AWS - download.e-bookshelf.de...The authors would like to thank a few people who helped us develop and write the AWS Certified SysOps Administrator Official Study Guide – Associate


AWS Certified SysOps Administrator Official Study Guide - Associate Exam

Stephen Cole, Gareth Digby, Christopher Fitch, Steve Friedberg, Shaun Qualheim, Jerry Rhoads, Michael Roth, Blaine Sundrud


Senior Acquisitions Editor: Kenyon Brown
Development Editor: Gary Schwartz
Production Editor: Rebecca Anderson
Copy Editor: Kezia Endsley
Editorial Manager: Mary Beth Wakefield
Production Manager: Kathleen Wisor
Executive Editor: Jim Minatel
Book Designers: Judy Fung and Bill Gibson
Proofreader: Nancy Carrasco
Indexer: Robert Swanson
Project Coordinator, Cover: Brent Savage
Cover Designer: Wiley
Cover Image: © Getty Images Inc./Jeremy Woodhouse

Copyright © 2018 by Amazon Web Services, Inc.

Published by John Wiley & Sons, Inc. Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-37742-9 ISBN: 978-1-119-37744-3 (ebk.) ISBN: 978-1-119-37743-6 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017947567

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1

For our customers (whom we are always obsessing over). May this book find you well in your pursuit of becoming an AWS Certified Systems Operator.

Acknowledgments

The authors would like to thank a few people who helped us develop and write the AWS Certified SysOps Administrator Official Study Guide – Associate Exam.

First and foremost, a very big thank you to all of our friends and families who put up with us spending weekends, evenings, and vacations creating content, writing questions, and reviewing each other’s chapters. Their flexibility, patience, and support made this book a reality.

Thank you to Nathan Bower and Victoria Steidel, the technical writers at AWS who reviewed and edited every single piece of content. They were always willing to review content, and their due diligence kept us on schedule. Their wisdom made us all better writers.

We could not have written this book without the help of our friends at Wiley. Gary Schwartz, Project Editor, provided valuable advice that kept us on track with our deliverables. Additionally, we were guided by Kezia Endsley, Copy Editor, who further refined our content to make the various chapters written by the many authors flow into one cohesive piece of work.

A special thanks to Eli Schilling, Biff (yes that’s his real name) Gaut, and Brian Wagner. Eli gathered the group of authors to write this book, Biff provided us much needed foresight, as he had co-authored the AWS Certified Solutions Architect Official Study Guide, and Brian helped us write some last-minute questions for the online practice exams.

Lastly, we want to thank all the Solutions Architects and Technical Trainers at AWS who participated in certification blueprint development, question writing, review sessions, and the development of a world-class certification program for cloud practitioners that is setting the standard for our industry. #LearnAndBeCurious


About the Authors

Stephen Cole is a Technical Trainer with AWS, having joined the Training and Certification team in 2016. He received his Bachelor of Arts degree from Indiana University of Pennsylvania (IUP) in 1991 and, in 2015, earned a Master of Arts in Organizational Leadership from Gonzaga University. Currently, he has two AWS certifications: Solutions Architect Associate and SysOps Administrator Associate. Stephen would like to express his gratitude and appreciation for his wife, Laura, and son, Eli, as they were both very patient while sacrificing significant family time for this book.

Gareth Digby, Technical Trainer for AWS, delivers training on AWS services to students throughout North America. Gareth holds a B.Sc. and Ph.D. in Electrical and Electronic Engineering from the University of Swansea. Gareth has held full-time faculty posts in the Electrical and Electric Engineering Department at the University of Swansea and at the School of Electrical and Electric Engineering at the University of Birmingham. He has taught as adjunct faculty in the Department of Computer Science at the University of Oxford and the Graduate School at Penn State. Prior to joining AWS, in addition to his academic posts, Gareth held System Engineering and System Architecture roles on a variety of public sector projects. Gareth wants to thank Enfield Grammar School for introducing him to computers, the Electrical and Electronic Engineering Department, and the Computer Science Department at the University of Wales, Swansea for inspiring him to teach about computers. He would also like to thank his family for allowing him to pursue these passions for far too many years.

Christopher Fitch is a Technical Trainer with AWS. He has over 15 years’ experience in various engineering, administration, and architectural positions. His experience brings with it a combination of academic and hands-on knowledge that’s provided a diverse and well-rounded set of skills. Prior to working with AWS, he spent most of his career working with the DoD. Christopher holds a Bachelor’s of Science in Technical Management from DeVry University, a Master of Science in Information Systems, and a Master of Science in Network and Communications Management from the Keller Graduate School. Chris is a geek at heart. He is a native Floridian and Seattle transplant who is passionate about design, photography, and biking.

