<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: LionelPJ</title>
    <description>The latest articles on DEV Community by LionelPJ (@lionelpj).</description>
    <link>https://dev.to/lionelpj</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F634990%2Fa8b858ca-b402-431f-97d7-a467b264f8ad.png</url>
      <title>DEV Community: LionelPJ</title>
      <link>https://dev.to/lionelpj</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/lionelpj"/>
    <language>en</language>
    <item>
      <title>A list of FAQs curated for the AWS Certified Data Analytics Specialty Exam</title>
      <dc:creator>LionelPJ</dc:creator>
      <pubDate>Tue, 14 Mar 2023 21:42:39 +0000</pubDate>
      <link>https://dev.to/aws-builders/a-list-of-faqs-curated-for-the-aws-certified-data-specialty-exam-2fn5</link>
      <guid>https://dev.to/aws-builders/a-list-of-faqs-curated-for-the-aws-certified-data-specialty-exam-2fn5</guid>
      <description>&lt;p&gt;For those who are preparing for the data analytics specialty exam - did you know that some of the exam questions may be from FAQs?&lt;/p&gt;

&lt;p&gt;This is a curated list of FAQs based on the latest &lt;a href="https://d1.awsstatic.com/training-and-certification/docs-data-analytics-specialty/AWS-Certified-Data-Analytics-Specialty_Exam-Guide.pdf"&gt;exam guide&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So here it goes:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Analytics:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/athena/faqs/"&gt;Amazon Athena&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cloudsearch/faqs/"&gt;Amazon CloudSearch&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/opensearch-service/faqs/"&gt;Amazon Elasticsearch Service (Amazon ES)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/emr/faqs/"&gt;Amazon EMR&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/glue/faqs/"&gt;AWS Glue&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/kinesis/data-streams/faqs/"&gt;Amazon Kinesis (excluding Kinesis Video Streams)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/lake-formation/faqs/"&gt;AWS Lake Formation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/msk/faqs/"&gt;Amazon Managed Streaming for Apache Kafka&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/quicksight/resources/faqs/"&gt;Amazon QuickSight&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/redshift/faqs/"&gt;Amazon Redshift&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Application Integration:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/amazon-mq/faqs/"&gt;Amazon MQ&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/sns/faqs/"&gt;Amazon Simple Notification Service (Amazon SNS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/sqs/faqs/"&gt;Amazon Simple Queue Service (Amazon SQS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/step-functions/faqs/"&gt;AWS Step Functions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Compute:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/ec2/faqs/"&gt;Amazon EC2&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/elasticloadbalancing/faqs/"&gt;Elastic Load Balancing&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/lambda/faqs/"&gt;AWS Lambda&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Customer Engagement:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/ses/faqs/"&gt;Amazon Simple Email Service (Amazon SES)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Database:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/documentdb/faqs/"&gt;Amazon DocumentDB (with MongoDB compatibility)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/dynamodb/faqs/"&gt;Amazon DynamoDB&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/elasticache/faqs/"&gt;Amazon ElastiCache&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/neptune/faqs/"&gt;Amazon Neptune&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/rds/faqs/"&gt;Amazon RDS&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/redshift/faqs/"&gt;Amazon Redshift&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/timestream/faq/"&gt;Amazon Timestream&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Management and Governance:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/autoscaling/faqs/"&gt;AWS Auto Scaling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cloudformation/faqs/"&gt;AWS CloudFormation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cloudtrail/faqs/"&gt;AWS CloudTrail&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cloudwatch/faqs/"&gt;Amazon CloudWatch&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/premiumsupport/faqs/#AWS_Trusted_Advisor"&gt;AWS Trusted Advisor&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Machine Learning:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/sagemaker/faqs/"&gt;Amazon SageMaker&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Migration and Transfer:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/dms/faqs/"&gt;AWS Database Migration Service (AWS DMS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/datasync/faqs/"&gt;AWS DataSync&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/snowball/faqs/"&gt;AWS Snowball&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/aws-transfer-family/faqs/"&gt;AWS Transfer for SFTP&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Networking and Content Delivery:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/api-gateway/faqs/"&gt;Amazon API Gateway&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/directconnect/faqs/"&gt;AWS Direct Connect&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/vpc/faqs/"&gt;Amazon VPC (and associated features)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Security, Identity, and Compliance:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/appsync/faqs/"&gt;AWS AppSync&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/artifact/faq/"&gt;AWS Artifact&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/certificate-manager/faqs/"&gt;AWS Certificate Manager (ACM)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cloudhsm/faqs/"&gt;AWS CloudHSM&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/cognito/faqs/"&gt;Amazon Cognito&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/iam/faqs/"&gt;AWS Identity and Access Management (IAM)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/kms/faqs/"&gt;AWS Key Management Service (AWS KMS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/macie/faq/"&gt;Amazon Macie&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/secrets-manager/faqs/"&gt;AWS Secrets Manager&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/iam/identity-center/faqs/"&gt;AWS Single Sign-On&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Storage:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/ebs/faqs/"&gt;Amazon Elastic Block Store (Amazon EBS)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/s3/faqs/"&gt;Amazon S3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/s3/faqs/"&gt;Amazon S3 Glacier&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Happy Learning!&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Managing on-prem systems with AWS Systems Manager : a Hands-On Guide</title>
      <dc:creator>LionelPJ</dc:creator>
      <pubDate>Thu, 20 Oct 2022 22:38:42 +0000</pubDate>
      <link>https://dev.to/aws-builders/managing-on-prem-systems-with-systems-manager-a-hands-on-guide-4c6g</link>
      <guid>https://dev.to/aws-builders/managing-on-prem-systems-with-systems-manager-a-hands-on-guide-4c6g</guid>
      <description>&lt;p&gt;Photo by &lt;a href="https://unsplash.com/@florian_gagnepain?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText" rel="noopener noreferrer"&gt;Florian Gagnepain&lt;/a&gt; on &lt;a href="https://unsplash.com/s/photos/control?utm_source=unsplash&amp;amp;utm_medium=referral&amp;amp;utm_content=creditCopyText" rel="noopener noreferrer"&gt;Unsplash&lt;/a&gt;&lt;/p&gt;




