DEV Community: Afshan Naqvi

AWS Solution Architect- Associate: Important Topics

Afshan Naqvi — Sun, 30 Mar 2025 10:57:01 +0000

Hey guys! 🎉

I’m super excited to share that I recently passed the AWS Solution Architect Associate certification! In this document, I’ve put together a list of key AWS topics that you must learn and understand to ace the exam.

This isn’t a full blog post—just a quick and handy reference guide to help you focus on the most important topics. Note: This list highlights essential exam concepts, but I highly recommend using it alongside other study materials for a well-rounded understanding.

I’ve also made a video where I share my exam experience, study tips, and insights to help you prepare better. If you’re interested, check it out here: https://youtu.be/HyYjveYPC3o

1️⃣ EC2 (Elastic Compute Cloud)

EC2 Instance: Virtual servers in AWS for running applications.
Types of EC2 Instances: General Purpose (T, M), Compute Optimized (C), Memory Optimized (R, X), Storage Optimized (I, D, H), GPU-based (P, G, F).
Pricing Options: On-Demand (pay as you go), Reserved (1-3 years), Spot (cheapest, but interruptible), Savings Plans, Dedicated Hosts.
Cost-Effective Solutions: Choose instance types based on workload, use Spot and Reserved instances, enable auto-scaling.
Snapshots (EBS Snapshots): A point-in-time backup of an Amazon EBS volume.
AMI (Amazon Machine Image): A pre-configured template for launching EC2 instances.

2️⃣ S3 Storage

Types of S3 Storage: Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier, Glacier Deep Archive.
S3 Replication: Copies data across buckets for redundancy and availability.
Cross-Region Replication (CRR): Replicates data across different AWS regions.
Same-Region Replication (SRR): Replicates data within the same AWS region.
Object Versioning: Keeps multiple versions of an object to protect against accidental deletion.
S3 Lifecycle: Automatically moves data between storage classes based on age.
Presigned URLs (S3): Provides temporary access to private S3 objects without making them public.
S3 Glacier storage options:
- S3 Glacier Instant Retrieval
- S3 Glacier Flexible Retrieval
- S3 Glacier Deep Archive

3️⃣ AWS Storage Services

EBS (Elastic Block Store): Persistent storage for EC2, used for databases and applications.
Types of EBS Volumes: General Purpose SSD (gp2, gp3), Provisioned IOPS SSD (io1, io2), Throughput Optimized HDD (st1), Cold HDD (sc1).
IOPS and Throughput: IOPS (speed of small transactions), throughput (speed of large data transfers).
Instance Store: Temporary storage directly attached to EC2 instances.
EFS (Elastic File System): Managed file storage for multiple EC2 instances.
FSx: Managed file system for Windows and Lustre workloads.
When to Use Each Storage Service:
- EBS – Persistent storage for EC2.
- EFS – Shared storage for multiple instances.
- FSx – Windows file system and high-performance workloads.
- Instance Store – Temporary storage for fast processing.

4️⃣ Networking & VPC

VPC (Virtual Private Cloud): Isolated network within AWS for launching resources.
Subnets: Divide VPC into public and private sections.
Five Reserved IP Addresses: AWS reserves the first 5 IPs in each subnet for internal purposes.
Security Groups: Firewall for instances (stateful, allows specific traffic).
NACLs (Network ACLs): Firewall for subnets (stateless, controls inbound/outbound rules).
Internet Gateway: Connects VPC to the internet for public-facing instances.
NAT Gateway: Allows private instances to access the internet without being exposed.
Route Table: Defines how network traffic is directed within a VPC.
VPC Flow Logs: Captures network traffic metadata for monitoring and troubleshooting.

