It’s been a heck of three weeks—actually, a month. I started studying on June 15th for the Network and AWS Solution Architect Professional, as the networking was expiring first. I decided I focus on one exam at a time. So I did the Professional Architect June 28th, Networking July 6th, and Security on July 16th. All of this while working full time. It reminded me of the effort required to get my Master’s Degree in Computer Science. I’m relieved, as I have my DevOps in November, but at least now there is a break.

Without violating the NDA, let’s talk about the security exam. I took the exam Friday and passed. I did the exam on Pearson Vue. For the exam, I used about 95 minutes, which is half the allocated time. Some questions were real struggles. Hopefully, I’ll remember some of the contexts and research them later for my knowledge. 

The last time I took the security exam in July 2018, I decided on a Friday to take it the following Wednesday. Last time I wrote, “It’s the hardest exam I’ve taken to date. I think it is harder than the Solution Architect - Professional exam.” In 3 weeks, taking the Solution Architect - Professional, Networking Specialist, and Security Speciality. Oh wait, this is the second time I’ve done this. I guess I haven’t learned. I would confirm it’s hard. Is it harder than the Solution Architect Professional in its current form? I don’t know. It’s a more nuisance exam focused on security. AWS has 100,000s pages of documentation on services, Well-Architected, Mitigation strategies, and this exam pulls from those documents. I’m not going to go into details about the questions. But that’s a ton of information to know and understand to achieve this certification. I guess this is why they’re hard, and few people have 11.  

Now the part I will talk about is my preparation. Security is fundamental to AWS. Every service integrates with IAM, most with KMS, and there are many other services like SCPs, Security Hub, Guard Duty, Shield, etc., designed to help protect workloads in AWS and their integration to other services. Last time I probably put 24 hours into studying for the exam. This time it was maybe 18 hours in total. I don’t think I did the preparation justice either time. I think I fell back on my 12 years of AWS experience and the past three weeks of studying for the other exams. Although I knew going into the exam areas like KMS Key Grants, Private CA on ACM, HSM, Secrets Manager were weaknesses, the more I tried to read up and watch videos, the more learning I felt I needed imposter syndrome at work. 

I watched the 96% of acloud.guru security course did watch it at 1.75x- 2x speed. I didn’t slow down. If I didn’t understand a topic, I read or watched something in the resources section below. Again these are resources collected before the exam that I used. 

Resources

• https://aws.amazon.com/security
• <ttp://aws.amazon.com/compliance>
• https://aws.amazon.com/compliance/shared-responsibility-model/
• https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
• https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
• <Https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html>
• https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-what-is-isnot-replicated.html
• https://aws.amazon.com/cloudwatch/faqs/
• https://aws.amazon.com/cloudhsm/faqs/ 
• https://docs.aws.amazon.com/inspector/latest/userguide/inspector_installing-uninstalling-agents.html
• https://d0.awsstatic.com/whitepapers/compliance/AWS_Security_at_Scale_Logging_in_AWS_Whitepaper.pdf.  This is a little out of data, but I think it’s interesting and a quick read.
• https://aws.amazon.com/kms/faqs/ 
• https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
• https://aws.amazon.com/waf/preconfiguredrules/
• https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html
• https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service
• https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
• https://aws.amazon.com/answers/networking/aws-global-transit-network/
• https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
• https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html
• https://aws.amazon.com/blogs/aws/new-aws-privatelink-endpoints-kinesis-ec2-systems-manager-and-elb-apis-in-your-vpc/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+AmazonWebServicesBlog+%28Amazon+Web+Services+Blog%29
• https://aws.amazon.com/cloudhsm/
• https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html
• https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
• https://aws.amazon.com/systems-manager/
• https://aws.amazon.com/compliance/  Lots of papers and information here.  I didn’t read them all.
• https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
• https://docs.aws.amazon.com/kms/latest/cryptographic-details/intro.html
• https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
• https://www.youtube.com/watch?v=X1eZjXQ55ec
• https://www.youtube.com/watch?v=gTZgxsCTfbk
• https://www.youtube.com/watch?v=HnoZS5jj7pk
• https://www.youtube.com/watch?v=YQsK4MtsELU
• https://www.youtube.com/watch?v=jZAvKgqlrjY
• https://www.youtube.com/watch?v=zU1x5SfKEzs
• https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
• https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf?did=wp_card&trk=wp_card - Really new, interesting read.
• https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html - Really new, interesting read.
• https://aws.amazon.com/premiumsupport/trustedadvisor/best-practices/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
• https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
• https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource
• https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
• https://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html
• https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
• https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
• https://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html
• https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
• https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
• https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
• https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html
• https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
• https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke
• https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html

AWS has the security shared responsibility model.