Steve Friedberg has been an educator for 40 years, teaching in ten different countries. He has been a course developer and instructor for IBM, Oracle, DEC, Cisco, Microsoft, Marconi, and TIBCO, as well as an adjunct professor at Grace College in Winona Lake, IN. He has been with AWS as a Technical Trainer for over a year, and he holds all three AWS Associate certifications. Steve’s formal training includes a Bachelor of Science in Engineering from Cornell University and a Master of Arts in Education from Ball State University. He lives with his wife in Indiana near his children and grandchildren. His real passion is teaching and developing curriculum about the Old Testament feasts, holidays, and prophecies.

Shaun Qualheim has been with AWS since September 2014. He is currently serving customers as a Senior Solutions Architect. In previous lives, Shaun was a Linux Systems Administrator at companies ranging from a leading computational fluid dynamics (CFD) company to one of the largest educational assessment companies in the world. Shaun is the proud father of an amazing 9-year-old son, Jackson, who loves to come to the NYC AWS office and socialize with everyone. He wishes to thank his team for their patience while he worked on this book. Shaun would like to dedicate his portion of this book to his father, who taught him the value of never wavering in doing what’s right for the customer and whose example continues to show him the value of diligent work. Without that guidance, Shaun wouldn’t be where he is today.

Jerry Rhoads has been with AWS since May 2014. Jerry started off as a Solutions Architect, and he recently joined the Training and Certification Team as a Technical Trainer. Jerry holds a Bachelor’s of Science in Computer Science and a Master of Science in Information Systems Technology from the George Washington University, as well as all five AWS certifications. Jerry would like to give special thanks to Dr. Marjorie Battaglia, who inspired him to be a better writer; Reggie Carreker, who provided him with a passion for teaching; his wife, Linda, and his four children (+ one on the way), Ashley, Harry, Tinsley, and Liam for their much-needed patience and inspiration.

Michael Roth is a Technical Trainer with AWS, having joined Amazon in 2015. He is a Certified Cisco Network Academy Instructor and has taught Linux. Michael graduated from the University of Michigan with a Bachelor of Science in Zoology and a Bachelor of Arts in Urban Planning. He also has a Master of Science Degree in Telecommunications Management from Golden Gate University. Michael would like to thank his co-workers in the AWS Technical Training Organization—he is very proud to be a part of this amazing group of people. Finally, he would like to thank his spouse, Betsy, and son, Robert. Without their support and love, this book would not have been possible.

Blaine Sundrud began his teaching career at the Show Low Arizona High School before becoming a product evangelist for Digital Technology International. At DTI, Blaine worked with newspapers from around the world helping them improve their publishing platforms, until he realized that supporting the print newspaper industry was not a long-term employment option. Blaine now works in the Training and Certification department at AWS, where he holds all five certifications. His current focus is on leveraging brain science to improve classroom learning through the NeuroEducate program that he developed at AWS. Blaine wants to thank his three children: Kelly, Hunter, and Dessa for their resiliency, as well as his wife, Diana, for her high availability.

Contents at a Glance

Foreword
Introduction
Assessment Test
Chapter 1 Introduction to Systems Operations on AWS
Chapter 2 Working with AWS Cloud Services
Chapter 3 Security and AWS Identity and Access Management (IAM)
Chapter 4 Compute
Chapter 5 Networking
Chapter 6 Storage Systems
Chapter 7 Databases
Chapter 8 Application Deployment and Management
Chapter 9 Monitoring and Metrics
Chapter 10 High Availability
Appendix Answers to the Review Questions
Index

Contents

Foreword
Introduction
Assessment Test

Chapter 1 Introduction to Systems Operations on AWS
  Systems Operators
  Deploying Systems
  Monitoring Systems
  Optimizing Systems
  Fortifying Systems
  Securing Systems
  AWS Certified SysOps Administrator - Associate
  Which AWS Services Should You Study?
  Reference Architecture: The Three-Tier Design
  Introduction to the Three-Tier Design
  Sample Scenario
  Reference Architecture: The Serverless Design
  Key Product: Serverless Design
  Summary
  Exam Essentials
  Key Pieces to Study
  Review Questions

Chapter 2 Working with AWS Cloud Services
  Introduction to AWS Cloud Services
  Systems Operations Using the AWS Toolset
  AWS Software Development Kits (SDKs)
  AWS Internet of Things (IoT) and Mobile Software Development Kits (SDKs)
  Summary
  Exam Essentials
  Resources to Review
  Exercises
  Review Questions

Chapter 3 Security and AWS Identity and Access Management (IAM)
  Security on AWS
  Shared Responsibility Model
  AWS Security Responsibilities
  Customer Security Responsibilities
  AWS Global Infrastructure Security
  Physical and Environmental Security
  Business Continuity Management
  Network Security
  Network Monitoring and Protection
  AWS Compliance Program
  Securing Your AWS Account with AWS Identity and Access Management (IAM)
  IAM User
  IAM Groups
  IAM Policies
  IAM Roles
  Best Practices for Securing Your AWS Account
  Securing Your AWS Cloud Services
  Key Pairs
  Monitoring to Enhance Security
  AWS CloudTrail
  Amazon Virtual Private Cloud (Amazon VPC) Flow Logs
  Amazon CloudWatch
  AWS Config
  Amazon Inspector
  AWS Certificate Manager
  AWS Web Application Firewall (AWS WAF)
  AWS Trusted Advisor
  AWS Cloud Service-Specific Security
  Compute Services
  Networking
  Storage
  AWS Storage Gateway Security
  Database
  Application Services
  Analytics Services
  Deployment and Management Services
  Mobile Services
  Applications
  Summary
  Exam Essentials
  Exercises
  Review Questions

