently completed over 12 hours of certification training, also for Wiley, and is in preproduction on two cloud-based introductory courses for LinkedIn Learning. He is an AWS Certified Solutions Architect, Business Professional, and has managed the advancement of small businesses to AWS Partners, at both the standard and advanced tiers. You can find Brett online most easily at www.brettdmclaughlin.com.


About the Technical Editor

John Mueller is a freelance author and technical editor. He has writing in his blood, having produced 114 books and more than 600 articles to date. The topics range from networking to artificial intelligence and from database management to heads-down programming. Some of his current books include discussions of data science, machine learning, and algorithms. His technical editing skills have helped more than 70 authors refine the content of their manuscripts. John has provided technical editing services to various magazines, performed various kinds of consulting, and writes certification exams. Be sure to read John’s blog at http://blog.johnmuellerbooks.com/. You can reach John on the Internet at [email protected]. John also has a website at www.johnmuellerbooks.com/.


Contents at a Glance

Introduction xxvii

Assessment Test xxxiv

Part I AWS Fundamentals 1

Chapter 1 Introduction to Systems Operations on AWS 3

Part II Monitoring and Reporting 29

Chapter 2 Amazon CloudWatch 31

Chapter 3 AWS Organizations 61

Chapter 4 AWS Config 77

Chapter 5 AWS CloudTrail 101

Part III High Availability 119

Chapter 6 Amazon Relational Database Service 121

Chapter 7 Auto Scaling 141

Part IV Deployment and Provisioning 163

Chapter 8 Hubs, Spokes, and Bastion Hosts 165

Chapter 9 AWS Systems Manager 187

Part V Storage and Data Management 209

Chapter 10 Amazon Simple Storage Service (S3) 211

Chapter 11 Elastic Block Store (EBS) 237

Chapter 12 Amazon Machine Image (AMI) 253

Part VI Security and Compliance 269

Chapter 13 IAM 271

Chapter 14 Reporting and Logging 295

Chapter 15 Additional Security Tools 315

Part VII Networking 331

Chapter 16 Virtual Private Cloud 333

Chapter 17 Route 53 361


Part VIII Automation and Optimization 381

Chapter 18 CloudFormation 383

Chapter 19 Elastic Beanstalk 401

Appendix Answers to Review Questions 423

Index 455



Contents

Introduction xxvii

Assessment Test xxxiv

Part I AWS Fundamentals 1

Chapter 1 Introduction to Systems Operations on AWS 3

The AWS Ecosystem 5
The AWS Services Model 6
The AWS Global Presence 7

AWS Managed Services 8
What Is Systems Operations? 14

The AWS Shared Responsibility Model 15
The AWS Service Level Agreement 16
The Seven Domains 16

Working with AWS 17
The AWS Management Console 17
The AWS CLI 19
AWS SDKs 19
Technical Support and Online Resources 19
Support Plans 20
Other Support Resources 20
Key Exam Resources 20

Summary 21
Exam Essentials 21
Review Questions 24

Part II Monitoring and Reporting 29

Chapter 2 Amazon CloudWatch 31

Monitoring on AWS 32
Monitoring Is Event-Driven 33
Monitoring Is Customizable 34
Monitoring Drives Action 36

Basic CloudWatch Terms and Concepts 36
CloudWatch Is Metric- and Event-Based 36
Alarms Indicate Notifiable Change 36
Events and CloudWatch Events Are Lower Level 37
CloudWatch Events Has Three Components 37
Choosing Between Alarms and Events 37
What’s in a Namespace? 37
To the 10th Dimension 38
Statistics Aggregate Metrics 38


Monitoring Compute 39
EC2 Instance Metrics 39
EC2 EBS Metrics 40
ECS Metrics 41

Monitoring Storage 41
S3 Metrics 42
RDS Metrics 42
DynamoDB Metrics 43

CloudWatch Alarms 44
Create an Alarm Threshold 45
Set Off an Alarm 45
Respond to an Alarm 45

CloudWatch Events 46
Events 46
Rules 46
Targets 47

Summary 47
Resources to Review 48
Exam Essentials 48
Exercises 49
Review Questions 56

Chapter 3 AWS Organizations 61

Managing Multiple Accounts 62
AWS Organizations Consolidates User Management 63
AWS Organizations Consolidates Billing 63

Core AWS Organizations Concepts 64
An Organization Is a Collection of Accounts 64
Organizations Have a Master Account 65
Manage Organizational Units Across Accounts 65
Apply Service Control Policies 66