Anyone on the AWS platform understands where this model. However, security on AWS is not easy as AWS has always been a platform of innovation. AWS has released a ton of services AWS Config, Macie, Shield, Web Application Firewall, SCPs. Over the years, Landing zones and then Control Tower which builds security when starting multi-account on AWS. Lastly, the Well Architected Security Pillar to review and confirm your workload is well architected.

Last month, AWS released a comprehensive guide to a Security Reference Architecture. It was built by Professional Services, which is the customer implementation arm of AWS.

I’m not going to try to summarize a 62-page document in a blog article. Mainly the document is about defense-in-depth, which is security at each layer of the workload. There two key observations from the document. The first observation is it does follow Control Tower guidance. Terms have been changed. It requires workloads to be in separate OU from security and infrastructure(shared services). Again these are general security principles that limit blast radius if an application or account is compromised. Security account and log collection account need to be separate. This Control Tower recommended an OU structure. Also, keeping log data in an immutable state is best for audit analysis.

The second observation is it now talks about leverage the Infrastructure account for Egress and Ingress traffic to the internet. This is only possible with Transit Gateway or a Transit VPC, defined in the document but not mentioned as part of the VPC diagram.

Maybe it’s just because of hyperfocus on renewing certifications. However, I notice the bleed-over between networking and security and how proper networking architecture is to start good security hygiene.

After studying for Advanced Networking Exam, I pondered a question about global backbones. There is a need for common understanding. So let’s take a step back. Transit gateway was a service introduced at ReInvent 2018. Transit Gateway(TGW) puts a router between VPCs and other networking services. The transit gateway works by putting attachments in each VPC using ENIs. If you’re lost before proceeding, watch the Re: Invent Video. TGW uses attachments is fundamental to the VPC architecture as the VPC doesn’t process traffic from a source destination outside the VPC. So the attachment ENI becomes part of the VPC. So now I have an attachment in the VPC thru a subnet. So instead of terminating my DirectConnect Gateway(DXGW) on a VGW in a VPC, it’s terminated in a TGW. A quick whiteboard of this architecture.

This becomes challenging while building a global network because European network would look like this assuming I had three pops in one Europe region:

Still better than Direct Connect Gateways to the VPCs. But there is a limitation Transit Gateways which are peered, don’t dynamically pass routes. This works great if you summarize routes by region. Like the US was all 10.50.0.0/12, and Europe was all 10.100.0.0/12. What doesn’t work is when I have unsummarized routes. But I digress route summarization doesn’t matter to the question. So here is a quick view of our whiteboard architecture of Europe and US regions:

The question is if there was dynamic routing, could I use the AWS backbone to haul traffic around the world without having to build my own global network as the two TGWs would exchange my prefixes from the exchange or pop locations?

I needed to recertify the Advanced Networking specialty. Technically it expired on 6/20. So I decided to focus on the Professional as it would include Networking and Security topics. I need to recertify Security Speciality later this month.

I took the AWS Advanced Networking Speciality on Tuesday and passed.

I took this exam with Pearson VUE. The exam opens 30 minutes before to get checked out. The process with the same as PSI, only there wasn’t a long wait. Personally, the interface in PSI is a little nicer than Pearson VUE. However, the experience of the otherwise of taking the exam is the same as it’s from the comfort of home.

I’m not going to talk about the exam, as that would violate the NDA. There are three observations. First, the exam requires deep AWS networking knowledge. Make sure you get in the console and get hands-on. The exam, as advertised, requires deep understanding and experience, which can only come thru practical hands-on experience. The other observation I would make is that the exam requires knowledge of services touched by networking, which is why acloud.guru course recommends associate level certification. The last comment on this exam has the most deficient written questions and answers of the certification exams I’ve taken. The questions and answers lack clarity found on the other exams.

I took the exam in about 90 minutes, which is half the allocated time. There were enough questions that I struggled to know the correct answer. I had no sense if I had no sense during the exam of a pass or fail.

Now the parts I can talk about, which was my preparation for the exam. In studying, the number of new networking specific services, including Transit Gateway announced Re:Invent 2018, Firewall Manager introduced April 2018 to name a few. The changes in networking services like AWS Shield, VPC FLow Logs, WAF between studying back in 2018 and studying three years later is incredible. Probably the reason, these certifications have to be re-certified every three years. The first time for the exam, I put about 50 hours of preparation into studying for the exam. This time I put maybe 16 hours into studying.