Chapter 4 Compute
  Introduction to AWS Compute Services
  Amazon Elastic Compute Cloud (Amazon EC2)
  Implementation
  Management
  Security
  Amazon EC2 Container Service (Amazon ECS)
  Implementation
  Management
  Security
  AWS Elastic Beanstalk
  Languages Supported in AWS Elastic Beanstalk
  Services that AWS Elastic Beanstalk Deploys
  Management
  Security
  AWS Lambda
  Implementation
  Management
  Security
  Amazon Lightsail
  Implementation
  Management
  Security
  AWS Batch
  Implementation
  Management
  Security
  Summary
  Exam Essentials
  Resources to Review
  Exercises
  Review Questions

Chapter 5 Networking
  Introduction to Networking on AWS
  Amazon Virtual Private Cloud (Amazon VPC)
  Amazon VPC Implementation
  Amazon VPC Management
  AWS Direct Connect
  AWS Direct Connect Implementation
  AWS Direct Connect Management
  AWS Direct Connect Security
  Load Balancing
  Load Balancing Implementation
  Load Balancing Management
  Load Balancing Security
  Virtual Private Network (VPN)
  VPN Installation
  VPN Management
  Amazon Route 53
  Amazon Route 53 Implementation
  Amazon Route 53 Management
  Amazon CloudFront
  Amazon CloudFront Implementation
  Amazon CloudFront Management
  Amazon CloudFront Security
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Chapter 6 Storage Systems
  Understanding Different Storage Options
  Block Storage vs. Object Storage
  Block Storage Basics
  Object Storage Basics
  Retrieval Times (Hot vs. Cold Storage)
  Cost Efficiency
  Block Storage on AWS
  Amazon Elastic Block Store (Amazon EBS)
  Instance Store
  Amazon Elastic File System (Amazon EFS)
  Object Storage on AWS
  Amazon Simple Storage Service (Amazon S3)
  Amazon Glacier
  Systems Operator Scenario: The Newspaper
  Storage Needs
  Solution Breakdown
  Additional Storage Solutions
  Amazon CloudFront
  AWS Storage Gateway
  AWS Snowball
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Chapter 7 Databases
  Introduction to AWS Databases
  SQL vs. NoSQL
  Relational Databases Overview
  Relational Database Design
  Non-Relational Database Overview
  Amazon RDS Features and Benefits
  Amazon Aurora
  Monitoring Amazon RDS
  Monitoring Tools
  Amazon RDS Pricing
  Non-Relational Databases
  Amazon DynamoDB
  Amazon DynamoDB Core Components
  Amazon Redshift
  Cluster Management
  Cluster Access and Security
  Databases
  Monitoring Clusters
  Amazon ElastiCache
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Chapter 8 Application Deployment and Management
  Introduction to Application Deployment and Management
  Deployment Strategies
  Provisioning Infrastructure
  Deploying Applications
  Configuration Management
  Scalability Capabilities
  Monitoring Resources
  Continuous Deployment
  Deployment Services
  AWS Elastic Beanstalk
  Amazon EC2 Container Service
  AWS OpsWorks Stacks
  AWS CloudFormation
  AWS Command Line Interface (AWS CLI)
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Chapter 9 Monitoring and Metrics
  Introduction to Monitoring and Metrics
  An Overview of Monitoring
  Why Monitor?
  Amazon CloudWatch
  AWS CloudTrail
  AWS Config
  AWS Trusted Advisor
  AWS Service Health Dashboard
  AWS Personal Health Dashboard
  Amazon CloudWatch
  Metrics
  Custom Metrics
  Amazon CloudWatch Metrics Retention
  Namespaces
  Dimensions
  Statistics
  Units
  Periods
  Aggregation
  Dashboards
  Percentiles
  Monitoring Baselines
  Amazon EC2 Status Checks
  Authentication and Access Control
  AWS Cloud Services Integration
  Amazon CloudWatch Limits
  Amazon CloudWatch Alarms
  Alarms and Thresholds
  Missing Data Points
  Common Amazon CloudWatch Metrics
  Amazon CloudWatch Events
  Events
  Rules
  Targets
  Metrics and Dimensions
  Amazon CloudWatch Logs
  Archived Data
  Log Monitoring
  Amazon CloudWatch Logs: Agents and IAM
  Searching and Filtering Log Data
  Monitoring AWS Charges
  Detailed Billing
  Cost Explorer
  AWS Billing and Cost Management Metrics and Dimensions
  AWS CloudTrail
  What Are Trails?
  Types of Trails
  Multiple Trails per Region
  Encryption
  AWS CloudTrail Log Delivery
  Overview: Creating a Trail
  Monitoring with AWS CloudTrail
  AWS CloudTrail vs. Amazon CloudWatch
  AWS CloudTrail: Trail Naming Requirements
  Getting and Viewing AWS CloudTrail Log Files
  AWS Config
  Ways to Use AWS Config
  AWS Config Rules
  AWS Config and AWS CloudTrail
  Pricing
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Chapter 10 High Availability
  Introduction to High Availability
  Amazon Simple Queue Service
  Using Amazon Simple Queue Service to Decouple an Application
  Standard Queues
  First-In, First-Out Queues
  Dead Letter Queues
  Shared Queues
  Amazon Simple Notification Service
  Mobile Push Messaging
  Amazon SNS Fan-Out Scenario
  Highly Available Architectures
  Network Address Translation (NAT) Gateways
  Elastic Load Balancing
  Auto Scaling
  Session State Management
  Amazon Elastic Compute Cloud Auto Recovery
  Scaling Your Amazon Relational Database Service Deployment
  Multi-Region High Availability
  Amazon Simple Storage Service
  Amazon DynamoDB
  Amazon Route 53
  Highly Available Connectivity Options
  Redundant Active-Active VPN Connections
  Redundant Active-Active AWS Direct Connect Connections
  AWS Direct Connect with Backup VPN Connection
  Disaster Recovery
  Backup and Restore Method
  Pilot Light Method
  Warm-Standby Method
  Multi-Site Solution Method
  Failing Back from a Disaster
  Summary
  Resources to Review
  Exam Essentials
  Exercises
  Review Questions