&lt;p&gt;In my last article I shared with you how to enable &lt;a href="https://dev.to/aws-builders/connecting-to-private-ec2-instances-using-systems-manager-a-hands-on-guide-33m"&gt;ssm&lt;/a&gt; on your account. Today, we are going to see how to manage on-prem systems using SSM.&lt;/p&gt;

&lt;h4&gt;
  
  
  My setup:
&lt;/h4&gt;

&lt;p&gt;If you don't have an on-prem box, you may simulate the environment. Otherwise, please skip this section.&lt;/p&gt;

&lt;p&gt;To simulate an on-prem system, I downloaded VMware Fusion (personal use &lt;a href="https://customerconnect.vmware.com/downloads/get-download?downloadGroup=FUS-PUBTP-22H2" rel="noopener noreferrer"&gt;image&lt;/a&gt;) for my MacBook Pro (Apple M1 chipset). I also downloaded Debian (ARM-based &lt;a href="https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/" rel="noopener noreferrer"&gt;image&lt;/a&gt;) as the Linux OS that I plan to install within VMware. These selections are very specific to my system. Feel free to make relevant choices based on your OS.&lt;/p&gt;

&lt;p&gt;In essence, you will need a virtual machine (for which you can download either Oracle VirtualBox or VMware) and any Linux or Windows image that you are comfortable with. &lt;br&gt;
To reduce redundancy, in this guide I will share the steps based on my system. I hope that you figure out the right options that work for you!&lt;/p&gt;

&lt;h4&gt;
  
  
  Step 1: Create an IAM Role For Hybrid Activation
&lt;/h4&gt;