AWS Organizations and Consolidated Billing 68
Compliance Benefits 69
Prefer AWS Organizations Over Tagging 69

Summary 69
Exam Essentials 70
Exercises 70
Review Questions 73

Chapter 4 AWS Config 77

Managing Configuration Changes 78
Continuous Everything 79
On-Premises Solutions 80
Configuration in the Cloud 80


AWS Config Use Cases 81
Centralized Configuration Management 81
Audit Trails 83
Configuration as Security 83

AWS Config Rules and Responses 83
Rules Are Desired Configurations 83
A Configuration Item Represents a Specific Configuration 84
Rules Are Evaluated 85

AWS Config or AWS CloudTrail? 87
Summary 87
Resources to Review 88
Exam Essentials 88
Exercises 89
Review Questions 96

Chapter 5 AWS CloudTrail 101

API Logs Are Trails of Data 102
What Exactly Is a Trail? 103
The CloudTrail Process 105

CloudTrail as a Monitoring Tool 106
Viewing CloudTrail Logs 106
Connect a CloudTrail Trail to SNS 107
CloudTrail Handles Permissions…Sometimes 108

Summary 108
Resources to Review 108
Exam Essentials 109
Exercises 109
Review Questions 115

Part III High Availability 119

Chapter 6 Amazon Relational Database Service 121

Creating Databases with Amazon RDS 122
Amazon RDS vs. Your Own Instances 123
Supported Database Engines 125
Database Configuration and Parameter Groups 125
Scalability with Amazon RDS 127

Amazon RDS Key Features 128
Scaling Amazon RDS Instances 128
Backing Up Amazon RDS Instances 128
Securing Amazon RDS Instances 129

Multi-AZ Configuration 129
Creating a Multi-AZ Deployment 129
Failing Over to the Secondary Instance 130


Read Replicas 131
Replication to Read Replicas 131
Connecting to Read Replicas 132
Read Replicas’ Requirements and Limitations 132

Amazon Aurora 132
Aurora Volumes 133
Aurora Replicas 133

Summary 133
Resources to Review 134
Exam Essentials 134
Review Questions 136

Chapter 7 Auto Scaling 141

Auto Scaling Terms and Concepts 142
Auto Scaling Groups 143
Scaling In and Scaling Out 143
Scaling More than EC2 144
Minimums, Maximums, and Desired Capacity 145
Auto Scaling Groups Auto Scale 145
Auto Scaling Instances Must Be Maintained 146

Launch Configurations 147
EC2 Instances Are Launch Configuration Templates 147
One Auto Scaling Group Has One Launch Configuration 148
Launch Templates: Versioned Launch Configurations 148

Auto Scaling Strategies 149
Manual Scaling 149
Scheduled Scaling 149
Dynamic Scaling 150
Cooldown Periods 150
Instances Terminate in Order 151

When Auto Scaling Fails 152
Summary 153
Resources to Review 153
Exam Essentials 153
Exercises 154
Review Questions 158

Part IV Deployment and Provisioning 163

Chapter 8 Hubs, Spokes, and Bastion Hosts 165

VPC Peering 166
Understanding the Use Case for Hub-and-Spoke Architecture 168


Using a VPC Peering Connection Across Multiple Regions (Interregion Peering) 169

Bastion Hosts 169
Architecting for Bastion Host Use 170
Options for Bastion Hosts 170

Summary 171
Resources to Review 172
Linux Bastion Hosts on the AWS Cloud 172
Exam Essentials 172
Exercises 173
Review Questions 183

Chapter 9 AWS Systems Manager 187

AWS Systems Manager 188
Communication with AWS Systems Manager 189
AWS Managed Instances 190
AWS Resource Groups 191
Taking Action with AWS Systems Manager 191

Summary 196
Resources to Review 196
Exam Essentials 197
Exercises 197
Review Questions 205

Part V Storage and Data Management 209

Chapter 10 Amazon Simple Storage Service (S3) 211

Object Storage and Amazon S3 212
What’s in a URL? 214

Availability and Durability 215
S3 Storage Classes 216

Securing and Protecting Data in S3 217
Access Control 217
Versioning 220
Encryption 221

Amazon Glacier 222
Amazon Glacier Deep Archive 223

S3 Lifecycle Management 223
Storage Gateways 224
Summary 225
Resources to Review 225
Exam Essentials 226
Exercises 226
Review Questions 232


Chapter 11 Elastic Block Store (EBS) 237

Understanding Block Storage and EBS 238
Types of EBS Storage 239
EBS vs. Instance Stores 241