Appendix Answers to the Review Questions
  Chapter 1: Introduction to Systems Operations on AWS
  Chapter 2: Working with AWS Cloud Services
  Chapter 3: Security and AWS Identity and Access Management (IAM)
  Chapter 4: Compute
  Chapter 5: Networking
  Chapter 6: Storage Systems
  Chapter 7: Databases
  Chapter 8: Application Deployment and Management
  Chapter 9: Monitoring and Metrics
  Chapter 10: High Availability

Index

Table of Exercises

Exercise 2.1 Install and Configure AWS CLI on Linux or Mac
Exercise 2.2 Install and Configure AWS CLI on Windows with MSI
Exercise 3.1 Creating AWS Identity and Access Management (IAM) Users
Exercise 3.2 Create IAM Credentials
Exercise 3.3 Create IAM Groups
Exercise 3.4 Working with IAM Policies
Exercise 3.5 Working with IAM Roles
Exercise 4.1 Create a Linux Instance via the AWS Management Console
Exercise 4.2 Create a Windows Instance via the AWS Management Console
Exercise 4.3 Create a Linux Instance via the AWS CLI
Exercise 4.4 Create a Windows Instance via the AWS CLI
Exercise 4.5 Inspect the AWS Service Health Dashboards
Exercise 4.6 Use the Elastic IP Addresses
Exercise 4.7 Work with Metadata
Exercise 4.8 Attach an AWS IAM Role to an Instance
Exercise 5.1 Create an Elastic IP (EIP)
Exercise 5.2 Create an Amazon VPC
Exercise 5.3 Tag Your Amazon VPC and Subnets
Exercise 5.4 Create an Elastic Network Interface (ENI)
Exercise 5.5 Associate the ENI
Exercise 5.6 Test Your ENI
Exercise 5.7 Delete VPC
Exercise 6.1 Create an Encrypted Amazon EBS Volume
Exercise 6.2 Monitor Amazon EBS Using Amazon CloudWatch
Exercise 6.3 Create and Attach an Amazon EFS Volume
Exercise 6.4 Create and Use an Amazon S3 Bucket
Exercise 6.5 Enable Amazon S3 Versioning
Exercise 6.6 Enable Cross-Region Replication
Exercise 6.7 Create an Amazon Glacier Vault
Exercise 6.8 Enable Lifecycle Rules
Exercise 7.1 Create a New Option Group Using the Console
Exercise 7.2 Create an Amazon DynamoDB Table from the AWS CLI