&lt;p&gt;Let's create an IAM role for EC2 with the following attributes&lt;br&gt;
&lt;em&gt;Name : HybridActivation&lt;br&gt;
Permissions: AmazonEC2RoleForSSM&lt;br&gt;
Trust Relationship: change ec2 to ssm instead&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Your trust policy should now look similar to the one given below - &lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ssm.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h4&gt;
  
  
  Step 2: Create a Hybrid Activation
&lt;/h4&gt;

&lt;p&gt;Visit the Systems Manager page and click Hybrid Activations from the menu on the left side (seen under Node Management).&lt;/p&gt;

&lt;p&gt;Provide the following details in the screen:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Description: ForLocalVm1&lt;br&gt;
Instance Limit: leave at 1&lt;br&gt;
IAM Role: select HybridActivation from existing roles&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Now click the Create activation button and copy the activation code and ID into a scratch pad. You will need them in the next step to register the VM.&lt;/p&gt;
&lt;h4&gt;
  
  
  Step 3: Registering the on-prem system
&lt;/h4&gt;

&lt;p&gt;I assume that by this time you have installed your on-prem box and have it ready. Log in to the system with superuser privileges. Visit the page &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html&lt;/a&gt;, click on the link specific to your underlying OS, and follow the instructions to install the SSM agent. In my case it's Debian, with the install page seen here - &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-deb.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-deb.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After the installation steps, I suggest stopping the agent with the command&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

systemctl stop amazon-ssm-agent


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Next, issue the registration command with the template&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

amazon-ssm-agent -register -code "pasteCodeHere" -id "pasteIdHere" -region us-east-1


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;So if my Activation Code is apBIZ1Mz+RKDh+wgViz39d and Activation ID is 2a70c0a0-c2de-4f39-84ea-7cc17377e3a3 then the command would be &lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

amazon-ssm-agent -register -code "apBIZ1Mz+RKDh+wgViz39d" -id "2a70c0a0-c2de-4f39-84ea-7cc17377e3a3" -region us-east-1


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Now, start your agent again using the command&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

systemctl start amazon-ssm-agent


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h4&gt;
  
  
  Step 4: Verify using Systems Manager
&lt;/h4&gt;

&lt;p&gt;Visit Hybrid Activations inside Systems Manager. You should see your new instance listed there.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi34uviqgkicmcuuj3tob.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi34uviqgkicmcuuj3tob.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now you can use Session Manager to log in to the machine successfully!&lt;/p&gt;

&lt;p&gt;To verify that this is the same machine, you could run any of the following commands in your SSM session and on your virtual machine for comparison. The output should be the same.&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;

cat /etc/os-release
hostname
hostname -I


&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Any command within the session can be used to add in preventive measures or control, based on your needs!&lt;/p&gt;

&lt;h4&gt;
  
  
  Next Steps
&lt;/h4&gt;

&lt;p&gt;Think about your on-prem environment and how you can use Systems Manager to roll out changes across it, or come up with your own innovative solutions.&lt;/p&gt;