I watched about 80% of the acloud.guru course. I did watch most of it in 1.75x speed. I would slow down if I didn’t understand a topic or wanted more. I also read many whitepapers and FAQs and watched Youtube videos (2x) and linked below.

Resources:

• https://aws.amazon.com/certification/faqs/
• https://aws.amazon.com/certification/certified-advanced-networking-specialty/
• https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking-Specialty_Exam-Guide.pdf
• https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
• https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
• https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html#vpc-endpoints-limitations
• https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html
• https://aws.amazon.com/vpc/faqs/#Peering_Connections
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html
• https://www.youtube.com/watch?v=VIgAT7vjol8
• https://www.youtube.com/watch?v=_Z5jAs2gvPA
• https://www.youtube.com/watch?v=HKh54BkaOK0
• https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-ug.pdf
• https://aws.amazon.com/about-aws/whats-new/2020/08/aws-site-to-site-vpn-now-supports-internet-key-exchange-initiation/
• https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-client-vpn-to-securely-access-aws-and-on-premises-resources/
• https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html
• https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html
• https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
• https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
• https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html
• https://docs.aws.amazon.com/vpc/latest/userguide/Extend_VPCs.html
• https://www.youtube.com/watch?v=SMvom9QjkPk&list=PLlkukGgpsXyvUbJ85RVD7qNJ1mcGKO4_w&index=1
• https://www.youtube.com/watch?v=Qep11X1r1QA&list=PLlkukGgpsXyvUbJ85RVD7qNJ1mcGKO4_w&index=1
• https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/
• https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/
• https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/
• https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-by-using-unbound/
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
• https://aws.amazon.com/articles/6234671078671125
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html#vpc-limits-gateways
• https://aws.amazon.com/articles/high-availability-for-amazon-vpc-nat-instances-an-example/
• https://aws.amazon.com/cloudfront/details/#faq
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#default-network-acl
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ts-elb-http-errors.html
• http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
• http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
• http://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-network-requirements.html
• http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
• http://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
• http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
• http://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-vpc.html
• http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

Every year 10s of thousands of AWS customers and prospect customers desend on Las Vegas. For those of us to don’t make the trek Amazon live streams the the daily Key Notes. Those are where AWS announces it’s newest products and changes. Each year I build a list before November as AWS has a tendency to leak smaller items. This year my wish list for AWS was as follows:

1. Mixing sizes and types in ASG - Announced
2. DNS fixed for Collapsed AD - Announced
3. Cross regional replication for Aurora PostGreSQL - Regions expanded  still waiting on the cross regions to be announced 
4. Lambda and more Lambda integrations  - Announced 
5. AWS Config adding machine learning based on account.  
6. Account level S3 bucket control - Partly Announced 
7. 40Gbps Direct Connect 

There a lot of announcements, far too many to recap if interested in them all go read the AWS News Blog.   I do like to find two announcements which shock me and two things that seem interesting. 

The two items which shocked me were:

1. DynamoDB added transactional support (ACID).   This means someone could build an e-commerce or banking application which requires consistent transactions on dynamoDB.  
2. AWS Outposts and AWS RDS on VMware allows you to deploy AWS on-premise and AWS will manage this for you.   I can only assume this is to help with migrations or workloads so sensitive they can’t move off-premise.     It would be interesting to see how AWS manages storage capacity and compute resources as many companies struggle with these and how the management model will work.   However, given the push to move away from traditional data centers, so reserves that course.   It will be interesting to see how it plays out over the next year and what services this provides a company migrating to the cloud. 

On my passions is security, so the two things which interested me are

• AWS Security Hub and  AWS Control Tower  - I consider these one thing as they will be used in tandem.   Control Center will provide security launch zone for an organization while AWS Security Hub will provide governance and monitoring of security 
• The ARM processor in the a1 instances which Amazon developed internally.   Based on pricing these instances seem to offer cost advantages to the existing instance types.   

What did you find interesting, amusing or shocking?   What were you looking for which wasn’t announced? 

Sat the AWS Certified DevOps Engineer - Professional Exam last this afternoon.  The exam is hard, as it scenario based.   Most of the exam questions were to pick the best solution for deployments which comprised CloudFormation, Elastic Beanstalk and OpsWorks.   Every one of those questions had 2 good answers, it came down to which was more correct based on the keywords cost, speed, redundancy, roll back capabilities.  

I did the course on acloud.guru and a lot of AWS pages. At some point I will make a page of all the links I collected when studying for this exam.

