Passed AWS Certified Security - Specialty

It’s been a heck of three weeks, actually a month. I started studying on June 15th for the Advanced Networking and AWS Solutions Architect Professional exams, as the networking certification was expiring first. I decided to focus on one exam at a time. So I did the Professional Architect on June 28th, Networking on July 6th, and Security on July 16th, all while working full time. It reminded me of the effort required to get my Master’s Degree in Computer Science. I’m relieved; I have the DevOps exam in November, but at least now there is a break.

Without violating the NDA, let’s talk about the security exam. I took the exam on Friday and passed. I did the exam through Pearson VUE. I used about 95 minutes, which is half the allocated time. Some questions were real struggles. Hopefully, I’ll remember some of the contexts and research them later for my own knowledge.

The last time I took the security exam, in July 2018, I decided on a Friday to take it the following Wednesday. Last time I wrote, “It’s the hardest exam I’ve taken to date. I think it is harder than the Solution Architect - Professional exam.” This time, in three weeks, I took the Solutions Architect - Professional, Advanced Networking Specialty, and Security Specialty. Oh wait, this is the second time I’ve done this. I guess I haven’t learned. I would confirm it’s hard. Is it harder than the Solutions Architect Professional in its current form? I don’t know. It’s a more nuanced exam focused on security. AWS has hundreds of thousands of pages of documentation on services, the Well-Architected Framework, and mitigation strategies, and this exam pulls from those documents. I’m not going to go into details about the questions. But that’s a ton of information to know and understand to achieve this certification. I guess this is why they’re hard, and few people have all 11.

Now the part I will talk about is my preparation. Security is fundamental to AWS. Every service integrates with IAM, most with KMS, and there are many other services and controls, like SCPs, Security Hub, GuardDuty, Shield, etc., designed to help protect workloads in AWS, along with their integrations with other services. Last time I probably put 24 hours into studying for the exam. This time it was maybe 18 hours in total. I don’t think I did the preparation justice either time. I think I fell back on my 12 years of AWS experience and the past three weeks of studying for the other exams. Although I knew going into the exam that areas like KMS key grants, Private CA on ACM, CloudHSM, and Secrets Manager were weaknesses, the more I tried to read up and watch videos, the more I felt I still needed to learn, which fed the imposter syndrome I feel at work.

I watched about 96% of the acloud.guru security course, at 1.75x to 2x speed. I didn’t slow down. If I didn’t understand a topic, I read or watched something from the resources section below. Again, these are resources I collected before the exam and used.

Resources


Security Reference Architect

AWS has the security shared responsibility model.
Shared Responsibility Model

Anyone on the AWS platform understands this model. However, security on AWS is not easy, as AWS has always been a platform of innovation. AWS has released a ton of services: AWS Config, Macie, Shield, Web Application Firewall, SCPs. Over the years came Landing Zones and then Control Tower, which builds security in when starting multi-account on AWS. Lastly, the Well-Architected Security Pillar lets you review and confirm your workload is well architected.

Last month, AWS released a comprehensive guide to a Security Reference Architecture. It was built by Professional Services, the customer implementation arm of AWS.

I’m not going to try to summarize a 62-page document in a blog article. Mainly the document is about defense in depth, which is security at each layer of the workload. There are two key observations from the document. The first observation is that it does follow Control Tower guidance; the terms have changed. It requires workloads to be in a separate OU from security and infrastructure (shared services). Again, these are general security principles that limit the blast radius if an application or account is compromised. The security account and the log collection account need to be separate. This is the Control Tower recommended OU structure. Also, keeping log data in an immutable state is best for audit analysis.

The second observation is that it now talks about leveraging the infrastructure account for egress and ingress traffic to the internet. This is only possible with a Transit Gateway or a Transit VPC, which is defined in the document but not shown as part of the VPC diagram.

Maybe it’s just because of my hyperfocus on renewing certifications. However, I notice the bleed-over between networking and security, and how proper networking architecture is the start of good security hygiene.


Transit Gateway and Direct Connect

After studying for the Advanced Networking exam, I pondered a question about global backbones. There is a need for a common understanding, so let’s take a step back. Transit Gateway was a service introduced at re:Invent 2018. Transit Gateway (TGW) puts a router between VPCs and other networking services. It works by placing an attachment in each VPC using ENIs. If you’re lost before proceeding, watch the re:Invent video. TGW’s use of attachments is fundamental to the VPC architecture, as the VPC doesn’t process traffic from a source or destination outside the VPC. So the attachment ENI becomes part of the VPC. So now I have an attachment in the VPC through a subnet. And instead of terminating my Direct Connect Gateway (DXGW) on a VGW in a VPC, it’s terminated on a TGW. A quick whiteboard of this architecture:
Transit Gateway

This becomes challenging while building a global network, because the European network would look like this, assuming I had three PoPs in one European region:
Transit Gateway with multiple POPs

Still better than Direct Connect Gateways to the VPCs. But there is a limitation: Transit Gateways that are peered don’t dynamically pass routes, so every prefix the peer needs is a static route. This works great if you summarize routes by region, like the US being all 10.50.0.0/12 and Europe all 10.100.0.0/12 (strictly, the /12 blocks those addresses fall in are 10.48.0.0/12 and 10.96.0.0/12). What doesn’t work is when I have unsummarized routes, because each one has to be added by hand on the peer. But I digress; route summarization doesn’t matter to the question. So here is a quick view of our whiteboard architecture of the Europe and US regions:
Transit Gateway with multiple POPs
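To make the summarization point concrete, here is an added example (not code from the post) that works out what static routes two peered TGWs would need from a per-region address plan. The region names and VPC CIDRs are constructed sample data, and the "attachment" labels are hypothetical; the only real dependency is Python's standard `ipaddress` module. It also shows why 10.50.0.0/12 is not an aligned summary: the block it lives in is 10.48.0.0/12.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the post): VPC CIDRs attached to each
# region's Transit Gateway. Region names and addresses are hypothetical.
REGION_PREFIXES = {
    "us-east-1": ["10.48.0.0/16", "10.49.0.0/16", "10.50.0.0/16"],
    "eu-west-1": ["10.96.0.0/16", "10.97.0.0/16"],
}


def aligned(cidr):
    """Return the canonical network for a CIDR, clearing any host bits.

    ipaddress.ip_network('10.50.0.0/12') raises ValueError because 10.50
    is not on a /12 boundary; the /12 it lies in is 10.48.0.0/12.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def summarize(prefixes):
    """Collapse a list of prefixes into the minimal exact set of routes
    (two adjacent, aligned /16s become one /15; a stray /16 stays as is)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_summary(prefixes):
    """Smallest single aligned supernet covering every prefix in a region.

    If a region's address plan is contiguous, this is the one static route
    the peered TGW needs for it.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hi = max(int(n.broadcast_address) for n in nets)
    net = min(nets, key=lambda n: int(n.network_address))
    # Widening the lowest network keeps its start and extends the end.
    while int(net.broadcast_address) < hi:
        net = net.supernet()
    return str(net)


def peering_static_routes(region_prefixes):
    """For each region's TGW route table, the static routes that must be
    added toward every peered region (TGW peering propagates nothing)."""
    routes = {}
    for region in region_prefixes:
        routes[region] = []
        for peer, prefixes in region_prefixes.items():
            if peer == region:
                continue
            for dest in summarize(prefixes):
                routes[region].append(
                    {"destination": dest, "attachment": f"peering->{peer}"}
                )
    return routes


def overlapping_summaries(region_prefixes):
    """Pairs of regions whose summaries overlap; such static routes would
    be ambiguous on the peer, so a clean plan returns an empty list."""
    sums = {
        r: ipaddress.ip_network(single_summary(p))
        for r, p in region_prefixes.items()
    }
    return [(a, b) for a, b in combinations(sums, 2) if sums[a].overlaps(sums[b])]


if __name__ == "__main__":
    for region, routes in peering_static_routes(REGION_PREFIXES).items():
        print(region)
        for r in routes:
            print(f"  {r['destination']:18} -> {r['attachment']}")
    print("overlaps:", overlapping_summaries(REGION_PREFIXES))
```

With the sample plan, eu-west-1 needs two static routes toward the US (10.48.0.0/15 and 10.50.0.0/16) because 10.50.0.0/16 does not merge with its neighbors, while us-east-1 needs a single 10.96.0.0/15 toward Europe. Reserving an aligned block per region up front (here 10.48.0.0/14 and 10.96.0.0/15) is what keeps the static route count at one per peer.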

The question is: if there were dynamic routing, could I use the AWS backbone to haul traffic around the world without having to build my own global network, as the two TGWs would exchange my prefixes from the exchange or PoP locations?


Passed the AWS Certified Advanced Networking – Specialty Exam

I needed to recertify the Advanced Networking Specialty. Technically it expired on 6/20. So I decided to focus on the Professional first, as it would include networking and security topics. I need to recertify Security Specialty later this month.

I took the AWS Advanced Networking Specialty on Tuesday and passed.

I took this exam with Pearson VUE. The exam opens 30 minutes before the slot to get checked in. The process was the same as PSI, only there wasn’t a long wait. Personally, the interface in PSI is a little nicer than Pearson VUE. Otherwise, the experience of taking the exam is the same, as it’s from the comfort of home.

I’m not going to talk about the exam, as that would violate the NDA. There are three observations. First, the exam requires deep AWS networking knowledge. Make sure you get in the console and get hands-on. The exam, as advertised, requires deep understanding and experience, which can only come through practical hands-on experience. The second observation is that the exam requires knowledge of services touched by networking, which is why the acloud.guru course recommends an associate-level certification first. The last comment: this exam has the most poorly written questions and answers of the certification exams I’ve taken. The questions and answers lack the clarity found on the other exams.

I took the exam in about 90 minutes, which is half the allocated time. There were enough questions where I struggled to know the correct answer. I had no sense during the exam of a pass or fail.

Now the part I can talk about, which was my preparation for the exam. In studying, the number of new networking-specific services stood out, including Transit Gateway, announced at re:Invent 2018, and Firewall Manager, introduced in April 2018, to name a few. The changes in networking services like AWS Shield, VPC Flow Logs, and WAF between studying back in 2018 and studying three years later are incredible. That is probably the reason these certifications have to be renewed every three years. The first time for the exam, I put about 50 hours of preparation into studying. This time I put maybe 16 hours into studying.

I watched about 80% of the acloud.guru course. I did watch most of it at 1.75x speed. I would slow down if I didn’t understand a topic or wanted more. I also read many whitepapers and FAQs and watched YouTube videos (2x), linked below.

Resources:


AWS Certified Solutions Architect – Professional

I sat the AWS Certified Solutions Architect - Professional exam last Monday. This was to recertify my expiring AWS Professional certification, which also recertified my Cloud Practitioner and Associate Architect.

The exam is challenging. It was probably the most time I’ve spent taking an AWS exam: 2 hours and 21 minutes. My original certification came with what was the famous reading comprehension exam, which was retired in 2019. This exam didn’t require that level of reading but was harder. I also finished the old exam faster than this one.

Let me provide three observations on the exam that won’t violate any NDA. First, it feels more SysOps than Architect because the scenarios aren’t as drawn out as in the exam that retired in 2019. Secondly, it tests both the breadth and depth of AWS services. Lastly, back in 2018, I said, “The entire exam is a challenge to pick the more correct answer based on the scenario and question, with a driving factor of one or more of the following: scalability, cost, recovery time, performance, or security.” That statement holds true on this exam.

For preparation, I watched about 50% of the acloud.guru course. I skipped the sections I was comfortable with. I also read a bunch of whitepapers and FAQs and watched YouTube videos, linked below.

I took the exam with PSI. First, PSI doesn’t start the check-in until the exam slot, and check-in takes 20-30 minutes. Secondly, the app will suck battery power. Given the requirements, I couldn’t use my regular desk, so be prepared.

Last comment: not that the team at AWS is trying to, but the exam is about getting you stuck on a question so you run out of time, or rushing through and missing core context. I’ve been on the platform a long time and work for AWS, and it still took me 78% of the allocated time on a Monday night to do the exam, and I read fast. The main takeaway is to develop an exam strategy that works for you, and practice it on the associate-level exams before sitting this one.

List of resources:


graviton2

awsarch.io was switched over to Graviton2 instance types, as there were significant cost savings, something like 20% if my math was correct. There is very little to this blog: it uses Jekyll and Apache. All the posts are maintained in a source code repo, as they start life as markdown. Jekyll converts the markdown into HTML.

The OS takes care of the differences between the ARM-based Graviton2 and the prior Intel instances. The performance of T instances is not exceptional, but they scale under load like any other instance and are super cost-effective.

Software that is not available as an ARM package can be built with GCC. I think I had to build one package, and it worked fine. Tools managed by Homebrew had no issues.