&lt;p&gt;If you are here - &lt;strong&gt;&lt;em&gt;Congratulations&lt;/em&gt;&lt;/strong&gt;! &lt;br&gt;
You just learned how to manage a virtual machine using Systems Manager!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;[about Lionel Pulickal]&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Lionel is a Solutions Architect who has worked in the IT industry since 1997. He has all the three AWS associate level exams, the Solution Architect Professional and Networking Specialty exams under his belt. He loves hands-on and is always willing to share the knowledge he has gained over the years.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>handson</category>
    </item>
    <item>
      <title>Connecting to private Ec2 Instances using Systems Manager - A Hands-On Guide</title>
      <dc:creator>LionelPJ</dc:creator>
      <pubDate>Thu, 10 Mar 2022 00:52:59 +0000</pubDate>
      <link>https://dev.to/aws-builders/connecting-to-private-ec2-instances-using-systems-manager-a-hands-on-guide-33m</link>
      <guid>https://dev.to/aws-builders/connecting-to-private-ec2-instances-using-systems-manager-a-hands-on-guide-33m</guid>
      <description>&lt;p&gt;Systems Manager is a wonderful service and has many untapped features! One feature that has become popular in the recent past is connecting to EC2 instances using Session Manager (a feature of Systems Manager) instead of using SSH. To use Session Manager you must enable Systems Manager in your account. The &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html" rel="noopener noreferrer"&gt;setup guide&lt;/a&gt; for Systems Manager is very exhaustive, and it is not very clear what the minimum is that you need to enable it in your account. This article focuses on the minimal steps involved to do just that. We will go through the resources we plan to use to build it. Instead of using the console, we will use CloudFormation. I will assume that you have an existing network, so my scripts work with it. If this is a new account, feel free to use my utility script to build a 3 tier network from scratch and then apply the script I provide within the resources. So, if you see me mention &lt;code&gt;first script&lt;/code&gt; in this article, I am referring to this 3 tier network script, which you are free to reuse.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;My focus on CloudFormation is to automate the process and also to help those who are learning for the AWS exams to refer to a working sample. I could have done it in Terraform but I wanted to stick to AWS products and features instead.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;For those of you who are not familiar with the resources we are building using CloudFormation and its properties, I have added references in the resources section down below.&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Prerequisites:
&lt;/h4&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Log in as an IAM admin user or a role that has the permissions to run CloudFormation. [This article is not heavily focused on the privilege of this logon identity. Feel free to make it least privileged if you need to. Our focus will be on enabling Systems Manager, which is the main theme of the article.]&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;You need a VPC for this exercise. You can use an existing VPC with a minimum of 2 subnets. The default VPC also works but I would strongly advise against it for production systems. If you don’t have a VPC or want to create a new custom one for this exercise, check the resources section to build one before you enable systems manager.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h4&gt;
  
  
  Resources to Build
&lt;/h4&gt;

&lt;h5&gt;
  
  
  1. A new mySsmRole that does the following -
&lt;/h5&gt;

&lt;ul&gt;
&lt;li&gt;Has a trust policy for ec2 &lt;/li&gt;
&lt;li&gt;Has 2 main managed policies attached namely -&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;u&gt;&lt;code&gt;AmazonSSMManagedInstanceCore&lt;/code&gt;&lt;/u&gt;&lt;br&gt;
This required managed policy enables an instance to use Systems Manager core service functionality. It provides the minimum permissions that allow the instance to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;* Register as a managed instance
* Send heartbeat information
* Send and receive messages for Run Command and Session Manager
* Retrieve State Manager association details
* Read parameters in Parameter Store
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This policy replaces the old &lt;em&gt;&lt;code&gt;AmazonEC2RoleforSSM&lt;/code&gt;&lt;/em&gt; policy and is &lt;strong&gt;&lt;em&gt;mandatory&lt;/em&gt;&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;u&gt;&lt;code&gt;CloudWatchAgentServerPolicy&lt;/code&gt;&lt;/u&gt;&lt;br&gt;
This policy &lt;em&gt;enables&lt;/em&gt; the Amazon CloudWatch agent, by allowing access to &lt;em&gt;read&lt;/em&gt; instance information and &lt;em&gt;write&lt;/em&gt; it to CloudWatch Logs, Metrics and EventBridge. Permissions also grant access to &lt;em&gt;read Amazon EC2 tags, volumes, and CloudWatch configuration parameters in Parameter Store&lt;/em&gt;. You can also create a more restrictive policy that, for example, limits writing access to a specific CloudWatch Logs log stream. For more details, refer to the &lt;a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html#create-iam-roles-for-cloudwatch-agent-roles" rel="noopener noreferrer"&gt;CloudWatch user guide&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;u&gt;&lt;code&gt;AmazonSSMDirectoryServiceAccess&lt;/code&gt;&lt;/u&gt; [Only applicable for Windows users joining a Domain server]&lt;br&gt;
This managed policy enables a managed instance to seamlessly join a domain by providing access to the required AWS Directory Service API actions. This is optional. In my article, I am not going to add it.&lt;/p&gt;