The exam took me about two-thirds of the allowed time, I read fast and have a tendency to flag questions I don’t know the answer to and come back later and work thru them. This exam, I flagged 20 questions. Most of them I could figure out, once I thought about them for a while. But flagging questions and going back helps manage the time.

Upon submission, I got the “Congratulations! You have successfully completed the AWS Certified DevOps Engineer - Professional…”

I got my score email very quickly:

Overall Score: 82%

Topic Level Scoring:

That now makes my 7th AWS Certification.

I was listening to the Architech podcast.  There was a question asked, ”Does everything today tie back to Kubernetes?”   The more general version of the question is, “Does everything today tie back to containers?”.    The answer is quickly becoming yes.    Something Google figured out years ago with its environment that everything was containerized is becoming mainstream.

To support this  Amazon now has 3 different Container technologies and one in the works.

ECS which is Amazon’s first container offering.    ECS is container orchestration which supports Docker containers.    

Fairgate ECS which is managed offering of ECS where all you do is deploy Docker images and AWS owns full management.  More exciting is that  Fairgate for EKS has been announced and pending release.  This will be a fully managed Kubernetes.    

EKS is the latest offering which was GA’d in June.   This is a fully managed control plane for Kubernetes.   The worker nodes are EC2 instances you manage, which can run an Amazon Linux AMI or one you create.

Lately, I’ve been exploring EKS so that will be the next blog article, how to get started on EKS.

In the meantime, what have you containerized today?

Amazon recently released a presentation on Data-safe Cloud.  It appears to be based on some Gartner question and other data AWS collected.  The presentation discusses 6 core benefits of a secure cloud.

1. Inherit Strong Security and Compliance Controls
2. Scale with Enhanced Visibility and Control
3. Protect Your Privacy and Data
4. Find Trusted Security Partners and Solutions
5. Use Automation to Improve Security and Save Time
6. Continually Improve with Security Features.  

I find this marketing material to be confusing at best, let’s analyze what it is saying. 

For point 1, Inherit Strong and Compliance Controls, which reference all the compliance AWS achieves.  However, it loses track of the shared responsibility model and doesn’t even mention until page 16.   Amazon has compliance in place which is exceptional, and most data center operators or SaaS providers struggle to achieve.   This does not mean my data or services running within the Amazon environment meet those compliances

For point 2,  4  and 6 those are not benefits of the secure cloud.  Those might be high-level objects one uses to form a strategy on how to get to a secure cloud.  

Point 3 I don’t even understand, the protection of privacy and data has to be the number one concern when building out workloads in the cloud or private data centers.   It’s not a benefit of the secure cloud, but a requirement.  

For point 5, I am a big fan of automation and automating everything.   Again this is not a benefit of a secure cloud, but how to have a repeatable, secure process wrapped in automation which leads to a secure cloud.

Given the discussions around cloud and security given all the negative press, including the recent AWS S3 Godaddy Bucket exposure, Amazon should be publishing better content to help move forward the security discussion.  

Earlier today AWS released t3 instances.   There are a bunch of press releases about the topic.    The performance is supposed to be 30% better than T2.   Hopefully, in the next few days, independently published benchmarks will be released to confirm if the instances are 30% faster.   In the interim go to the Amazon pages for all the details on T3 instances.   The cost is a few cents less.   For example, a reserved instance from T2.small to  T3.small with no upfront went from .17 cents to .15 cents in the US-WEST-2 region.    

Before today awsarch.io ran off T2 instances, to build this blog article it was updated to T3 instances.    AWS makes it easy to change instance type, just shut down the instance and from the AWS console go to Instance Settings->Change Instance type.  Then select the appropriate t3 instance.   It can be done via the AWS CLI as well.

Change Instance

T3 force you to select EBS optimized volumes.  EBS optimized volumes for T3 provide additional IOPS.  Here is the link for the complete EBS optimized information.

T3 EBS Optimized

The T3 instance uses an ENA adapter so before starting your instance change the ENA adapter thru the AWS command line:  

aws ec2 modify-instance-attribute –instance-id --ena-support

Lastly, I notice mount points changed.   Previously the EBS volumes devices in the Linux /dev directory changes.   Before the change to T3 they were /dev/xvdf1, /dev/xvdf2, etc.  Now the devices are /dev/nvme1n1p1, /dev/nvme1n1p2, etc.   Something to keep in mind if you have additional volumes with mount points on the ec2 instance. 