Exercise 7.3 Add Items to the Amazon DynamoDB Table MusicCollection Using the AWS CLI
Exercise 7.4 Create a MySQL Amazon RDS DB Instance
Exercise 8.1 Create an AWS Elastic Beanstalk Environment
Exercise 8.2 Manage Application Versions with AWS Elastic Beanstalk
Exercise 8.3 Perform a Blue/Green Deployment with AWS Elastic Beanstalk
Exercise 8.4 Create an Amazon ECS Cluster
Exercise 8.5 Launch an Amazon EC2 Instance Optimized for Amazon ECS
Exercise 8.6 Use Amazon ECR
Exercise 8.7 Work with Amazon ECS Task Definitions
Exercise 8.8 Work with Amazon ECS Services
Exercise 8.9 Create an AWS OpsWorks Stack
Exercise 8.10 Make a Layer in AWS OpsWorks Stacks
Exercise 8.11 Add an Amazon EC2 Instance to an AWS OpsWorks Stacks Layer
Exercise 8.12 Add an Application to AWS OpsWorks Stacks
Exercise 8.13 Create an AWS CloudFormation Stack
Exercise 8.14 Delete an AWS CloudFormation Stack
Exercise 9.1 Search for Available Metrics
Exercise 9.2 View Available Metrics for Running Amazon EC2 Instances by Namespace and Dimension Using the Amazon CloudWatch Console
Exercise 9.3 View Available Metrics by Namespace, Dimension, or Metric Using the AWS CLI
Exercise 9.4 List All Available Metrics for a Specific Resource
Exercise 9.5 List all Resources that Use a Single Metric
Exercise 9.6 Get Statistics for a Specific Resource
Exercise 9.7 Get CPU Utilization for a Single Amazon EC2 Instance from the Command Line
Exercise 9.8 Create a Billing Alert
Exercise 9.9 Create a Billing Alarm
Exercise 9.10 Create an Amazon CloudWatch Dashboard
Exercise 10.1 Create an Amazon SNS Topic
Exercise 10.2 Create a Subscription to Your Topic
Exercise 10.3 Publish to Your Topic
Exercise 10.4 Create an Amazon Simple Queue Service (Amazon SQS)
Exercise 10.5 Subscribe the Queue to Your Amazon SNS Topic
Exercise 10.6 Deploy Amazon RDS in a Multi-AZ Configuration

Foreword

I entered college in 1978, and I immediately found a second home at the computer lab on campus. This lab was home to an IBM mainframe and a roomful of noisy keypunch machines. I punched my code onto a stack of cards, and I handed the stack to a system operator. The operator loaded the cards into the reader, and my job was queued for processing. If things went well and the mainframe was not too busy, I would have my cards and my output back within four hours or so. The operator managed the work queue for the mainframe, adjusting the balance of jobs and priorities, looking for hot spots and slowdowns, and keeping the monolithic mainframe as busy and as productive as possible at all times.

As a young, curious student, I always wondered what was happening behind the scenes. As a young, impoverished student, in the days before the Internet, information was not always easy to come by. I found a rack of manuals in the lab, figured out how to order others for free, and even scavenged the trash cans for operating system “builds” to study. That thirst for knowledge, with a focus on understanding how things work at the most fundamental level, has worked really well for me over the intervening four decades.

A little over a decade ago, I wrote blog posts to announce the launches of Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Compute Cloud (Amazon EC2). Those early launches set the tone for what was to come, introducing services that emerged with a minimal feature set that would be enhanced over time in response to customer feedback. At that time, aspiring AWS developers and architects did not need to make very many choices when they set out to build an AWS-powered system. There was one instance type, a couple of Availability Zones in a single Region, and simple access via the AWS CLI and the API.

Back in my mainframe days, operations was a hands-on affair. There was little in the way of tooling or automation; the operator was expected to watch the console, check on status, and to deal with issues as they arose. Today, many routine operations are handled automatically. Fault tolerance, automatic scaling, load balancing, and other high-level facilities take on many chores that were once described in detailed run books. With this change, systems operations comes into play much earlier in the system-building process, with the goal of setting up the system for success and high availability. At the same time, the operations role now spans a wider range of tasks and technologies including networking, security, and optimization. With pay-as-you-go services now the norm, people who once focused on technology can now add business skills to their repertoire.

If you are about to read this book, I am sure that you know that AWS is far more complex than it was a decade ago. On the Amazon EC2 side alone, there are now dozens of instance types, multiple types of Amazon Elastic Block Storage (Amazon EBS) volumes, and far more moving parts. There are now close to 100 services, each of which can be a valuable addition to your toolbox. The vocabulary itself has changed, with new terms such as containers, microservices, serverless computing, infrastructure as code, and so forth now commonplace.

You now face many choices when you set out to design and implement a new system. This book is designed to provide you with detailed information on many aspects of AWS, coupled with the practical knowledge needed to put your new knowledge to use and to earn your AWS certification. Within its chapters, you will find service overviews, sample scenarios, test-taking tips, and exercises. After setting up your AWS tools, you will learn about security, compute services, storage services, networking, databases, and more. Towards the end of the book, you will wrap up by learning about monitoring, metrics, and high availability. As you will soon see, the authors have packed it with the insights that they have gained while putting AWS to use in a wide variety of customer environments. There are no better teachers than those who have actually put their theory into practice.

You can choose to study the chapters individually, or you can digest the entire book as-written. Either way, I know that you will be well-prepared to build great systems and to pass your certification exams. I strongly encourage you to get hands-on experience with each service by working through the scenarios and the exercises.

I believe in the principle of life-long learning, especially when it comes to technology. The half-life of knowledge is shorter than ever before, and keeping up is far better than catching up. So dive deep and keep on learning!