&lt;p&gt;Now that you have some background information, let's build our script, starting with the role.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Resources:
  MySsmRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Role that allows SSM capability
      ManagedPolicyArns:
        - !Ref CWAgentServerPolicyArn
        - !Ref SSMManagedInstanceCoreArn
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Tags:
        - Key: Name
          Value: mySsmRole
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;notice the 2 managed policies that are attached and the trust policy for ec2&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Parameters:
  CWAgentServerPolicyArn:
    Type: String
    Default: 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy'
  SSMManagedInstanceCoreArn:
    Type: String
    Default: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;these default values were fetched by visiting the IAM page and manually copying the ARNs&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Note: Remember that CloudFormation adds prefixes and suffixes to &lt;code&gt;mySsmRole&lt;/code&gt; to make them unique during a deployment.&lt;/p&gt;

&lt;h5&gt;
  
  
  2. Create an instance profile
&lt;/h5&gt;

&lt;p&gt;When you attach a role to an EC2 instance from the console, an instance profile is automatically created. When you automate this using CloudFormation or Terraform instead, it's your responsibility to create it. The instance profile is just a container that is created within EC2 to pass the IAM role and the permissions attached to it.&lt;/p&gt;

&lt;p&gt;So our script would now look like -&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;  MyEc2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - !Ref MySsmRole
      InstanceProfileName: MySsmRoleInstanceProfile
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;remember MySsmRole was just created in step 1&lt;/em&gt;&lt;/p&gt;

&lt;h5&gt;
  
  
  A note on CloudFormation conditional statements
&lt;/h5&gt;

&lt;p&gt;Before we continue to the next section, I would like to explain how to add conditions to our script. We will use them so that our script works both with an existing VPC, subnets or route tables and with values that you provide.&lt;/p&gt;

&lt;p&gt;My idea is that if you have used my basic 3 tier network script from the resources section, those values will be automatically imported cross stack. If you instead want to provide your own values you are free to do so.&lt;/p&gt;

&lt;p&gt;Here is how I am doing it. For example - for a VPC id, by default I set the value to an empty string.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;clientVpc:
    Type: String 
    Default: ''
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you override it with a value, then this snippet will return a &lt;code&gt;true&lt;/code&gt; value&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;clientVpcExists: !Not [ !Equals [!Ref clientVpc, '']]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now, in the place where I have to use a VPC id, I place an if condition around it to use client VPC if it exists, otherwise to import the value from my previous stack&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;VpcId: !If [clientVpcExists, !Ref clientVpc, !ImportValue MyVpc]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;With this understanding let's continue with the next section.&lt;/p&gt;

&lt;h5&gt;
  