Amazon generates a lot of logs via VPC Flow Logs, CloudTrail, S3 access logs, CloudWatch (See the end of the blog article for a full list.)   Additionally, there are OS, Application, web server logs.   That is a lot of data which provides valuable insight into your running AWS environment.   What are you doing to manage this log files?  What are you doing with those log files?  What are you doing to analysis these log files?

There are a lot of logging solutions available that integrate with AWS. Honestly, I’m a big fan of Splunk and have set it up multiple times.  However, I wanted to look at something else for this blog article. Something open source and relatively low cost. This blog is going to explain what I did to setup Graylog. Graylog has no charges for the software, but you’re going to get charged for the instance, Kinesis, SQS, and data storage.  It actually a good exercise if to familiarize yourself with AWS services, especially for the Sysops exams.  

Graylog provides great instructions.   I followed the steps remember to use their image which is already self-built on Ubuntu.   One difference with this setup, I didn’t use a 4GB memory systems.   I picked a t2.small which proves 1vCPU and 2GB of memory.    I didn’t notice performance issues.  Remember to allow ports 443 and 9000 in security groups and the Networking ACLs.   I prefer to run this over HTTPS.  And it bugs me when you see NOT SECURE HTTP:  I installed an SSL certificate, and this is how I did it.

1. Create a DNS name 
2. Get a free certificate 
3. Install the Certificate as such 

Now my instance is up, and I can log into the console.  I want to get my AWS logs into Graylog.   To do this is requires the logs sent to Kinesis or SQS.  I am not going to explain the SQS setup as there plenty of resources for the specific AWS Service.   Also, the Graylog Plugin describes how to do this.  Graylog plugin for CloudTrail, CloudWatch and VPC Flow logs is available on Github at Graylog Plugin for AWS.

What about access_logs?  Graylog has the Graylog Collector Sidecar.      I’m not going to rehash the installation instructions here as there are great installation instructions.     Graylog has a great documentation.   Also if you are looking for something not covered here, it will be in the documentation or in their Github project. 

What are you using as your log collection processing service on Amazon?  

List of AWS Servers generating logs:

Amazon S3 Access logs Amazon CloudFront Access logs Elastic Load Balancer (ELB) logs Amazon Relational Database Service (RDS) logs Amazon Elastic MapReduce (EMR) logs Amazon Redshift logs AWS Elastic Beanstalk logs AWS OpsWorks logs (or this link) AWS Import/Export logs AWS Data Pipeline logs AWS CloudTrail logs

All three code platforms AWS, Google Cloud, Azure release features all the time.    However, Google Cloud took a major leap by providing great tool developers by integrating with IntelliJ.   Google did a great job covering the how it works in there Platform blog which is worth reading.

I have used Eclipse since it was released, prior to that I would use Emacs.   However, for my master program over the last 3 years, I have been using IntelliJ.   It’s become my go-to platform for coding work because IntelliJ is easy to use,  and my various class groups typically use it.   IntelliJ makes it free for students, which is a great way to develop a  user base given its price tag.

Providing an easy to use a tool, which has an existing user based was smart by Google Cloud especially as it continues its to close the gap with AWS.

Finally, I’m not a big fan of Cloud9 on AWS.   What do you think?   Are you an IntelliJ or Cloud9 user?

DDoS attacks are too frequent on the internet. A DDoS attack sends more requests that can be processed. Many times, the requestors machine has been compromised to be part of a more massive DDoS network. This article is not going to explain all the various types as there is a whole list of them here. Let’s discuss a particular type of DDoS attack designed to overwhelm your web server. This traffic will appear as legitimate requests using GET or POST Requests. GET would be for /index.html or any other page at 50 requests per minute. A POST would hit your myApi.php and attempt to post data at 50 plus requests per minute.

This is going to focus on some recommendations using AWS and other technologies to stop a recent HTTP DDoS attacks. The first step is to identify the DDoS attack versus regular traffic. The second question is how does one prevent a DDoS HTTP attack.

Identifying a DDoS attack there various DDoS The first step is to understand your existing traffic, if you have 2,000 requests per day and all of a sudden you have 2,000,000 requests in the morning, its a good indication it’s under a DDoS attack. The easiest way to identify this is to look at the access_log and pull this into a monitoring service like Splunk, AllenVault, Graylog, etc. From there trend analysis in real-time would show the issues. If the Web servers are behind an ALB make sure the ALB is logging requests and that those requests are being analysis instead of the web server access logs. ALB still support the X-Forwarded-For so it can be passed.