— Jeff Barr, Chief Evangelist, AWS

Introduction

Preparing to take and pass any certification is a studious process. The AWS Certified SysOps Administrator Official Study Guide - Associate Exam was written to align with the exam blueprint to enable you to study for the exam, perform exercises, and answer review questions to enable you to become a skilled systems operator on the AWS cloud and to take and pass the AWS Certified SysOps Administrator – Associate exam with confidence.

This study guide presents the set of topics needed to round out a systems operator/systems administrator’s hands-on experiences with AWS by covering the relevant AWS cloud services and concepts within the scope of the AWS Certified SysOps Administrator – Associate exam. This study guide begins with an introduction to Systems Operations on AWS, which is then followed by chapters on specific domains covered in the exam. In addition to the material covered on the exam, the chapters go deep into the actual technology. The authors go deep on topics that will serve you in preparing for the exam and the book should make a good desktop reference on AWS systems operations.

Each chapter includes specific information on the service or topic covered, followed by an Exam Essentials section that contains key information needed in your exam preparation. The Exam Essentials section is followed by a Test Taking Tip to help you prepare for what you will experience on the exam or at the testing center.

Next, each chapter includes an Exercise section with activities designed to help reinforce the topic of the chapter with hands-on learning. Each chapter then contains sample Review Questions to get you accustomed to answering questions about how to use and administer AWS cloud services.

Following this up-front section, the book contains a self-assessment exam with 25 questions. Two practice exams with 50 questions each are also available to help you gauge your readiness to take the exam, and flashcards are provided to help you learn and retain key facts needed to prepare for the exam.

If you are looking for a targeted book, created by technical trainers and solutions architects who wrote, reviewed, and developed the AWS Certified SysOps Administrator – Associate exam, then this is the book for you.

What Does this Book Cover?

This book covers topics that you need to know to prepare for the Amazon Web Services (AWS) Certified SysOps Administrator – Associate exam:

Chapter 1: Introduction to Systems Operations on AWS This chapter provides an introduction to System Operations on AWS. It provides an overview of the AWS cloud services covered on the AWS Certified SysOps Administrator – Associate exam.

Chapter 2: Working with AWS Cloud Services This chapter shows you how to configure your workstation to work with AWS cloud services. You will install the AWS Command Line Interface (AWS CLI). Topics include AWS CLI, jmespath (a query language for JSON, http://jmespath.org), and the Boto software development kit (SDK).

Chapter 3: Security and AWS Identity and Access Management (IAM) In this chapter, you will learn about the Shared Responsibility Model and the different layers of security. You will learn how to secure your systems with services such as AWS Key Management Service (AWS KMS), AWS Hard Security Module (AWS HSM), Security Groups, and Network Access Control Lists (nACLs). Furthermore, the chapter covers AWS Identity and Access Management (IAM) and Security Best Practices.

Chapter 4: Compute This chapter describes how to use the compute stack on AWS. The topics covered are Amazon Elastic Cloud Compute (Amazon EC2), AWS Lambda, AWS Beanstalk, Amazon Elastic Container Service (Amazon ECS), Amazon Lightsail, and AWS Batch. You will provision an Amazon EC2 instance, assign an Amazon EC2 Role, and work with instance metadata.

Chapter 5: Networking In this chapter, you will learn how to deploy Amazon Virtual Private Cloud (Amazon VPC) and the various methods to connect to your Amazon VPC. Additionally, you will learn how to use the Elastic Load Balancing service, Amazon Route 53, and Amazon CloudFront.

Chapter 6: Storage Systems This chapter covers deploying and using the various storage options on AWS. The services covered include: Amazon Simple Storage Service (Amazon S3), Amazon Elastic File Service (Amazon EFS), Amazon Elastic Block Service (Amazon EBS), the Amazon EC2 instance store Volumes, Amazon Glacier, AWS Snowball, and AWS Snowmobile.

Chapter 7: Databases This chapter covers the use of AWS managed database services: Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon Redshift, and Amazon ElastiCache. You will learn how these managed services simplify the setup and operation of relational databases, NoSQL databases, data warehouses, and in-memory caches.

Chapter 8: Application Deployment and Management This chapter focuses on the various methods of deployment of applications and infrastructure; for example, blue/green and rolling deployments. You will learn about AWS OpsWorks, AWS Elastic Beanstalk, Amazon EC2 Container Service, and AWS CloudFormation.

Chapter 9: Monitoring and Metrics In this chapter, you will learn about how to monitor your environment with Amazon CloudWatch, AWS CloudTrail, AWS Config, AWS Trusted Advisor, and AWS Service Health Dashboard.

Chapter 10: High Availability This chapter covers high availability on AWS. You will be introduced to decoupling strategies using Amazon Simple Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS). The chapter covers deploying your application to multiple Availability Zones and Multiple AWS Regions. Other high availability topics include Auto Scaling, failover with Amazon Route 53, and redundant VPN and AWS Direct Connect connections.

Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide you with some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified SysOps Administrator Official Study Guide: Associate Exam provides a test bank with study tools to help you prepare for the certification exam. This will help you increase your chances of passing it the first time! The test bank includes the following:

Sample Tests All the questions in the book are provided in the form of review questions that are located at the end of each chapter. There is a 25-question assessment at the end of this introductory section. In addition, there are two practice exams with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test banks include 100 flashcards specifically written to quiz your knowledge of operations on AWS. After completing all of the exercises, review questions, practice exams, and flashcards, you should be more than ready to take the exam. The flashcard questions are provided in a digital flashcard format (a question followed by a single correct answer with URL links for additional information). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary A glossary of key terms from this book is available as a fully searchable PDF.

Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Exam Objectives

The AWS Certified SysOps Administrator – Associate exam validates technical expertise in deployment, management, and operations on the AWS platform. Exam concepts that you should understand for this exam include the following:

■ Deploying, managing, and operating scalable, highly available, and fault tolerant systems on AWS

■ Migrating an existing on-premises application to AWS

■ Implementing and controlling the flow of data to and from AWS

■ Selecting the appropriate AWS service based on compute, data, or security requirements

■ Identifying appropriate use of AWS operational best practices

■ Estimating AWS usage costs and identifying operational cost control mechanisms

In general, certification candidates should have the following:

■ One or more years of hands-on experience operating AWS-based applications

■ Experience provisioning, operating, and maintaining systems running on AWS

■ Ability to identify and gather requirements to define a solution to be built and operated on AWS

■ Capabilities to provide AWS operations and deployment guidance and best practices throughout the lifecycle of a project

The exam covers seven different domains, with each domain broken down into objectives and subobjectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain’s objectives and subobjectives are covered.

Domain | Percentage of Exam | Chapter
Domain 1.0 Monitoring and Metrics | 15% |
1.1 Demonstrate ability to monitor availability and performance | | 3, 5, 7, 9, 10
1.2 Demonstrate ability to monitor and manage billing and cost optimization processes | | 7, 9
Domain 2.0: High Availability | 15% |
2.1 Implement scalability and elasticity based on scenario | | 4, 7, 8, 10
2.2 Ensure level of fault tolerance based on business needs | | 4, 5, 7, 8, 10
Domain 3.0: Analysis | 15% |
3.1 Optimize the environment to ensure maximum performance | | 5, 9
3.2 Identify performance bottlenecks and implement remedies | | 9
3.3 Identify potential issues on a given application deployment | | 9
Domain 4.0: Deployment and Provisioning | 15% |
4.1 Demonstrate the ability to build the environment to conform with the architected design | | 1, 4, 6, 7, 8
4.2 Demonstrate the ability to provision cloud resources and manage implementation automation | | 1, 2, 4, 6, 7, 8
Domain 5.0: Data Management | 12% |
5.1 Demonstrate ability to create backups for different services | | 6, 7
5.2 Demonstrate ability to enforce compliance requirements | | 6
5.3 Manage backup and disaster recovery processes | | 7, 10
Domain 6.0: Security | 15% |
6.1 Implement and manage security policies | | 3, 5, 7
6.2 Ensure data integrity and access controls when using the AWS platform | | 1, 3, 6, 7, 9
6.3 Demonstrate understanding of the shared responsibility model | | 3, 4, 7
6.4 Demonstrate ability to prepare for security assessment use of AWS | | 3, 9
Domain 7.0: Networking | 13% |
7.1 Demonstrate ability to implement networking features of AWS | | 1, 5, 10
7.2 Demonstrate ability to implement connectivity features of AWS | | 5, 7, 10

Assessment Test

1. You notice in the AWS Management Console that your Amazon Elastic Compute Cloud (Amazon EC2) Instance State is Failed. What would cause this?

A. Loss of network connectivity

B. Loss of System Power

C. Incompatible kernel

D. Software issues on the physical host

2. What is the difference between a Public Subnet and a Private Subnet in a VPC?

A. The Route Table in the Private Subnet has a route to the Network Address Translation (NAT), while the Route Table in a Public Subnet does not.

B. The Route Table in the Public Subnet has a route to the Internet Gateway (IGW), while the Route Table in a Private Subnet does not.

C. The Public Subnet has NAT server, while a Private Subnet does not.

D. Only Elastic Load Balancers are allowed in the Public Subnet.

3. You have deployed eight Amazon Elastic Compute Cloud (Amazon EC2) instances in the us-west-1a Availability Zone and two Amazon EC2 instances in us-west-1b Availability Zone. You noticed that the two Amazon EC2 instances in us-west-1b received the same amount of traffic that is load balanced between the other eight Amazon EC2 instances located in the us-west-1a Availability Zone. How can you fix this from the load balancer?

A. Enable cross-load balancing on your load balancer.

B. Create an Auto Scaling group, and configure it to balance out the instances between the Availability Zones.

C. Create three instances in us-west-1b, and terminate three instances in us-west-1a.

D. Migrate to an Application load balancer.

4. You have launched an Amazon Relational Database Service (Amazon RDS) database instance running MySQL. When you created the Amazon RDS instance, you did not specify a maintenance window, and now you need to update the instance size from micro to large. If you request to have the update happen inside the maintenance window, what will occur?