Encrypting Your EBS Volumes 242
EBS Snapshots 244
Summary 244
Resources to Review 244
Exam Essentials 245
Exercises 245
Review Questions 248

Chapter 12 Amazon Machine Image (AMI) 253

Amazon Machine Images (AMIs) 254
Accessibility of AMIs 255
AMI Storage 257

AMI Security 258
Launch Permissions 258
Encryption 258

Moving AMIs Between Regions 258
AWS Management Console 259
AWS CLI 259

Common AMI Issues 260
Summary 260
Resources to Review 260
Exam Essentials 261
Exercises 261
Review Questions 264

Part VI Security and Compliance 269

Chapter 13 IAM 271

Shared Responsibility Model: A Cloud Security Primer 272
Building Blocks of IAM 273

Users 273
Groups 274
Roles 274
Policies 275

Managing IAM 278
Managing Passwords 278
Managing Access Keys 279


Securing Your AWS Accounts 281
Protecting the Root Account 281
IAM Best Practices 281
Trusted Advisor 282

Other Identity Services 282
Cognito 282
Federation 283
AWS KMS 283

Summary 283
Resources to Review 284
Exam Essentials 284
Exercises 285
Review Questions 290

Chapter 14 Reporting and Logging 295

Reporting and Monitoring in AWS 296
AWS CloudTrail 296

Applying a Trail to All Regions 298
Management Events 298
Data Events 298
But You Said CloudTrail Was Free… 300

Amazon CloudWatch 300
Amazon CloudWatch Alarms 301
Amazon CloudWatch Logs 302
Amazon CloudWatch Events 303
Amazon CloudWatch Dashboard 303

AWS Config 304
Summary 305
Resources to Review 305
Exam Essentials 306
Exercises 306
Review Questions 311

Chapter 15 Additional Security Tools 315

Amazon Inspector 316
Amazon GuardDuty 318
Summary 320
Resources to Review 320
Exam Essentials 320
Exercises 321
Review Questions 326


Part VII Networking 331

Chapter 16 Virtual Private Cloud 333

Understanding AWS Networking 334
Classless Inter-Domain Routing Refresher 335
Virtual Private Cloud 336
Subnets 337
Route Tables 338
Internet Gateways 339
NAT Gateways and Instances 340
VPC Endpoints 342
Connecting to the Outside 344

Securing Your Network 345
Security Groups 345
Network Access Control Lists 346

Troubleshooting Network Issues 347
VPC Flow Logs 347
Other Resources 348

Summary 348
Resources to Review 349
Exam Essentials 350
Exercises 351
Review Questions 356

Chapter 17 Route 53 361

Domain Name System 362
DNS Records 363

Amazon Route 53 364
Amazon Traffic Flow 366
AWS Private DNS 366

Routing Policies 366
Simple Routing Policy 366
Failover Routing Policy 367
Geolocation Routing Policy 368
Geoproximity Routing Policy 368
Latency Routing Policy 369
Multivalue Answer Routing Policy 369
Weighted Routing Policy 370

Health Checks and Failover 371
Summary 372
Resources to Review 372
Exam Essentials 373
Exercises 373
Review Questions 377


Part VIII Automation and Optimization 381

Chapter 18 CloudFormation 383

An Introduction to IaaS 384
CloudFormation Templates 385
AWSTemplateFormatVersion 385

Description 385
Metadata 386
Parameters 386
Mappings 386
Conditions 387
Transform 388
Resources 388
Outputs 388

Creating and Customizing Your Stacks 389
Parameters 389
Outputs 390

Improving Your Templates 390
Built-in Functions 390
Mapping 391
Pseudo Parameters 392

Issues with CloudFormation Templates 392
Summary 392
Resources to Review 393
Exam Essentials 393
Exercise 394
Review Questions 396

Chapter 19 Elastic Beanstalk 401

What Is Elastic Beanstalk? 402
Platforms and Languages 403
Creating a Custom Platform 405

Updates in Elastic Beanstalk 408
All-at-Once Deployment 409
Rolling Deployment 409
Rolling with Additional Batches Deployment 409
Immutable Deployment 409

Testing Your Application with a Blue/Green Deployment 410

Configuring Elastic Beanstalk 410
Securing Elastic Beanstalk 412

Data Protection 412
Identity and Access Management 412
Logging and Monitoring 412
Compliance 412