Preventing a DDoS attack There is no way to truly prevent an HTTP DDoS attack.  Specifically to deal with this event, the following mitigation techniques the were explored:

1. AWS Shield - this provides advance WAF functions, and there rules to limit.

2. The free-ware would be to use Apache and NGINX have rate limited for specific IP addresses.   In Apache, this is implemented by a number of modules.   ModSecurity is usually at the top of the list, a great configuration example is available on Github which includes the X-Forwarded-For.

3. An EC2 instance in front of the web server can be run as a Proxy. The proxy can be configured to suppress the traffic using ModSecurity or other MarketPlace offerings including other WAF options.

4. The ALB or CloudFront can deploy an AWS WAF.

5. Lastly, the most expensive option is to deploy Auto-scaling groups to absorb all traffic.

Please leave a comment if there other options which should have been investigated.

To solve this specific issue, an AWS WAF was deployed on the ALB.   One thing to consider is to make sure to prevent attacks from directly hitting the website.   This is easily accomplished by allowing HTTP/HTTPS from anywhere only to the ALB.    ALB and EC2 instance sharing a security group which allows HTTPS/HTTP to everything in that security group.

Starting a new position today as Consultant - Cloud Architect with Taos.   Super excited to for this opportunity.

I wanted a position as a solution architect working with the Cloud, so I couldn’t be more thrilled with the role.   I am looking forward to helping Taos customers adopt the cloud and a Cloud First Strategy.

It’s an amazing journey for me, as Taos was the first to offer me a Unix System administrator position when I graduated from Penn State some 18 years ago, and I passed on the offer and went to work for IBM.

I am really looking forward to working with the great people at Taos.

Amazon released AWS Well Architected Framework to help customers Architect solutions within AWS.   The amazon certifications require detailed knowledge of 5 white papers which make up the Well Architected Framework.   Given I have recently completed 6 Amazon certifications, I decided I was going to write a blog which pulled my favorite lines from each paper.

Operational excellence pillar The whitepaper says on page 15, “When things fail you will want to ensure that your team, as well as your larger engineering community, learns from those failures.”   It doesn’t say “If things fail”, it says “When things fail” implying straight away things are going to fail.

security pillar On page 18, “Data classification provides a way to categorize organizational data based on levels of sensitivity. This includes understanding what data types are available, where is the data located and access levels and protection of the data”.  This to me sums up how security needs to be defined. Modern data security is not about firewalls and having a hard outside shell or malware detectors.  It about protecting the data based on its classification from both internal (employees, contractors, vendors) actors and hostile actors.

reliability pillar The document is 45 pages long and the word failure appears 100 times and the word fail exists 33 times. The document is really about how to architect an AWS environment to respond to failure and what portion of your environment based on business requirements should be over-engineered to withstand multiple failures.

performance efficiency pillar Page 24 the line, “When architectures perform badly this is normally because of a performance review process has not been put into place or is broken”.   When I first read this line, I was perplexed.  I immediately thought this implies a bad architecture can perform well if there is a performance review in place.  Then I thought when has a bad architecture ever performed well under load?   Now I get the point this is trying to make.

cost optimization On page 2, is my favorite line from this white paper, “A cost-optimized system will fully utilize all resources, achieve an outcome at the lowest possible price point, and meet your functional requirements.”   It made me immediately think back to before the cloud, every solution had to have a factor over the life of hardware for growth it was part of the requirements.    In the cloud you need to support capacity today, if you need more capacity tomorrow, you just scale. This is one of the biggest benefits of cloud computing, no more guessing about capacity.

Sat the AWS Certified Security - Speciality Exam this morning.  The exam is hard, as it scenario based.   Most of the exam questions were to pick the best security scenario.   It could be renamed the Certified Architect - Security.    Every one of those questions had 2 good answers, it came down to which was more correct and more secure.       It’s the hardest exam I’ve taken to date.   I think it is harder than the Solution Architect - Professional exam. The majority of the exam questions where on KMS, IAM, securing S3, CloudTrail, CloudWatch, multiple AWS account access, Config, VPC, security groups, NACLs, and WAF.

I did the course on acloud.guru and I think the whitepapers and links really helped me in the studying for this exam:

• Security Whitepaper
• S3 Bucket Policies
• AWS Security at Scale
• DDos Whitepaper
• KMS
• AWS Security Best Practices
• AWS Well Architected Framework - Security Pillar

The exam took me about half the allocated time, I read fast and have a tendency to flag questions I don’t know the answer to and come back later and work thru them.    This exam, I flagged 20 questions, highest of any AWS exam taken to date.     Most of them I could figure out, once I thought about them for a while.      Thru the exam, I was unsure of my success or failure.

