AWS Solution Architect Professional Certification Prep.

Exam Pre-requisite and IAM service

This article provides high-level information on how to prepare for AWS SAP-C02. In it, I have incorporated the daily routine I am following to crack this certification.

12-Aug-24

Prerequisite: A general understanding of AWS services is required. It is also beneficial to have the AWS Solutions Architect Associate Certification.

The exam has the following content domains and weightings:

  Domain 1: Design Solutions for Organizational Complexity (26% of scored content)

  Domain 2: Design for New Solutions (29% of scored content)

  Domain 3: Continuous Improvement for Existing Solutions (25% of scored content)

  Domain 4: Accelerate Workload Migration and Modernization (20% of scored content)

Exam guide - https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Exam-Guide.pdf

Service Understanding -

  1. IAM service

    1. Users - Long-term credentials. If AWS CLI access is needed, create an access key and secret key for the user.

    2. Groups - Collection of users like HR, Development Team, Testing Team, etc.

    3. Roles - Short-term credentials; a role carries a collection of policies. Types:

      1. EC2 Instance Roles - Assigned to an EC2 server and responsible for accessing other services from EC2. One role at a time per instance.

      2. Service Roles - Attached to any service, a way of granting permissions to any service and defining what it can do.

      3. Cross Account Roles - To access any services of other accounts you don't own, instead of sharing user credentials, provide a cross-account role.

    4. Policies - Permissions that define what a role can do, JSON statements, types:

      1. AWS managed policy - Defined and managed by AWS.

      2. Customer managed policy - Created by an individual and modified according to their needs.

      3. Inline policy - Policy assigned to an individual and cannot be shared. For example, a policy created for only User A, so Users B, C, and D cannot use the same.

      4. Resource-based policy - Tied with AWS resources to allow or disallow any access or action. For example, S3 policy, SQS/SNS policy, etc.

        Note - In the exam, you may be given JSON IAM policy statements and asked which actions will be allowed or denied if that policy is applied. For more reference, see:

        https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

      5. Explicit Deny has precedence over Allow

      6. Use least privilege for maximum security

    5. IAM access advisor - To see permissions granted and the last accessed time

    6. IAM access analyzer - To analyze resources shared with external entities. You can define a "zone of trust," after which AWS provides findings for resources shared outside this zone of trust. It also performs policy validation and policy generation based on access activity (taken from CloudTrail logs, up to 90 days of logs).

    7. IAM PowerUserAccess - Provides full access to AWS services and resources but does not allow management of users and groups. The JSON policy is below (the wildcards are essential: NotAction excludes the whole iam, organizations and account namespaces, and the second statement adds back a few read-only and service-linked-role actions):

       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "NotAction": [
               "iam:*",
               "organizations:*",
               "account:*"
             ],
             "Resource": "*"
           },
           {
             "Effect": "Allow",
             "Action": [
               "iam:CreateServiceLinkedRole",
               "iam:DeleteServiceLinkedRole",
               "iam:ListRoles",
               "organizations:DescribeOrganization",
               "account:ListRegions",
               "account:GetAccountInformation"
             ],
             "Resource": "*"
           }
         ]
       }

    8. IAM permission boundaries - Supported for users and roles (not groups); set the maximum permissions an IAM entity can have; can be combined with Organizations SCPs.

    9. 10-Minute Meditation - Isha Kriya by Sadhguru

    10. Hear from Champions - I listened to Kobe Bryant's motivational interview; you can choose based on your preferences

13-Aug-24

  1. STS comes into the picture when you assume a role (User <-> STS <-> Role). The role's trust policy defines which principals can assume it, and the session is valid for 15 minutes to 12 hours. When you assume the role, you give up your original permissions and take on the permissions assigned to the role. You can require MFA for the role, and you must explicitly grant the user permission to assume the role. STS APIs:

    1. AssumeRole - Within the account or cross-account; understand the confused deputy problem and session tags in STS

    2. AssumeRoleWithSAML

    3. AssumeRoleWithWebIdentity - not recommended by AWS; instead, use Amazon Cognito

    4. GetSessionToken

    5. GetFederationToken

  2. Identity Federation - Give access to outside users to AWS resources without managing them in AWS IAM. Flavors:

    1. SAML 2.0

    2. Custom Identity Broker

    3. Web Identity Federation with(out) Amazon Cognito

    4. Single Sign-On

  3. 10-Minute Meditation - Isha Kriya by Sadhguru
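To make the AssumeRole flow from item 1 above concrete, here is an added simulation in Python (not AWS or boto3 code, and it makes no network calls): the caller's explicit sts:AssumeRole grant, the role's trust policy with an ExternalId condition as the confused-deputy guard, the 15-minute to 12-hour session window, and a session that carries only the role's permissions rather than the caller's. All ARNs, the ExternalId value and the permission sets are constructed for the example.

```python
"""Simulated sts:AssumeRole (added example; not AWS code, nothing here talks to STS)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

MIN_DURATION = 15 * 60        # 900 s: the STS minimum DurationSeconds
MAX_DURATION = 12 * 60 * 60   # 43200 s: the STS maximum, if the role's setting permits


@dataclass
class Role:
    arn: str
    trust_policy: dict            # who may assume the role (a resource-based policy)
    permissions: set              # actions a session of this role may call
    max_session_duration: int = 3600


@dataclass
class Caller:
    arn: str
    can_assume: set               # role ARNs listed in the caller's sts:AssumeRole statement
    permissions: set = field(default_factory=set)


@dataclass
class Session:
    role_arn: str
    permissions: set
    expires_at: datetime
    access_key_id: str


class AccessDenied(Exception):
    pass


def trust_allows(trust_policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Minimal trust-policy check: Principal.AWS plus an optional sts:ExternalId condition."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue   # confused-deputy guard: the agreed ExternalId was not presented
        return True
    return False


def assume_role(caller: Caller, role: Role, duration_seconds: int = 3600,
                external_id: Optional[str] = None, now: Optional[datetime] = None) -> Session:
    now = now or datetime.now(timezone.utc)
    # 1. Caller side: the user must be explicitly granted sts:AssumeRole on this role.
    if role.arn not in caller.can_assume:
        raise AccessDenied(f"{caller.arn} has no sts:AssumeRole grant for {role.arn}")
    # 2. Role side: the trust policy must name the caller (and ExternalId must match if required).
    if not trust_allows(role.trust_policy, caller.arn, external_id):
        raise AccessDenied(f"trust policy of {role.arn} does not allow {caller.arn}")
    # 3. Session length: 15 minutes up to the role's maximum, never more than 12 hours.
    limit = min(role.max_session_duration, MAX_DURATION)
    if not MIN_DURATION <= duration_seconds <= limit:
        raise ValueError(f"DurationSeconds must be between {MIN_DURATION} and {limit}")
    # 4. The session carries the role's permissions only; the caller's own are not inherited.
    return Session(role.arn, set(role.permissions),
                   now + timedelta(seconds=duration_seconds),
                   "ASIA" + secrets.token_hex(8).upper())


# Constructed sample: a vendor's user in account 111111111111 assuming a role in 222222222222.
EXTERNAL_ID = "agreed-external-id-42"   # constructed value shared out of band with the vendor
VENDOR_USER = Caller(arn="arn:aws:iam::111111111111:user/vendor-bot",
                     can_assume={"arn:aws:iam::222222222222:role/VendorAuditRole"},
                     permissions={"ec2:*"})
AUDIT_ROLE = Role(arn="arn:aws:iam::222222222222:role/VendorAuditRole",
                  trust_policy={"Version": "2012-10-17", "Statement": [{
                      "Effect": "Allow", "Action": "sts:AssumeRole",
                      "Principal": {"AWS": "arn:aws:iam::111111111111:user/vendor-bot"},
                      "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]},
                  permissions={"s3:GetObject", "s3:ListBucket"},
                  max_session_duration=4 * 3600)


def duration_accepted(seconds: int) -> bool:
    """True if STS would accept this DurationSeconds for AUDIT_ROLE."""
    try:
        assume_role(VENDOR_USER, AUDIT_ROLE, seconds, EXTERNAL_ID)
        return True
    except ValueError:
        return False


def demo():
    """Return (session permissions, lifetime in hours, outcome when ExternalId is omitted)."""
    start = datetime(2024, 8, 13, tzinfo=timezone.utc)
    session = assume_role(VENDOR_USER, AUDIT_ROLE, 3600, EXTERNAL_ID, now=start)
    lifetime_h = (session.expires_at - start).total_seconds() / 3600
    try:
        assume_role(VENDOR_USER, AUDIT_ROLE)      # no ExternalId: the deputy is not trusted
        missing_id = "allowed"
    except AccessDenied:
        missing_id = "denied"
    return sorted(session.permissions), lifetime_h, missing_id


if __name__ == "__main__":
    print(demo())
```

The vendor's own ec2:* permission never appears in the session; only what VendorAuditRole grants does, which is the "give up your original permissions" point from the notes.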

14-Aug-24

  1. SAML understanding

  2. Web Identity Federation with(out) AWS Cognito understanding

  3. AWS Directory Service - Integrates with AWS services and with on-premises AD through a trust relationship (one-way or two-way); a trust is different from synchronization/replication. Types:

    1. AWS managed AD - Standard, Enterprise

    2. AD connector - forwards sign-in requests to your on-premises AD DC for authentication.

    3. Simple AD - supports common features like user accounts, group membership, joining a Linux/Windows EC2 instance, Kerberos-based SSO, and group policies. AWS provides monitoring, daily snapshots, and recovery as part of this service.

  4. AWS Organizations - OrganizationAccountAccessRole: the admin role in member accounts that the management account can assume

    1. Feature modes - Consolidated billing only, or All features (billing + SCP)

      note - you can't switch from all features back to consolidated billing

    2. Reserved instance sharing

    3. Moving an account from one O.U. to another O.U.: first remove it from the existing O.U., then send an invite to the member account, then accept the invite from the member account

    4. S.C.P. - Applied at the O.U. and account level; doesn't apply to the management account; applies to all roles and users in the account, including the root user; doesn't affect service-linked roles; requires an explicit allow at every level from the root down to each O.U. (nothing is allowed by default, even though the root O.U. has full AWS access)

      1. Allow list and Deny list

    5. 10-Minute Meditation - Isha Kriya by Sadhguru

15-Aug-24

  1. Policies - IAM policy, SCP at O.U. or account level, tag policy at O.U. level, AI services opt-out policy at O.U. level, backup policy at O.U. level

  2. AWS IAM Identity Center (previously known as SSO) - Permission sets -> multi-account permissions, Application assignments/integrations, Attribute-based access control (ABAC), AD sync

  3. AWS Control Tower - Automation and best practices to manage/deploy multiple accounts

    1. Account Factory - automates account provisioning on pre-approved baseline, uses AWS Service Catalog service, can integrate with AD

    2. Guardrails - detect and remediate policy violations; 2 types - Preventive (AWS SCP), Detective (AWS Config); levels - Mandatory, Strongly recommended, Elective

  4. AWS Resource Access Manager (RAM) - Share resources across accounts to avoid resource duplication; see the link below for the list of shareable resources:

    https://docs.aws.amazon.com/ram/latest/userguide/shareable.html

  5. 10-Minute Meditation - Isha Kriya by Sadhguru

16-Aug-24

  1. Multi-Account Strategy -

    1. Identity account architecture

    2. Logging account architecture

    3. Publishing account structure

    4. Billing structure

  2. IAM policy evaluation logic -

    1. Every user starts with an implicit deny after creation, which can be overridden by an IAM policy or a resource-based policy.

    2. If a user has both an allow and a deny for a service, the explicit deny is the final decision.

    3. IAM service roles and iam:PassRole

  3. Listened to songs
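The evaluation rules in items 2.1 and 2.2 above, together with the explicit-deny precedence, permission-boundary and PowerUserAccess points from the 12-Aug notes and the SCP points from the 14-Aug notes, can be exercised with the following added Python evaluator. It is not AWS's authorization engine, only a toy that models Effect, Action/NotAction and Resource wildcards (no Conditions, no NotResource, no resource-based policies). The PowerUserAccess policy is the one quoted in the 12-Aug notes; the boundary and SCP policies, and the bucket ARN, are constructed for the demonstration.

```python
"""Toy IAM authorization evaluator (added example, not AWS's implementation).

Decision order: start from implicit deny; an explicit Deny in any applicable
policy wins; otherwise the request needs an Allow from the identity policies
AND, if a permission boundary is set, from the boundary AND, for a member
account, from every SCP on the path from the root down to the account.
"""
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _match(patterns, value):
    # The IAM wildcard '*' spans any characters, including the ':' between service and action.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_matches(stmt, action, resource):
    if "Action" in stmt:
        action_hit = _match(stmt["Action"], action)
    else:                      # NotAction: the statement covers every action NOT listed
        action_hit = not _match(stmt["NotAction"], action)
    return action_hit and _match(stmt.get("Resource", "*"), resource)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow', or None when no statement matches (implicit deny)."""
    decision = None
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny ends evaluation immediately
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, boundary=None,
               scp_chain=(), management_account=False):
    results = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in results:
        return False
    allowed = "Allow" in results           # at least one identity policy must allow
    if boundary is not None:               # the boundary caps what identity policies can grant
        verdict = evaluate_policy(boundary, action, resource)
        if verdict == "Deny":
            return False
        allowed = allowed and verdict == "Allow"
    if not management_account:             # SCPs never restrict the management account
        for scp in scp_chain:              # root -> O.U. -> account: each level must allow
            verdict = evaluate_policy(scp, action, resource)
            if verdict == "Deny":
                return False
            allowed = allowed and verdict == "Allow"
    return allowed


# The PowerUserAccess managed policy as quoted in the 12-Aug notes.
POWER_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                                   "iam:ListRoles", "organizations:DescribeOrganization",
                                   "account:ListRegions", "account:GetAccountInformation"],
     "Resource": "*"}]}
# Constructed policies for the demonstration.
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}          # allow-list style
NO_EC2_OU_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                               {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}  # deny-list style
DENY_BUCKET_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET = "arn:aws:s3:::demo-bucket"   # constructed resource ARN


def demo():
    """Map each scenario from the notes to the evaluator's decision."""
    chain = [ROOT_SCP, NO_EC2_OU_SCP]
    return {
        "poweruser s3:GetObject": is_allowed("s3:GetObject", BUCKET, [POWER_USER]),
        "poweruser iam:CreateUser": is_allowed("iam:CreateUser", "*", [POWER_USER]),   # NotAction carve-out
        "poweruser iam:ListRoles": is_allowed("iam:ListRoles", "*", [POWER_USER]),     # added back by statement 2
        "boundary blocks ec2": is_allowed("ec2:RunInstances", "*", [POWER_USER], boundary=S3_ONLY_BOUNDARY),
        "scp blocks ec2 in member": is_allowed("ec2:RunInstances", "*", [POWER_USER], scp_chain=chain),
        "scp ignored for management": is_allowed("ec2:RunInstances", "*", [POWER_USER],
                                                 scp_chain=chain, management_account=True),
        "explicit deny wins": is_allowed("s3:DeleteBucket", BUCKET, [POWER_USER, DENY_BUCKET_DELETE]),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'ALLOW' if decision else 'DENY'}")
```

Run it and the "poweruser iam:CreateUser" case shows why PowerUserAccess needs the wildcards in NotAction: with "iam:*" the whole IAM namespace falls outside the first statement and only the actions in the second statement are added back.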

17-Aug-24

  1. Federation - SAML: how SSO works, IdP (Identity Provider), SP (Service Provider), SAML assertion

Good to know points:

  1. What is the difference between IAM roles and resource-based policies?

  2. Policy simulator to validate your IAM policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

  3. Policy Generator: https://awspolicygen.s3.amazonaws.com/policygen.html

  4. How do you set up AD replication?