Resilience 413
Configuration and Vulnerability Analysis 413
Security Best Practices 413
Applying Security Best Practices to Elastic Beanstalk 413

AWS Elastic Beanstalk CLI 414
Troubleshooting Elastic Beanstalk 414
Summary 415
Resources to Review 415
Exam Essentials 416
Exercise 416
Review Questions 418

Appendix Answers to Review Questions 423

Chapter 1: Introduction to Systems Operations on AWS 424
Chapter 2: Amazon CloudWatch 425
Chapter 3: AWS Organizations 427
Chapter 4: AWS Config 429
Chapter 5: AWS CloudTrail 430
Chapter 6: Amazon Relational Database Service 432
Chapter 7: Auto Scaling 434
Chapter 8: Hubs, Spokes, and Bastion Hosts 436
Chapter 9: AWS Systems Manager 437
Chapter 10: Amazon Simple Storage Service (S3) 439
Chapter 11: Elastic Block Store (EBS) 440
Chapter 12: Amazon Machine Image (AMI) 441
Chapter 13: IAM 443
Chapter 14: Reporting and Logging 444
Chapter 15: Additional Security Tools 446
Chapter 16: Virtual Private Cloud 447
Chapter 17: Route 53 449
Chapter 18: CloudFormation 451
Chapter 19: Elastic Beanstalk 452

Index 455


Table of Exercises

Exercise 1.1 Use the AWS CLI 21

Exercise 1.2 Configure the AWS CLI for Your AWS Account 22

Exercise 1.3 List S3 Buckets Using the CLI 22

Exercise 1.4 Create a New S3 Bucket Using the CLI 23

Exercise 2.1 Create a Custom CloudWatch Dashboard 49

Exercise 2.2 Add EC2 Line Metrics 51

Exercise 2.3 Name Your Widgets 53

Exercise 2.4 Create a Text Widget 54

Exercise 3.1 Create an AWS Organization 70

Exercise 3.2 Define and Apply an SCP 71

Exercise 4.1 Create a New S3 Bucket for Storing Configuration Information 89

Exercise 4.2 Create a New SNS Topic for Notifications of Configuration Changes 89