Upon submission, I got the “Congratulations! You have successfully completed the AWS Certified Security - Specialty exam…”

Unfortunately, I didn’t get my score, I got the email, which says, “Thank you for taking the  AWS Certified Security - Specialty exam. Within 5 business days of completing your exam,”

That now makes my 6th AWS Certification.

If you have an AWS deployment, make sure you turn on AWS Config.       It has a whole bunch of built-in rules, and you can add your own to validate the security of your AWS environment as it relates to AWS services.   Amazon provides good documentation, a GitHub repo,  and SumoLogic does a quick How-to turn it on.      It’s straightforward to turn on and use.   AWS provides some pre-configured rules, and that’s what this AWS environment will validate against.  There is a screenshot below of the results.   Aside from turning it on, you have to decide which rules are valid for you.   For instance, not all S3 buckets have business requirements to replicate, so I’d expect this to always be a noncompliant resource.However, one of my findings yesterday was missing EBS encrypted volumes. In order to make EBS volumes encrypted its 9 easy steps:

1. Make a snapshot of the EBS Volumes.

2. Copy the snapshot of the EBS Volume to a Snapshot, but select encryption.   Use the AWS KMS key you prefer or Amazon default aws/ebs.

3. Create an AMI image from the encrypted Snapshot.

4. Launch the AMI image from the encrypted Snapshot to create a new instance.

5. Check the new instance is functioning correctly, and there are no issues.

6. Update EIPs, load balancers, DNS, etc. to point to the new instance.

7. Stop the old un-encrypted instances.

8. Delete the un-encrypted snapshots.

9. Terminate the old un-encrypted instances.

Remember KMS gives you 20,000 request per month for free, then the service is billable.

Serverless is becoming the 2018 technology hype.   I remember when containers were gaining traction in 2012, and Docker in 2013.  At technology conventions, all the cool developers were using containers.   It solved a lot of challenges, but it was not a silver bullet. (But that’s a blog article for another day.)

Today after an interview I was asking myself,  have Containers lived up to the hype?   They are great for CI/CD, getting rid of system administrator bottlenecks, helping with rapid deployment, and some would argue fundamental to DevOps.  So I started researching the hype.   People over at  Cloud Foundry published a container report in  2017 and 2016.

Per the 2016 report, “our survey, a majority of companies (53%) had either deployed (22%) or were in the process of evaluating (31%) containers.”

Per the 2017 report, “increase of 14 points among users and evaluators for a total of 67 percent using  (25%) or evaluating (42%).”

As a former technology VP/director/manager, I was always evaluating technology which had some potential to save costs, improve processes, speed development and improve production deployments.   But a 25% adaption rate and a 3% uptick over last year, is not moving the technology needle.

However, I am starting to see the same trend, Serverless is the new exciting technology which is going to solve the development challenges, save costs, improve the development process and you are cool if you’re using it.       But is it really Serverless or just a simpler way to use a container?

AWS Lambda is basically a container.  (Another blog article will dig into the underpinnings of Lambda.)   Where does the container run? ** A Server. **

Just means I don’t have to understand the underlying container, server etc.etc.etc.     So is it truly serverless?   Or is it just the 2018 technology hype to get all us development geeks excited, we don’t need to learn Docker or Kubernetes, or ask our Sysadmin friends provision us another server.

Let me know your thoughts.

I sat the AWS Certified Solutions Architect - Professional exam this morning.   This exam is hard, probably the hardest of the AWS exams I have taken to date.    I did it in about half the allowed time.   Generally, the test is challenging as it covers a lot of topics and each answer always had two correct choices.   The entire exam is a challenge to pick the more correct answer based on the scenario and question with a driving factor of one more or more of the following,  scalability, cost, recovery time, performance or security.

I felt like I passed the exam while doing it, but its always a relief to see:

Congratulations! You have successfully completed the AWS Certified Solutions Architect - Professional exam and you are now AWS Certified.

Here is my score breakdown from the exam.

Topic Level Scoring:

I sat the AWS Certified SysOps Administrator - Associate this morning.   That makes two exams this week in 3 days.

The exam was a little bit harder than the two other Associate exams as it went a level deeper.   It focused on CloudFormation, CloudWatch, and deployment strategies.      There were nine questions I struggled with the right answer, as all nine had two good answers.     There were about 35 questions I knew cold.    There were three questions duplicated on the other associate exams.   All of the network questions I was over-thinking, probably based on the networking exam this week.    Given this, I wasn’t worried when I ended the test.   However,  it’s always a relief when you get the Congratulations! You have successfully completed the AWS Certified SysOps Administrator - Associate.