  
  3. Create Interface and Gateway Endpoints
&lt;/h5&gt;

&lt;p&gt;Our EC2 instances are private. There is no internet connectivity. To allow connecting with Systems Manager, we are going to add the 4 mandatory endpoints seen in the table below. Optional ones, though mentioned here, will not be added unless you have a need for them. In that case, please modify my script as you need.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Endpoint&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;th&gt;Is Mandatory&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;com.amazonaws.region.ssm&lt;/td&gt;
&lt;td&gt;For the Systems Manager service&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;com.amazonaws.region.ssmmessages&lt;/td&gt;
&lt;td&gt;To connect to our instances through a secure data channel using Session Manager&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;com.amazonaws.region.ec2&lt;/td&gt;
&lt;td&gt;To create snapshots or call EBS&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;com.amazonaws.region.ec2messages&lt;/td&gt;
&lt;td&gt;Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;com.amazonaws.region.s3&lt;/td&gt;
&lt;td&gt;Systems Manager uses this endpoint to update SSM Agent, perform patching operations, and for tasks like uploading output logs you choose to store in S3 buckets, retrieving scripts or other files you store in buckets, and so on. If the security group associated with your instances restricts outbound traffic, you must add a rule to allow traffic to the prefix list for Amazon S3.&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Sample snippets of our endpoints would look like -&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ec2InterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ec2'
      VpcId: !If [clientVpcExists, !Ref clientVpc, !ImportValue MyVpc]
      SubnetIds: 
        - !If [clientSubnetAExists, !Ref clientSubnetA, !ImportValue AppSubnetA]
        - !If [clientSubnetBExists, !Ref clientSubnetB, !ImportValue AppSubnetB]
      SecurityGroupIds:
        - !Ref myDefaultSecurityGroup
      PrivateDnsEnabled: true
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;everything looks similar for ec2MessagesInterfaceEndpoint, and ssmInterfaceEndpoint except for the ServiceName that has the service specific endpoint as seen in the table above&lt;/em&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      VpcId: !If [clientVpcExists, !Ref clientVpc, !ImportValue MyVpc]
      RouteTableIds:
        - !If [clientRouteTableAExists, !Ref clientRouteTableA, !ImportValue PrivateARouteTable]
        - !If [clientRouteTableBExists, !Ref clientRouteTableB, !ImportValue PrivateBRouteTable]
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: '*'
            Resource: '*'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;notice the gateway endpoint here adds route table entries instead&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;My parameters and conditions to make these work are as follows&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;  clientVpc:
    Type: String 
    Default: ''
  clientSubnetA:
    Type: String
    Default: ''
  clientSubnetB:
    Type: String
    Default: ''
  clientRouteTableA:
    Type: String
    Default: ''
  clientRouteTableB:
    Type: String
    Default: ''
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Conditions:
  clientVpcExists: !Not [ !Equals [!Ref clientVpc, '']]
  clientSubnetAExists: !Not [ !Equals [!Ref clientSubnetA, '']]
  clientSubnetBExists: !Not [ !Equals [!Ref clientSubnetB, '']]
  clientRouteTableAExists: !Not [ !Equals [!Ref clientRouteTableA, '']]
  clientRouteTableBExists: !Not [ !Equals [!Ref clientRouteTableB, '']]
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For reference - the complete script is available in the resources section.&lt;/p&gt;

&lt;h5&gt;
  
  
  Notes for success:
&lt;/h5&gt;

&lt;ul&gt;
&lt;li&gt;The default security group ID that you provide to this script must allow for all access. This will be used by SSM and allows your private instance to receive updates from the internet using the endpoints.&lt;/li&gt;
&lt;li&gt;The default security group should be part of the VPC that you chose to build your resources with.&lt;/li&gt;
&lt;li&gt;The subnets must be part of the VPC and in the same region.&lt;/li&gt;
&lt;li&gt;The private route table must be associated to the private subnets within the VPC.&lt;/li&gt;
&lt;li&gt;When a new instance is ready and running, the Systems Manager connect button must be enabled if everything was done right. Otherwise you will have to backtrack and identify which step you missed.&lt;/li&gt;
&lt;li&gt;Most modern Linux versions have the Systems Manager agent installed on them. This is &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html" rel="noopener noreferrer"&gt;documented here&lt;/a&gt;. If your OS is not supported, check the guide on how to install the SSM agent.&lt;/li&gt;
&lt;li&gt;The first time the instance tries to connect, the SSM agent is enabled and ready to use.&lt;/li&gt;
&lt;li&gt;If enabling Systems Manager fails, the reason for the failure is not provided as feedback. Instead, you are provided with an 8 step guide on &lt;a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-ec2.html" rel="noopener noreferrer"&gt;enabling systems manager&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Testing Our Script
&lt;/h4&gt;

&lt;h5&gt;
  
