AWS Solution Architect Professional Certification Prep.
This article provides high-level information on how to prepare for AWS SAP-C02. In it, I have incorporated the daily routine which I am following to crack this certification.
12-Aug-24
Prerequisite: A general understanding of AWS services is required. It is also beneficial to have the AWS Solutions Architect Associate Certification.
The exam has the following content domains and weightings:
• Domain 1: Design Solutions for Organizational Complexity (26% of scored content)
• Domain 2: Design for New Solutions (29% of scored content)
• Domain 3: Continuous Improvement for Existing Solutions (25% of scored content)
• Domain 4: Accelerate Workload Migration and Modernization (20% of scored content)
Service Understanding -
IAM service
Users - Long-term credentials (console password and/or access keys). If AWS CLI or API access is needed, create an access key for the user; this yields an access key ID and a secret access key.
Groups - Collection of users like HR, Development Team, Testing Team, etc.
Roles - Identities with no long-term credentials. Assuming a role returns short-term (STS) credentials, and the policies attached to the role define what it can do. Types:
EC2 Instance Roles - Assigned to an EC2 server and responsible for accessing other services from EC2. One role at a time per instance.
Service Roles - Attached to any service, a way of granting permissions to any service and defining what it can do.
Cross Account Roles - To access services in an account you don't own, don't share user credentials; instead, the owning account creates a role whose trust policy names your account, and you assume that role.
Policies - JSON documents made of statements that define which actions are allowed or denied on which resources. Types:
AWS managed policy - Defined and managed by AWS.
Customer managed policy - Created by an individual and modified according to their needs.
Inline policy - Policy embedded directly in a single user, group, or role; it cannot be reused elsewhere. For example, an inline policy created on User A cannot be attached to Users B, C, and D.
Resource-based policy - Tied with AWS resources to allow or disallow any access or action. For example, S3 policy, SQS/SNS policy, etc.
Note -
In the exam, you may get JSON IAM policy statements and need to work out which actions will be allowed or denied if that policy is applied. For reference, see the link below:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
Explicit Deny has precedence over Allow
Use least privilege for maximum security
IAM access advisor - To see permissions granted and the last accessed time
IAM access analyzer - To analyze resources shared with external entities, You can define a "Zone of trust," after which AWS provides findings for resources outside this "Zone of trust." It performs policy validation and policy generation based on access activity (checked from CloudTrail logs - up to 90 days of logs).
IAM PowerUserAccess - Provides full access to AWS services and resources but does not allow management of IAM users and groups. The JSON of this AWS managed policy is below (the "*" wildcards, which had been lost in the original text, are restored):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "iam:*",
                "organizations:*",
                "account:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:DeleteServiceLinkedRole",
                "iam:ListRoles",
                "organizations:DescribeOrganization",
                "account:ListRegions",
                "account:GetAccountInformation"
            ],
            "Resource": "*"
        }
    ]
}
IAM permission boundaries - Supported for users and roles (not groups). A boundary sets the maximum permissions an identity-based policy can grant to the entity; it never grants anything itself. Effective permissions are the intersection of the boundary and the identity policies, further intersected with any Organizations SCP.
10 Minutes Meditation - Isha Kriya by Sadhguru
Hear from Champions - I heard Kobe Bryant's motivational interview; you can choose based on your preferences
13-Aug-24
STS comes into the picture when you assume a role (User <-> STS <-> Role). The role's trust policy defines which principals may assume it, and the session can be valid for 15 minutes to 12 hours (up to the role's configured maximum session duration; role chaining is capped at 1 hour). While you assume the role, you give up your original permissions and get only the permissions assigned to the role. You can require MFA in the trust policy, and the user must be explicitly granted sts:AssumeRole on the role. STS APIs:
AssumeRole - Within an account or cross-account. Understand the confused deputy problem (mitigated with the sts:ExternalId condition in the trust policy) and session tags in STS.
AssumeRoleWithSAML
AssumeRoleWithWebIdentity - calling it directly is not recommended by AWS for mobile apps; use Amazon Cognito instead
GetSessionToken
GetFederationToken
Identity Federation - Give outside users access to AWS resources without managing them as IAM users. Flavors:
SAML 2.0
Custom Identity Broker
Web Identity Federation with(out) Amazon Cognito
Single Sign-On
10 Minutes Meditation - Isha Kriya by Sadhguru
14-Aug-24
SAML understanding
Web Identity Federation with(out) AWS Cognito understanding
AWS Directory Service: Integrations - with AWS services, and with on-premises AD through a trust relationship (one-way or two-way); a trust is different from synchronization/replication. Types:
AWS managed AD - Standard, Enterprise
AD Connector - a directory gateway that forwards sign-in requests to your on-premises AD domain controllers for authentication, without caching directory data in AWS.
Simple AD - supports the common features such as user accounts, group membership, joining Linux/Windows EC2 instances to the domain, Kerberos-based SSO, and group policies. AWS provides monitoring, daily snapshots, and recovery as part of this service.
AWS Organizations - When the management account creates a member account, Organizations creates the OrganizationAccountAccessRole in it, an administrator role that the management account can assume.
Features mode - Consolidated billing, All features (billing + SCP)
Note - once all features are enabled, you can't switch back to consolidated billing only
Reserved instance sharing
Moving an account from one O.U. to another O.U. within the same organization is a simple move (console or MoveAccount API). Moving an account to a different organization is what needs the longer procedure: first remove it from the existing organization, then send an invite from the new organization, then accept the invite from the member account.
S.C.P. - applied at the root, O.U. and account level; doesn't affect the management account; applies to all IAM users and roles in a member account, including the root user; doesn't affect service-linked roles. SCPs never grant permissions: an action must be allowed by the SCPs at every level from the root down to the account (the default FullAWSAccess SCP attached to the root and to each new O.U. is what makes everything allowed initially).
- Allow list and Deny list strategies
10-Minute Meditation - Isha Kriya by Sadhguru
15-Aug-24
Policies - IAM policy, SCP at O.U. or account level, Tag policy at O.U. level, AI services opt-out policy at O.U. level, backup policy at O.U.
AWS IAM Identity Center (previously known as SSO) - Permission sets -> multi-account permissions, Application assignments/integrations, Attribute-based access control (ABAC), AD sync
AWS Control Tower - Automated, best-practice setup and governance of a multi-account environment (landing zone)
Account Factory - automates account provisioning from a pre-approved baseline, built on AWS Service Catalog, can integrate with AD
Guardrails (now called controls) - detect and remediate policy violations, 2 types - Preventive (AWS SCP), Detective (AWS Config), Levels - Mandatory, Strongly recommended, Elective
AWS Resource Access Manager (RAM) - Share resources across accounts to avoid resource duplication. See the link below for the list of shareable resources:
https://docs.aws.amazon.com/ram/latest/userguide/shareable.html
10 Minutes Meditation - Isha Kriya by Sadhguru
16-Aug-24
Multi Account Strategy-
Identity account architecture
Logging account architecture
Publishing account structure
Billing structure
IAM policy evaluation logic-
Every request starts as an implicit deny; an Allow in an identity-based policy or a resource-based policy overrides it.
If both an Allow and an explicit Deny apply to the request, the explicit Deny is the final decision.
IAM service role and iam:PassRole - a principal needs iam:PassRole on a role before it can hand that role to a service (for example, attaching an instance role to EC2)
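The evaluation order described in these notes (explicit Deny first, then SCP, then permissions boundary, then the identity policy) is easiest to internalise by running it. The Python below is an added example written for this article; it is not AWS code and not an exact reimplementation of IAM. It applies the PowerUserAccess document from the 12-Aug entry, a hypothetical permissions boundary, a hypothetical deny-list SCP, and a hypothetical cross-account trust policy carrying the sts:ExternalId condition that mitigates the confused deputy problem mentioned under STS. The names PERMISSIONS_BOUNDARY, SCP_GUARDRAIL, VENDOR_TRUST_POLICY, the account ID and the external ID are assumptions; only StringEquals conditions are modelled, and resource-based and session policies are left out.

```python
import re

# Sample documents constructed for this example. POWER_USER_ACCESS reproduces the
# AWS managed PowerUserAccess policy quoted above (wildcards restored); the rest,
# including the account ID and external ID, are hypothetical.
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization",
                    "account:ListRegions", "account:GetAccountInformation"],
         "Resource": "*"},
    ],
}
# Hypothetical boundary: caps the identity to S3 plus read-only EC2 calls.
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}
# Hypothetical SCP for one level of the org tree: default FullAWSAccess plus a deny list.
SCP_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}
# Hypothetical trust policy for a role handed to a vendor account; the external ID
# is the standard confused-deputy mitigation.
VENDOR_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-1234"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _conditions_hold(condition, context):
    """Only StringEquals is modelled; a missing context key fails the condition."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def _statement_matches(statement, action, resource, context):
    """Does the statement apply to this request? Principal is not checked here:
    the caller is assumed to be the principal the policy is attached to or names."""
    if "Action" in statement:
        if not any(_match(p, action, True) for p in _as_list(statement["Action"])):
            return False
    elif "NotAction" in statement:
        if any(_match(p, action, True) for p in _as_list(statement["NotAction"])):
            return False
    if "Resource" in statement:
        if not any(_match(p, resource) for p in _as_list(statement["Resource"])):
            return False
    elif "NotResource" in statement:
        if any(_match(p, resource) for p in _as_list(statement["NotResource"])):
            return False
    return _conditions_hold(statement.get("Condition", {}), context)


def evaluate_policy(policy, action, resource, context=None):
    """Return 'Deny', 'Allow', or None (no statement matched) for one document."""
    context = context or {}
    effects = {s["Effect"] for s in _as_list(policy["Statement"])
               if _statement_matches(s, action, resource, context)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)


def decide(action, resource, identity_policies, scps=(), boundary=None, context=None):
    """Same-account decision in the documented order. Simplified: resource-based and
    session policies are not modelled, and `scps` holds one effective document per
    level of the org tree (root, each OU, account), every one of which must allow."""
    identity = [evaluate_policy(p, action, resource, context) for p in identity_policies]
    scp = [evaluate_policy(p, action, resource, context) for p in scps]
    bound = evaluate_policy(boundary, action, resource, context) if boundary else None
    if "Deny" in identity + scp + [bound]:            # 1. explicit Deny always wins
        return "Deny", "explicit deny"
    if scps and not all(r == "Allow" for r in scp):  # 2. SCPs bound, never grant
        return "Deny", "implicit deny: SCP"
    if boundary and bound != "Allow":                # 3. boundary caps the identity
        return "Deny", "implicit deny: permissions boundary"
    if "Allow" in identity:                          # 4. something must grant it
        return "Allow", "allowed by identity policy"
    return "Deny", "implicit deny: no matching Allow"


if __name__ == "__main__":
    print(decide("iam:CreateUser", "*", [POWER_USER_ACCESS]))
    print(decide("ec2:RunInstances", "*", [POWER_USER_ACCESS], boundary=PERMISSIONS_BOUNDARY))
    print(decide("cloudtrail:StopLogging", "*", [POWER_USER_ACCESS], scps=[SCP_GUARDRAIL]))
    print(evaluate_policy(VENDOR_TRUST_POLICY, "sts:AssumeRole", "*", {"sts:ExternalId": "wrong"}))
```

Two things worth noticing when you run it: iam:CreateUser is refused by PowerUserAccess through an implicit deny (no statement matches, because of the NotAction), which an additional Allow could override, whereas cloudtrail:StopLogging is refused by an explicit Deny in the SCP, which nothing in the member account can override. Likewise the vendor role is simply not assumable when the external ID is wrong or missing, which is the whole point of the condition.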
Listened songs
17-Aug-24
- Federation - SAML, how SSO works, IdP (Identity Provider), SP (Service Provider), SAML assertion
Good to know points:
Difference between IAM roles and resource-based policies?
Policy simulator to validate your IAM policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
Policy Generator: https://awspolicygen.s3.amazonaws.com/policygen.html
How to set up AD replication?
Written by Vishwajeet Sikhwal