Within 10 minutes I got my score email:

Congratulations again on your achievement!

Overall Score: 84%

Topic Level Scoring:

The score reflected over thinking the networking questions.    I wouldn’t recommend sitting two different exams in the same few days.

That make 4 AWS certifications in 3 weeks:

• AWS Certified SysOps Administrator - Associate
• AWS Certified Advanced Networking - Specialty
• AWS Certified Developer - Associate
• AWS Certified Solutions Architect - Associate (Released February 2018)

Guess now it’s time to focus on the last of the Amazon Certifications I’ll work on for now which is the  AWS Certified Solutions Architect – Professional.

The material for the AWS Certified SysOps Administrator – Associate seems to be a lot of the material cover under the Associate Architect and Associate Developer.   I would have thought the material more focus on setting up and troubleshooting issues with EC2, RDS, ELB, VPC etc.    It also spends a lot of time looking at CloudWatch, but doesn’t really provide strategies for leveraging the logs.  Studying was a combination of the acloud.guru and the official study guide, and the Amazon Whitepapers.

I took the AWS supplied practice test using a free test voucher and score the following:

It interesting the networking score was so low as I just passed the Network Speciality.

This is the last Associate exam to pass for me.    If I successfully pass it, I will begin the process of studying for the Certified Solution Architect - Professional.    That will probably be my last AWS certification as I’ll look at either starting on something like  TOGAF certification,  Redhat or Linux Institute, Cisco, GCP  or Azure, depending on where my interest lies in a few weeks.

I passed the AWS Certified Advanced Networking – Specialty Exam this morning.    The exam is hard.   My career started with a  networking as I had multiple Nortel and Cisco Certifications and was studying to the CCIE Lab back then.  But over the last 12 years,  I got away from networking.    Doing this exam was going back to something I loved for a long time, as  BGP, Networking, Load Balancers, WAF makes me excited.

My exam results

Topic Level Scoring:
1.0  Design and implement hybrid IT network architectures at scale: 75%
2.0  Design and implement AWS networks: 57%
3.0  Automate AWS tasks: 100%
4.0  Configure network integration with application services: 85%
5.0  Design and implement for security and compliance: 83%
6.0  Manage, optimize, and troubleshoot the network: 57%

I have limited experience with AWS networking prior to this exam.   I had the standard things likes load balancers, VPCs, Elastic IPs and Route 53.   This exam tests your knowledge of these areas and more.      To prepare I used the acloud.guru course, also the book  AWS Certified Advanced Networking Official Study Guide: Specialty Exam and the Udemy Practice Tests.    With the course and book, I set up VPC peers, Endpoints, nat instances, gateways, CloudFront distributions.    I put about 50 hours into doing the course, reading the book, doing various exercise, and studying etc.

Based on my experience the acloud.guru course is lacking the details on the ELBs, the WAF, private DNS, and implementation within CloudFormation.     The book comes closer to the exam, but also doesn’t cover CloudFormation, WAF or ELBs as deep as the exam.   The Udemy practice tests were close to the exam, but lack some of the more complex scenario questions.

I plan to sit the AWS Certified SysOps Administrator - Associate exam later this week.

The pdf provided this:

The AWS Certified Solutions Architect - Associate (Released February 2018) (SAA-C01) has a scaled score between 100 and 1,000. The scaled score needed to pass the exam is 720.

I got a 932….

I sat the exam for the AWS Certified Developer - Associate this morning.     I felt lucky as the system kept asking questions I knew in depth.   There were only 4 questions I didn’t know the answer to and took an educated guess.

I did the exam in 20 minutes for 55 questions.    I only review questions I flag, and I only flagged about 8 questions.    I felt really lucky as the exam was playing to my knowledge of DynamoDB, S3, EC2, and IAM.   There were other questions about Lambda, CloudFormation, CloudFront, and API calls.   But the majority of the questions focused on 4 areas of AWS, I knew really well.

At the end of the exam, I got the Congratulations have successfully completed the AWS Certified Developer  – Associate exam.

Also within 15 minutes, I got the email confirming my score:

Congratulations again on your achievement!

Overall Score: 90%

I’m still waiting on my score from my Solution Architect - Associate Exam.    In the meantime, I’ll get back to studying my AWS Networking Speciality.

AWS offers practices emails through PSI exams.   Cost $20 and gives you 20 questions for practice.    I did the exam today.   Here is the results email.

That’s a confidence builder going into the exam tomorrow morning.