  
  1. Testing script with a custom VPC using CloudFormation Console
&lt;/h5&gt;

&lt;p&gt;For ease, I will use the script within this article for the custom VPC values. Feel free to use your own values instead.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7c9lbz9jw72976ik8dhu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7c9lbz9jw72976ik8dhu.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;here I will not set any client variables as I am going to use the imported values that were exported cross stack from my first script&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgjxa5nlw9bnick0slnt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgjxa5nlw9bnick0slnt.png" alt="default values"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqik16lxkfn8rwyy19cj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqik16lxkfn8rwyy19cj.png" alt="default values"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;click next&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8rqq93p1e38q3vdt66ie.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8rqq93p1e38q3vdt66ie.png" alt="review"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;acknowledge and create stack&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zlt1ogkqty3cacssogf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zlt1ogkqty3cacssogf.png" alt="script complete"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h5&gt;
  
  
  Verifying ssm access using a new ec2 instance
&lt;/h5&gt;

&lt;p&gt;Let's launch a new instance using the free tier AMIs. The only differences from your regular choices are the ones captured below. Please make sure that these are set right.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpf81v6vtzbm92gyvd4h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpf81v6vtzbm92gyvd4h.png" alt="vpc settings and role"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;here choose myVpc, the appA subnet and the new instance profile that was created&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fou2noraloue05lfxibvz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fou2noraloue05lfxibvz.png" alt="tag"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;give the instance a meaningful name&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj307bfll5pst0jfieww.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhj307bfll5pst0jfieww.png" alt="defaultSg"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;choose the default security group&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;and finally launch the instance. Wait for it to go into a running state then connect to the ec2 instance.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz83cq8puuz6nfdxydn4c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz83cq8puuz6nfdxydn4c.png" alt="connect"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;click connect&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fct5utazcehj51lg8jddh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fct5utazcehj51lg8jddh.png" alt="session manager enabled"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;when session manager is enabled, the connect button is available to click&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frapuhluw7cbajlcfn6ce.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frapuhluw7cbajlcfn6ce.png" alt="ssm"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;a successful yum update on the new private instance connected privately&lt;/em&gt;&lt;/p&gt;
&lt;h5&gt;
  
  
  Cleanup
&lt;/h5&gt;

&lt;p&gt;If you have not done it already, terminate your private instance and delete the ssm stack so you don't end up paying for the endpoints while they are not in use.&lt;/p&gt;
&lt;h5&gt;
  
  
  2. Testing script with a default VPC using CloudFormation Console
&lt;/h5&gt;

&lt;p&gt;Now, to make it easy to test with a different VPC, I am going to use the default VPC. You may ask, are VPC endpoints needed because they are by default public? So I tested and found that a new instance that is created with just the role doesn't enable the systems manager.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa8kwaa0b4y0x61xyju2c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa8kwaa0b4y0x61xyju2c.png" alt="unable to connect"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;a typical error message when it can't connect&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;So, in order to test my script and adapt it to the default VPC, I had to modify it slightly and comment out a line of code within the s3 gateway endpoint because default VPCs only have 1 route entry.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      VpcId: !If [clientVpcExists, !Ref clientVpc, !ImportValue MyVpc]
      RouteTableIds:
        - !If [clientRouteTableAExists, !Ref clientRouteTableA, !ImportValue PrivateARouteTable]
        # - !If [clientRouteTableBExists, !Ref clientRouteTableB, !ImportValue PrivateBRouteTable]
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: '*'
            Resource: '*'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;notice the second line is commented out&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Now, if you launch the script and provide the client VPC id, 2 subnet ids, and the private route table id for the clientRouteTableA parameter, the script will successfully deploy.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fottz7u4wgezp875877bo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fottz7u4wgezp875877bo.png" alt="overrides"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;notice all values are overridden with default VPC values. all other options are the same as in the previous scenario to create the stack&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu2bbpmexpuf5kv6e6m9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuu2bbpmexpuf5kv6e6m9.png" alt="tag"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxd3k2blqexpede8kft6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkxd3k2blqexpede8kft6.png" alt="default sg"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once the instances are running you now see that you can connect to this public instance.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzn0us2m4ksqf3qhp746m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzn0us2m4ksqf3qhp746m.png" alt="ssm connect"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Congratulations!&lt;/strong&gt; You just got Systems Manager enabled in your accounts.&lt;/p&gt;