Exercise 4.3 Create a New IAM Role for the AWS Config Service to Use 90

Exercise 4.4 Give Your New Role Permission to Access Your S3 Bucket 91

Exercise 4.5 Turn On AWS Config and Direct It to the Created Resources 94

Exercise 4.6 Turn Off AWS Config 95

Exercise 5.1 Create a New Cross-Region Trail for Logging S3 Write Access 109

Exercise 5.2 View a CloudTrail Log 112

Exercise 5.3 Set Up Automatic Notifications When a Trail Writes a Log 113

Exercise 7.1 Create a Launch Configuration 154

Exercise 7.2 Create an Auto Scaling Group 155

Exercise 8.1 Create a VPC Peering Connection 173

Exercise 8.2 Create a Bastion Host and Configure for Use 178

Exercise 9.1 Create a Role for SSM and Attach It to Your EC2 Instances 197

Exercise 9.2 Tag Your EC2 Instances 199

Exercise 9.3 Set Up Your Resource Groups Based on Tags 199

Exercise 9.4 Use the Run Command to Install Apache on Web Servers 200

Exercise 9.5 Create a Parameter for a License Key 201

Exercise 9.6 Connect to Your EC2 Instance with Session Manager 202

Exercise 9.7 Configure Patch Manager for Your EC2 Instances 203

Exercise 10.1 Create an S3 Bucket 227

Exercise 10.2 Enable Default Encryption 227

Exercise 10.3 Enable Versioning 228


Exercise 10.4 Create and Apply a Bucket Policy 229

Exercise 10.5 Create a Lifecycle Policy 230

Exercise 11.1 Create an Unencrypted EBS Volume 245

Exercise 11.2 Use a Snapshot to Encrypt EBS Volumes 246

Exercise 11.3 Attach the Encrypted EBS Volume to an Amazon EC2 Instance 247

Exercise 11.4 Turn On Default EBS Encryption for Your Account 247

Exercise 12.1 Create an EC2 Instance from an AMI 261

Exercise 12.2 Create a Custom AMI 262

Exercise 12.3 Change the Launch Permissions of the AMI 263

Exercise 13.1 Create an IAM User 285

Exercise 13.2 Generate an Access Key 286

Exercise 13.3 Enable MFA 286

Exercise 13.4 Create a Password Policy 288

Exercise 13.5 Create a Role 288

Exercise 14.1 Set Up a Trail in AWS CloudTrail 306

Exercise 14.2 Set Up an Amazon CloudWatch Alarm 307

Exercise 14.3 Set Up an Amazon CloudWatch Dashboard 308

Exercise 14.4 Configure a Rule in AWS Config 309

Exercise 15.1 Set Up and Configure Amazon Inspector 321

Exercise 15.2 Set Up and Configure Amazon GuardDuty 323

Exercise 16.1 Create a VPC 351

Exercise 16.2 Create a Subnet and Add It to a Route Table 352

Exercise 16.3 Create a VPC Endpoint for S3 353

Exercise 16.4 Create a Security Group 354

Exercise 16.5 Create a NACL 354

Exercise 17.1 Create a Hosted Zone 373

Exercise 17.2 Create a Health Check 374

Exercise 17.3 Create the A Records for Failover 375

Exercise 18.1 Create a CloudFormation Stack 394

Exercise 19.1 Deploy a Sample Application in Elastic Beanstalk 416


Introduction

Anyone who has taken an AWS certification exam can tell you that the exams are not easy. The right study materials can make all the difference when taking the AWS Certified SysOps Administrator – Associate exam.

To pass the exam, you must understand the various services across the AWS ecosystem that enable you to do system administration work. This book is an excellent resource for your certification journey. In addition to this book, Sybex offers AWS Certified SysOps Administrator – Associate Exam Practice Tests, which gives you a variety of questions related to the material in this book and beyond to ensure that you are well prepared to take the exam. Other materials that I recommend would be the AWS documentation (typically available as HTML and PDF) and the FAQs.

You should have hands-on experience with AWS before taking this exam. The exercises in this book will help you build on that experience. When you first sign up for an AWS account, you get 12 months of free-tier access. This means that as long as you stick to free tier–eligible items, and you don’t exceed the hours or usage specified, you can practice building your infrastructure in AWS. Practice with the console, but also practice with the AWS command-line interface (CLI). You don’t have to be an AWS CLI expert to pass the exam, but you should be familiar enough with it to know the format of common AWS CLI commands.

I highly recommend reading the book cover to cover. At the end of each chapter, pause and take a moment to go through the review questions to test your knowledge of the material you have covered. Once you have finished the book, take advantage of the practice tests and flashcards available to you online after registering your book. These study aids will ensure that you have the knowledge necessary to pass the exam.

When you register for the exam, you have your choice of either PSI or Pearson Vue for your testing center. As of this writing, the cost for the associate exam is $150 USD. The questions will be in either a multiple-choice or a multiple-answer format. You have a total of 130 minutes to finish the exam.

Now that you know the basics and the recommended resources, let’s review how this book is laid out.

Part I, “AWS Fundamentals”

The first part of the book starts with the foundational topics that you need to know and understand before you dig into the rest of the book content. These topics include the Shared Responsibility Model and various methods to access resources in AWS.

Part II, “Monitoring and Reporting”

The second part of the book focuses entirely on monitoring and reporting tools that are available within AWS. You will learn more about Amazon CloudWatch, AWS CloudTrail, AWS Config, and AWS Organizations. Each chapter in this part provides coverage on these topics in detail.

Part III, “High Availability”

In the third part of this book, the focus shifts to highly available services and creating highly available architectures. AWS’ managed service for databases, Amazon Relational Database Service (RDS), is discussed along with Auto Scaling.

Part IV, “Deployment and Provisioning”

In the fourth part of the book, we look at virtual private cloud (VPC) peering and bastion hosts. We also cover AWS Systems Manager, as well as all of its components that make it a valuable deployment and provisioning utility.

Part V, “Storage and Data Management”

In the fifth part of the book, we look at storage with a focus on Simple Storage Service (S3), Glacier, and Elastic Block Store (EBS). We also examine data security and encryption as well as data life-cycle management.

Part VI, “Security and Compliance”

In the sixth part of the book, the focus changes to security and compliance topics. We first cover identity and access management (IAM), and then reporting and logging from a security and compliance perspective. We end this part with a chapter on additional security tools that you need to know and understand for the exam.

Part VII, “Networking”

In the seventh part of the book, we cover networking topics. We start with networking basics, virtual private cloud, and network address translation (NAT), and we end with DNS services and Route 53.

Part VIII, “Automation and Optimization”

In the eighth and final section, we shift to automation and optimization. Infrastructure as a Service is discussed, and AWS CloudFormation is covered in detail. Elastic Beanstalk is also covered, which is AWS’ platform as a service (PaaS).