5️⃣ IAM & Security

IAM Roles, Groups, and Users: Roles (assigned to AWS services), Groups (user collections), Users (individual accounts).
Identity Policy: Defines permissions for IAM users, roles, and groups.
Resource Policy: Defines permissions at the resource level (e.g., S3 bucket policy).
SCP (Service Control Policies): Controls permissions at the organization level.
AWS Organizations: Manages multiple AWS accounts under a single management account.
KMS (Key Management Service): Encrypts data using AWS-managed or customer-managed keys.
Secrets Manager: Securely stores and manages secrets like passwords and API keys.
Systems Manager & Parameter Store: Stores configuration data securely.
AWS WAF: Protects applications from web attacks.
AWS Shield: DDoS protection for AWS resources.
AWS Inspector: Automated security assessment for vulnerabilities.
Amazon GuardDuty: Threat detection using AI and logs.
Amazon Macie: Uses ML to detect sensitive data exposure.
AWS Certificate Manager(ACM): Manages SSL/TLS certificates for AWS services.
Inline Policy: Directly attached to a user, group, or role.
Policy Restrictions: Least privilege principle to restrict unnecessary access.
Types of Encryption:
- At-rest (EBS, S3, RDS encryption).
- In-transit (SSL/TLS).
- Client-side (before sending data to AWS).

6️⃣ Containers

ECS (Elastic Container Service): Managed container orchestration for Docker containers.
EKS (Elastic Kubernetes Service): Fully managed Kubernetes service for containerized applications.

7️⃣ Monitoring & Logging

CloudWatch: Monitors AWS resources and applications.
CloudTrail: Tracks API activity and user actions.
AWS Config: Tracks AWS resource configurations and compliance.

8️⃣ Global Services

Route 53: AWS-managed DNS service.
CloudFront: Content delivery network (CDN) for fast content distribution.
Global Accelerator: Improves global application availability and performance.

9️⃣ Databases

RDS (Relational Database Service): Managed relational databases (MySQL, PostgreSQL, SQL Server, etc.).
DynamoDB: NoSQL database with key-value and document storage.
Aurora: High-performance relational database compatible with MySQL and PostgreSQL.
Read Replica: Improves read performance by replicating databases.
ElastiCache: In-memory caching for faster database performance.
Redshift: Managed data warehouse for analytics.
DocumentDB: Managed NoSQL database compatible with MongoDB.
Neptune: Managed graph database for relationships and networks.

🔟 Storage Gateway

Tape Gateway: Virtual tape storage for backup solutions.
Amazon S3 File Gateway: Stores files as objects in S3.
Amazon FSx File Gateway: Extends FSx file systems to on-premises environments.
Volume Gateway: Hybrid cloud storage for block-based applications.

1️⃣1️⃣ Load Balancing & Disaster Recovery

ELB (Elastic Load Balancer): Distributes traffic across instances.
Types of ELB:
- Application Load Balancer (ALB) – Layer 7, routes based on URL.
- Network Load Balancer (NLB) – Layer 4, low-latency performance.
- AWS Gateway Load Balancer (GWLB): Distributes traffic across third-party virtual appliances (e.g., firewalls, IDS/IPS).
- Classic Load Balancer (CLB) – Older, Layer 4/7 balancing.
Auto Scaling Group (ASG): Automatically scales EC2 instances based on demand.
ASG Policies: Target tracking, step scaling, scheduled scaling.
Disaster Recovery Strategies:
- Backup & Restore
- Pilot Light
- Warm Standby
- Multi-Site
AWS Backup Service: Centralized backup management for AWS resources.
AWS Snow Family: Physical devices for data transfer (Snowcone, Snowball, Snowmobile).

1️⃣2️⃣ Placement Groups for Amazon EC2

A placement group is a logical grouping of EC2 instances that influence how instances are placed on underlying hardware to optimize performance, fault tolerance, or availability.

Types of Placement Strategies:

Cluster – Low-latency, high-bandwidth networking for HPC workloads.
Partition – Isolates instance groups across partitions for fault tolerance in distributed systems.
Spread – Distributes instances across different hardware to reduce failure impact.

I'm also digitizing my notes since I originally wrote them in a physical notebook. If you're interested in getting a copy, feel free to reach out to me on LinkedIn, and I'll share them with you once I’ve compiled everything! 😊

Happy studying, and best of luck with your AWS journey! 🚀💡

Essential AWS IAM Enumeration Commands

Afshan Naqvi — Tue, 31 Oct 2023 17:02:51 +0000

Hey everyone,

I hope you all are doing well.

Today, I would like to share some AWS CLI commands that I've found incredibly useful in my cloud security projects. As AWS is our primary cloud provider, having a good grasp of AWS CLI is essential. In this post, I'll be focusing on IAM (Identity and Access Management) enumeration through the command line.

