How I passed the AWS Certified Solutions Architect - Professional exam
Yesterday I successfully passed the exam to become an AWS Certified Solutions Architect - Professional at the first attempt. It was a very tough test and I invested a lot of time in preparation. In the exam, I noticed that the focus was a little different than I initially thought - and was briefly shocked. To save you this shock, I would like to briefly describe how I prepared for the exam and give further tips on how to prepare.
Warning: The exam consists of 75 random questions. It is also possible that the focus of your exam is different from what it was for me.
How did I prepare?
1. Acloud.guru online course
I completed the acloud.guru AWS Certified Solutions Architect - Professional course. This course helped me to get an overview of the topics covered. If the site’s licensing model puts you off, you can also use Udemy, where the courses are available as well.
The course deals with the general topics and gives tips on which whitepapers to read as preparation. I haven’t read all of the whitepapers. More on that later.
In addition, there are also so-called challenges, in which fictitious questions are asked and the answers discussed. I played through these challenges over and over until I reached 100% everywhere.
2. Hands-on preparation
As a hands-on preparation for the exam, I created this blog here. So I was able to practice the interaction of CloudFront, API Gateway, Lambda, StepFunctions and DynamoDB - and it was fun too. More information can be found in the website setup article:
3. Reading Whitepapers & FAQs
During preparation I read the following whitepapers and FAQs to get a better understanding of areas I was uncertain about:
- Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
- Amazon Virtual Private Cloud Connectivity Options
- Migrating Applications Running Relational Databases to AWS
- AWS SQS FAQ - especially the retention times
Of course, there are many more interesting whitepapers out there. You have to decide which ones may help you and which don't.
4. Online sample questions and quizzes
As a final preparation, I worked on the quiz questions in the following YouTube videos and tried to understand the answers:
Additionally, I took the free sample quiz here: https://skillcertpro.com/product/aws-solutions-architect-professional-exam-questions-2020/
AWS also provides sample questions along with answers for preparation. This is also a good opportunity to get a feeling for what the questions look like. You can find the current sample questions here. Furthermore, I studied using the “old” sample questions. Unfortunately, they don't come with answers. Fortunately, the answers are included in the Japanese version after each section, in Latin letters.
https://www.examtopics.com/exams/amazon/aws-certified-solutions-architect-professional/view/
It took me approximately 2 months to prepare for the exam. It's hard to be exact here, as I did not count the hours I put into this - a big part of it went into implementing this blog, so not every hour was valuable for preparation.
5. Important things to remember
During preparation, I created a list of services and added lots of things I wanted to remember for the exam. As time passed, I realized that I had way too many things to remember, so I removed entries radically and only kept things I found hard to remember (for whatever reason). So maybe the table helps you, maybe not.
| Service | Note |
|---|---|
| API Gateway | Public, private or edge |
| Application Discovery Service | Useful for migration |
| AppStream | Streams applications to the local PC |
| Athena | Queries S3 data; does not support XML |
| AWS Config | Config rules check automatically for compliance |
| Batch | Uses prioritized job queues for the workload |
| CloudFormation | Stack policies deny deletion of everything by default, so an explicit allow is required; stack policies cannot be removed, only edited; stack policies can only be updated via the CLI |
| CloudFront | Possible origins: S3, ELB, HTTP server (also on-prem); behaviors allow different origins depending on the URL path |
| CloudTrail | By default, CloudTrail logs all regions and stores the logs in a single S3 location; it can however be configured to log only specific regions |
| Cognito | User pool: stores users; identity pool: gives stored users permissions |
| Database Migration Service | Does not support Informix |
| DocumentDB | MongoDB in the cloud |
| DynamoDB | Global Secondary Index (GSI): separate table with a different partition key (hash key); Local Secondary Index (LSI): additional index to query attributes that are not part of the sort key; eventually consistent by default; partition formula: max. 10 GB per partition, rcu/3000 + wcu/1000 |
| EC2 | Step-scaling policies have no cooldown period; reserved instances: regional (no capacity reservation, all instances of the instance family can be used), zonal (capacity reservation, only this particular instance type can be used), convertible (can be modified and exchanged for comparable RIs); it is not possible to move RIs between regions; scaling: manual, scheduled, metric-based |
| ECS | ECS storage is handled by EBS |
| EFS | No native way to create snapshots; can also be used by Lambda functions; can be used along with a Direct Connect or VPN connection; recommendation: one mount target per AZ; mount target: IP endpoint for EFS; mount targets are HA |
| Elastic Load Balancer | Only the Network Load Balancer supports static IPs with Elastic IPs; Application Load Balancers can get static IPs via Global Accelerator |
| Elastic Beanstalk | Platforms: Go, Java, Node.js, PHP, Python, Ruby; deployment options: all at once, rolling, rolling with additional batch, blue/green, immutable; it is not possible to edit the deployment configuration, you have to recreate it |
| Elastic Block Store | Replicated automatically within a single AZ; availability target: 99.999%; annual failure rate ~0.2%; supports RAID configurations: RAID 0 (no drive can fail), RAID 1 (mirroring), RAID 5 (parity bit; 1 drive can fail), RAID 6 (2 drives can fail) |
| ElastiCache | Redis: sophisticated (web session store, leaderboard); Memcached: easy (DB caching) |
| EMR | Consists of multiple products to process huge amounts of data; cluster: collection of EC2 instances that run steps; step: programmatic task to process data; master nodes manage the cluster; core nodes carry HDFS storage; task nodes are optional |
| EventBridge | Builds a bridge (event bus) between 3rd-party events and AWS services |
| General | IOPS: measure of how fast a device can be read and written; throughput: measure of how much data can be moved at a time; VPC interface endpoint sits inside a subnet, so one per AZ; VPC gateway endpoint sits inside the VPC and is HA by default; use SQS instead of Kinesis for very large objects; OAuth -> OpenID -> SAML; MySQL MyISAM does not support replication; RAID 5 and RAID 6 are not recommended (parity bits eat up I/O) |
| HSM | Generates encryption keys; non-shared hardware tenancy; supports asymmetric keys |
| Kinesis | HA by default; retention: default 24h, up to 7 days; shards: each shard takes 1 MB/sec input, delivers 2 MB/sec output and provides up to 1000 puts/sec; KCL: Kinesis Client Library; KPL: Kinesis Producer Library; record: unit of data stored in a Kinesis stream, max. 1 MB per record |
| KMS | Stores and manages cryptographic keys; shared-hardware tenancy |
| MQ | Not supported as a VPC endpoint service |
| OpsWorks | Global service; can only manage resources in the region where you create the stack |
| Redshift | No Multi-AZ |
| Route 53 | CNAME: alias for a domain; A record: IP address; Alias: alias for a domain with support for the zone apex |
| S3 | Max. 5 TB object size; max. 5 GB in a single PUT; multipart upload recommended when >100 MB; read-after-write consistency; HEAD or GET on a non-existing object results in eventual consistency; overwrite PUTs and DELETEs are eventually consistent; encryption at rest: SSE-S3 (uses the S3 encryption key), SSE-C (customer-managed key), SSE-KMS (encryption key generated by KMS), client-side encryption |
| Schema Conversion Tool (SCT) | Supported sources: MySQL, PostgreSQL, SQL Server, Oracle |
| Service Catalog | Framework allowing admins to create pre-defined products; granular control over which users have access to which offerings; based on CloudFormation templates; uses constraints to control how products can be consumed: launch constraint (IAM role used while launching a product), notification constraint (SNS topic to receive events), template constraint (allowed values in templates) |
| SQS | Retention: default 4 days, min. 60 seconds, max. 14 days |
| Storage Gateway | File Gateway: NFS; Volume Gateway stored mode: async backups; Volume Gateway cached mode: cached locally and written to S3; Tape Gateway: for existing tape processes |
| SWF | Consists of decider and activity workers; best suited for human-enabled workflows |
| Systems Manager | Can also manage on-prem resources; baselines define which patches are approved for installation on instances; services: OpsCenter, Explorer (health/performance of the AWS environment), Resource Groups (logical group of resources), AppConfig, Inventory, Patch Manager (patch management for EC2 fleets), Parameter Store |
| VPC | VPC endpoints: interface endpoints and gateway endpoints; access to VPC endpoints is controlled via IAM policies; VPC cross-account peering is possible if in the same region; VPC inter-region peering is possible; customer gateway: customer-facing appliance to establish a VPN connection; virtual private gateway: AWS-facing appliance to establish a VPN connection; no broadcast support; route table: most specific route first; 5 IP addresses are always reserved; the IP address of the DNS in a VPC is always the base of the subnet range + 2; Server Name Indication (SNI) enables virtual hosting; no “enhanced peering mode” |
| WorkDocs | Similar to Dropbox |
| WorkSpaces | Desktop in the cloud |
| X-Ray | Debugging microservices |
| Direct Connect | Not inherently redundant; only BGP and static routes are supported; traffic coming from on-prem via a Direct Connect connection is restricted from internet access |
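The CloudFormation row above is the one most people get wrong under time pressure: as soon as a stack policy exists, every update is denied unless a statement explicitly allows it, and an explicit Deny still wins over an Allow. The following is an added example, not code from the original post or from AWS: a small Python model of that evaluation order. The stack policy and the logical resource names are constructed, and Condition blocks (which real stack policies support) are deliberately not modelled.

```python
"""Minimal model of CloudFormation stack policy evaluation (added example).

Rules modelled: default deny once a policy exists, explicit Allow required,
explicit Deny overrides Allow. Condition blocks are not modelled."""
import fnmatch

# Constructed stack policy: allow all updates, but never replace or delete the
# production database. This is the typical "protect the stateful resource" policy.
STACK_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": "LogicalResourceId/ProductionDatabase",
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, logical_id):
    """Does this statement cover `action` on the resource with `logical_id`?

    Action and Resource support the '*' wildcard, as stack policies do."""
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    resource = f"LogicalResourceId/{logical_id}"
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def update_allowed(policy, action, logical_id):
    """Return True if the stack policy permits `action` on `logical_id`.

    Nothing is allowed by default; a matching Allow is required and a matching
    Deny ends evaluation immediately with a refusal."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _matches(stmt, action, logical_id):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("Update:Modify", "WebServerGroup"),
        ("Update:Modify", "ProductionDatabase"),
        ("Update:Delete", "ProductionDatabase"),
    ]
    for action, logical_id in checks:
        verdict = "allow" if update_allowed(STACK_POLICY, action, logical_id) else "deny"
        print(f"{action} on {logical_id}: {verdict}")
```

Run it with an empty `Statement` list to see the "protected by default" behaviour: with a policy present but no Allow, even `Update:Modify` on an unrelated resource is denied.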
Tips for the exam
Take your time for preparation
The AWS SA Pro is one of the toughest certification exams you can sit for. Therefore, take your time and make sure you have a very good understanding of the most important services AWS provides. I also realized (after the exam) that some of the questions I had originated from the support pages. See here for an example. It may be a good idea to have a look at the AWS Support Center pages as well.
Have a concept on how to deal with the short amount of time you have for each question
The exam consists of 75 questions. Many of these questions are very long and complex, so make sure you have a concept for how to cope with that. I quickly read through large questions and just gave an answer from my gut feeling. I then flagged those questions for review and moved on to the next ones. At the end, I had a bit of time left to go over the flagged questions again, although I didn't change any of the answers. It seems the first gut feeling is often a good one.
Drink before going in
This sounds a bit obvious, but you won't have the chance to drink anything for ~3 hours. Make sure you start drinking enough early in the day. Go to the restrooms right before the exam :-)
Use additional time, if possible
For me as a non-native English speaker, it was very helpful to have an extra 30 minutes, which can be requested if you can prove that you are a non-native English speaker. This can be requested while scheduling the exam and definitely helps.
Keep in mind important topics
WAF
I realized that WAF, often in combination with Application Load Balancers and web ACLs, made up a huge part of my questions. As stated earlier, this can vary from exam to exam, but I recommend you gain hands-on experience with these components.
CloudFront
The combination of CloudFront & S3 was also part of multiple questions I came across. Make sure you understand how to allow access from CloudFront to S3 and how to avoid direct access to files stored on S3 using Origin Access Identity (OAI).
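The point of an OAI is that the bucket stays private and the only principal allowed to read objects is CloudFront's identity; the classic mistake is leaving a public-read website bucket policy in place, which lets clients bypass CloudFront (and any WAF rules attached to it) by hitting the S3 URL directly. The following is an added example, not code from the original post or from AWS: it builds the OAI-scoped bucket policy and checks a given policy for Allow statements that still grant anonymous object reads. The bucket name and the OAI id are constructed placeholders; the principal ARN format is the one CloudFront uses for OAIs.

```python
"""S3 bucket policy for a CloudFront OAI, plus a check for leftover public reads
(added example; bucket name and OAI id are placeholders)."""
import json

BUCKET = "example-static-site-bucket"  # constructed placeholder
OAI_ID = "EXAMPLEOAIID"                # placeholder, not a real OAI id


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Grant s3:GetObject on the bucket's objects to the OAI principal only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list), i.e. anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _actions(stmt) -> list:
    action = stmt.get("Action", [])
    return action if isinstance(action, list) else [action]


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that give anonymous principals object reads.

    A bucket that is only meant to be reached through CloudFront should yield an
    empty list. Condition blocks are ignored on purpose, so a conditioned public
    Allow is still reported; that is the conservative choice for a review tool."""
    read_actions = {"s3:getobject", "s3:get*", "s3:*", "*"}
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if any(a.lower() in read_actions for a in _actions(stmt)):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed "before" policy: the public-read website bucket that allows direct
# S3 URL access and therefore bypasses CloudFront entirely.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

if __name__ == "__main__":
    hardened = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(hardened, indent=2))
    print("public read statements (weak policy):", public_read_statements(PUBLIC_READ_POLICY))
    print("public read statements (OAI policy): ", public_read_statements(hardened))
```

Applying the OAI policy alone is not enough if Block Public Access is off and an older public statement is still attached; the checker is there to catch exactly that leftover.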
RDS global tables
I faced multiple questions asking on how to enable multi-region failover for RDS. Make sure you understand what RDS global tables are and what their intention is.
AWS Datasync exists
Unfortunately, I was not aware of the AWS DataSync service. I focused on migration strategies using Storage Gateway and completely overlooked DataSync.
VPC peering
Understand what VPC peering is and what it is not. Remember that VPCs can be peered across accounts (when in the same region) and inter-regionally (when not cross-account). Understand the purpose of Transit Gateway.
Good luck!
I wish you good luck with your preparation! Let me know in the comments if this article helped you.