A. Nothing. The command will be ignored until you create and apply a maintenance window.

B. Nothing. It is not possible to change the DB size using Amazon RDS.

C. AWS will select and use a default maintenance window if one is not provided.

D. AWS will prompt you to provide a maintenance window when you make the request.

5. Which of the following is the customer’s responsibility in the Shared Responsibility Model?

A. Restricting access to Amazon Elastic Compute Cloud (Amazon EC2) using Security Groups

B. Restricting physical access to AWS datacenters

C. Destroying physical media used in AWS datacenters

D. Managing updates to the Hypervisors on which instances run

6. You are tasked with storing 200 GB of archival images that are requested infrequently, averaging one or two requests per image each day. Which is the most cost effective storage option for the images?

A. Amazon Elastic Block Store (Amazon EBS) io1

B. Amazon EBS gp2

C. Amazon Simple Storage Service (Amazon S3)

D. Amazon Elastic File System (Amazon EFS)

7. You need storage for your production MySQL database. The database is 19 TB in size, and you will need to have approximately 10,000 IOPS—mostly writes. Without considering price, which storage option satisfies the requirements?

A. Provisioned Amazon Elastic File System (Amazon EFS) 20 TB volume with 10,000 IOPS

B. Two provisioned Amazon EFS 10 TB volumes with 5,000 IOPS per volume and RAID0 striping

C. Provisioned Amazon Elastic Block Store (Amazon EBS) (io1) 20 TB volume with 10,000 IOPS

D. Two Provisioned Amazon EBS (io1) 10 TB volumes with 5,000 IOPS per volume and RAID0 striping

8. What is the purpose of Amazon Elastic Compute Cloud (Amazon EC2) user data?

A. To install software on the Amazon EC2 instance at boot

B. To list any public keys associated with the instance

C. To show a Public IP address to an Amazon EC2 instance

D. To show the localhost name for the instance

9. You have created an Amazon Virtual Private Cloud (Amazon VPC) with the CIDR of 10.0.0.0/16. You now need to divide that VPC into a Public Subnet and a Private Subnet. Which one below is a valid combination?

A. Public 10.1.0.0/24

Private 10.2.0.0/24

B. Public 10.0.0.1/24

Private 10.0.0.2/24

C. Public 10.0.1.0/24

Private 10.0.2.0/24

D. Public 10.0.1.0/16

Private 10.0.2.0/16

10. You have created an Auto Scaling group with a minimum of two Amazon Elastic Compute Cloud (Amazon EC2) instances, a maximum of six instances, and a desired capacity of four instances. Your instances take 20 minutes to launch, and they take three minutes to start once built. How can you configure autoscaling to start and stop instances versus launching new instances from Amazon Machine Instances (AMIs)?

A. Create a new Auto Scaling launch configuration, and configure the Auto Scaling group to start the instances.

B. Edit the Auto Scaling group’s launch configuration to start instances.

C. This is not possible, as Auto Scaling cannot stop and start instances.

D. Configure the Auto Scaling group to use the Amazon EC2 recovery service.

11. You have a Multi-AZ Amazon Relational Database Service (Amazon RDS) database running MySQL. During a planned outage, how does AWS ensure that, when switching from the primary DB to the standby, it will not affect your application servers?

A. Amazon RDS uses Elastic IP addresses that are detached from the primary database and then attached to the standby instance. This promotes the standby to be the primary.

B. Amazon RDS uses the Elastic Queue Service to process requests from application servers and send them to database engines. Since this is done at the Hypervisor, no user intervention is required.

C. Amazon RDS runs both database instances independently, and each has their own connection string. You will have to update the code on your application servers because AWS has no visibility above the Hypervisor.

D. Amazon RDS uses Amazon Route 53 to create connection strings and will automatically update the IP address to point at the standby instance.

12. When attaching an Amazon Elastic Block Store (Amazon EBS) volume to an Amazon Elastic Compute Cloud (Amazon EC2) instance, what conditions must be true?

A. The Amazon EBS volume must be in the same Availability Zone (AZ) as the instance.

B. The Amazon EBS volume must be in the same account as the instance.

C. The Amazon EBS volume must be assigned to an AMI ID.

D. The Amazon EBS volume must have the same security group as the instance.

13. You’ve been asked to migrate a busy Amazon Relational Database Service (Amazon RDS) for MySQL database to Amazon Aurora. You need to do so with little downtime and with no lost data. What is the best way to meet the above requirements?

A. Take a snapshot of the MySQL Amazon RDS instance. Use that snapshot to create an Amazon Aurora Read Replica of the Amazon RDS for MySQL database. Once replication catches up, make the Aurora Read Replica into a standalone Amazon Aurora DB cluster, and point the application to the new Amazon Aurora DB cluster.

B. Create an Amazon Simple Storage Service (Amazon S3) bucket, and upload the Amazon RDS database as a flat file dump into the bucket. Restore from the dump to a new Amazon Aurora database.