Note: I've compiled these commands for my own quick reference. As I discover more valuable commands, I'll keep adding them here in the future.

Let's get started!

To begin, it's crucial to learn how to configure AWS keys via the CLI. This skill is essential because many clients entrust you with programmatic keys to assess potential vulnerabilities.

1. Configure AWS Credentials:
You can configure the AWS keys using the following command:

aws configure

You will be prompted to enter your AWS Access Key ID, AWS Secret Access Key, default region, and default output format.

Example:

2. WhoAmI:
To check the identity associated with your AWS CLI session, you can use the sts get-caller-identity command, commonly referred to as "whoami":

aws sts get-caller-identity

Example:

3. List IAM Users:
IAM users are commonly used for representing individuals, employees, or applications that require access to your AWS environment. Use the following command to list IAM users in your AWS account:

aws iam list-users

Example:

4. List IAM Groups:
IAM Groups are collections of users who share similar access requirements. You can use the following command to list IAM groups in your AWS account:

aws iam list-groups

Example:

5. List IAM Roles:
In short, IAM roles are associated with specific job functions or responsibilities within an organization. Use the following command to list IAM roles in your AWS account:

aws iam list-roles

Example:

6.List Attached Policies for a User/Group/Role:
A policy is a set of rules or guidelines that define what actions are allowed or denied in a specific context. Most policies are stored in AWS as JSON documents.

To list the attached policies for an IAM user, group, or role, please replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:

aws iam list-attached-user-policies --user-name USER_NAME
aws iam list-attached-group-policies --group-name GROUP_NAME
aws iam list-attached-role-policies --role-name ROLE_NAME

List Attached policy for an IAM user:

List Attached policy for an IAM group:

List Attached policy for an IAM role:

7. List Inline Policies for a User/Group/Role:
To list inline policies for an IAM user, group, or role, replace USER_NAME, GROUP_NAME, or ROLE_NAME with the appropriate name:

aws iam list-user-policies --user-name USER_NAME
aws iam list-group-policies --group-name GROUP_NAME
aws iam list-role-policies --role-name ROLE_NAME

8. List Managed Policies:
To list managed policies in your AWS Identity and Access Management (IAM) environment. When you run this command, it retrieves and displays a list of IAM policies that are available in your AWS account.

aws iam list-policies

Example:

9. List Policy Versions:
To list all versions of a managed policy, specify the policy ARN (Amazon Resource Name):

aws iam list-policy-versions --policy-arn POLICY_ARN

Example:

10. Get Policy Document:
To view the policy document for a specific policy version, use the get-policy-version command with the version ID and policy ARN:

aws iam get-policy-version --policy-arn POLICY_ARN --version-id VERSION_ID

Example:

11. Assuming an IAM Role:
Assuming a role in AWS is like temporarily wearing a permission hat to access resources securely. You can assume a role using the following command:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyNewRole --role-session-name MySession

Example:

After assuming a role, you can obtain temporary credentials, and you can export them into your environment variables as follows:

export AWS_ACCESS_KEY_ID=your_access_key_id
export AWS_SECRET_ACCESS_KEY=your_secret_access_key
export AWS_SESSION_TOKEN=your_session_token

Make sure to replace your_access_key_id, your_secret_access_key, and your_session_token with the actual values you received when assuming the role.

12. List Instance Profiles:
IAM instance profile is used to link an IAM role to an EC2 instance, allowing the instance to assume the role and obtain temporary credentials to access AWS services and resources based on the role's permissions. Use the following command to list IAM instance profiles in your AWS account:

aws iam list-instance-profiles

Example:

13. List SSH Public Keys:
To list SSH public keys associated with IAM users:

aws iam list-ssh-public-keys --user-name USER_NAME

Example:

14. List MFA Devices:
MFA in AWS is a security feature that requires users to provide two or more factors of authentication (typically something they know and something they have) to access their AWS account, enhancing security and reducing the risk of unauthorized access.

You can list multi-factor authentication (MFA) devices associated with IAM users by using the following command.

aws iam list-mfa-devices --user-name USER_NAME

Example:

15. List Service-Specific Credentials:
Service-specific credentials in AWS are temporary and limited-scope security credentials designed for use by AWS services and third-party applications. Use the following command to list AWS service-specific credentials for an IAM user.

aws iam list-service-specific-credentials --user-name USER_NAME

Example:

16. Creating an IAM User:
You can create an IAM user using the create-user command:

aws iam create-user --user-name MyNewUser

Example:

17. Creating an IAM Group:
You can create an IAM group using the create-group command:

aws iam create-group --group-name MyNewGroup

Example:

18. Attaching a Policy to a User or Group:
You can attach an existing IAM policy to a user or group using the attach-user-policy or attach-group-policy command:

aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --user-name MyNewUser

aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --group-name MyNewGroup

Example:

19. List Server Certificates:
A server certificate refers to a digital certificate used to secure network communication between clients and your server or service. These certificates are primarily used for enabling secure, encrypted connections using protocols like HTTPS, which is crucial for protecting data in transit.

aws iam list-server-certificates

When you run this command, it will return a list of server certificates associated with your AWS account, including information such as the certificate name, the Amazon Resource Name (ARN), the expiration date, and the path.

Example:

20. Generating AWS Credential Reports
AWS Credential Reports provide valuable insights into the security of your AWS account by detailing IAM user access and activity. To generate a credential report using the AWS Command Line Interface (CLI), follow these steps:

1. Generate the Report: Use the generate-credential-report command to initiate the report generation process. This command doesn't provide immediate access to the report but triggers its creation.

aws iam generate-credential-report

2. Wait for Completion: Credential reports typically take a few hours to generate. Check the status using the get-credential-report command. Repeat this step until the report is marked as "Ready."

aws iam get-credential-report

3. Retrieve the Report: Once the report is ready, use the get-credential-report command to retrieve and save the report in a CSV file for analysis.

aws iam get-credential-report --query 'Content' --output text | base64 -d > credential-report.csv

Well, folks, that's a wrap for this post.If you're into cloud penetration testing, feel free to dive into my Pwned Labs lab-solving playlist.

Cloud Pentesting Playlist

Thanks for stopping by, and take care!

AI Hackathon: Sentiment Analysis with Python Flask and Transformer

Afshan Naqvi — Fri, 30 Jun 2023 16:59:07 +0000

Hey there, fellow AI/ML enthusiasts!

I hope you're having a blast out there in the world of tech!

In case you don't know me, I'm Afshan, your programming buddy.I recently became a part of the AWS Community Builder program, and we just had our first AI hackathon. This blog is all about that hackathon.

Getting Started in AI:

To be honest, AI is quite new to me,so participating in this hackathon was a great starting point for me to learn through hands-on practice.

Hackathon Overview:

The AI hackathon welcomed individuals of all skill levels, from beginners to experts. It was a diverse and inclusive event that fostered collaboration and learning. I thoroughly enjoyed being part of this inclusive environment where knowledge-sharing and growth were encouraged.

Project Focus: Sentiment Analysis with Transformer Framework

For the hackathon, my project focused on sentiment analysis, and it was a requirement to use the transformer framework. Leveraging this powerful framework, I built a sentiment analysis program that can analyze text and determine the sentiment conveyed—whether it's positive, negative, or neutral.

Motivation: AWS Comprehend Service:

One of the significant motivations behind my project was the AWS Comprehend service. With AWS Comprehend, you can gain valuable insights by understanding customer sentiment, extracting key information, and analyzing documents on a large scale. It empowers you to decode the true meaning behind vast amounts of text, helping you uncover hidden patterns, trends, and actionable intelligence.

Challenges Faced: UI Designing:

While working on the project, I encountered several challenges in UI designing, as it's not my field of expertise. However, I gave it my best shot to ensure proper margin and padding.

Implications: Sharing the Tool with College Students:

This project is open to college students, who can make use of it in their graduation presentations. It provides an excellent opportunity for college students to incorporate this project into their academic work and showcase its functionality. Additionally, students have the freedom to enhance and customize the program according to their specific needs and requirements.

Key Learning:

I have learnt a lot about Generative AI and the transformer framework. Additionally, I had the opportunity to connect with brilliant minds in our industry during the hackathon. Interestingly, this event also made me realize the significance of improving my front-end skills... but let's just say I was only joking!😄

Github Project link: https://github.com/Afs514/AI_hackathon/