&lt;h5&gt;
  
  
  Cleanup
&lt;/h5&gt;

&lt;p&gt;Just like the last time, clean up after yourself by terminating your public instance and deleting the ssm stack so you don't end up paying for the endpoints while they are not in use.&lt;/p&gt;

&lt;h4&gt;
  
  
  Resources
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;3 tier VPC network &lt;a href="https://github.com/LionelPJ/MyAwsToolBox/blob/main/networking/3tierVpc.yml" rel="noopener noreferrer"&gt;cloud formation script&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/LionelPJ/MyAwsToolBox/blob/main/networking/enablingSsm.yml" rel="noopener noreferrer"&gt;enabling ssm script&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;CloudFormation resource type references

&lt;ul&gt;
&lt;li&gt;VPC Endpoint - &lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;IAM Role - &lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;IAM Instance Profile - &lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html" rel="noopener noreferrer"&gt;https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;[about Lionel Pulickal]&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Lionel is a Cloud Engineer who has worked in the IT industry since 1997. He has all the three AWS associate level exams, the solution architect professional and networking specialty exams under his belt. He loves hands-on and always loves to share the knowledge he has gained over the years.&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Deployments using a CloudFormation StackSet in an Organization</title>
      <dc:creator>LionelPJ</dc:creator>
      <pubDate>Tue, 08 Mar 2022 09:36:00 +0000</pubDate>
      <link>https://dev.to/aws-builders/deployments-using-a-cloudformation-stackset-in-an-organization-287a</link>
      <guid>https://dev.to/aws-builders/deployments-using-a-cloudformation-stackset-in-an-organization-287a</guid>
      <description>&lt;p&gt;This is a short article to share my experience with CloudFormation StackSets across the Organization. This is not a duplication of any documentation. Instead it shares my notes on ease of use, intuitiveness, gotchas and any other benefit that I perceive. These are just my opinions and have no bearing on the underlying product or AWS in general.&lt;/p&gt;

&lt;h3&gt;
  
  
  The StackSet Journey
&lt;/h3&gt;

&lt;h4&gt;
  
  
  1. The Setup:
&lt;/h4&gt;

&lt;p&gt;I am going to use a CloudFormation script that creates a 3 tier network from scratch. Feel free to reuse my script (that can be found in the resources section below) or use anything that works for you. My sample is not very complicated but takes a few minutes to deploy when it’s directly applied in an account using a stack.&lt;/p&gt;

&lt;h4&gt;
  
  
  2. Enable trusted access
&lt;/h4&gt;

&lt;p&gt;Only administrators can enable this setting. With this setting you can deploy across the organization. There’s a concept of delegated administrator accounts but I didn’t try that out. Instead I logged into the management account (the first account that enabled aws organizations) with a user having admin access.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzi6ofgf8lmv6062ss60o.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzi6ofgf8lmv6062ss60o.jpeg" alt="Enable Trusted Access"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you want to try out registering delegated admin accounts try the &lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html" rel="noopener noreferrer"&gt;guide here&lt;/a&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  3. Creating the StackSet
&lt;/h4&gt;

&lt;p&gt;Here, I plan to cover just the salient points of creating the stackset. I did the minimal to move forward. So this article doesn’t go through explanations of each field and what it accepts. Feel free to check the &lt;a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html" rel="noopener noreferrer"&gt;guide&lt;/a&gt; for more details if that interests you.&lt;/p&gt;

&lt;p&gt;The create stackset screens start similar to creating a stack where you say the template is ready and you can provide a template from an s3 bucket or from your computer. I chose to upload my own file. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswh1uqj9ni1og45r1ilo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswh1uqj9ni1og45r1ilo.png" alt="Step 1: Choosing a template"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6bw4cn7opddrcq87ypo2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6bw4cn7opddrcq87ypo2.png" alt="Step2: Specify StackSet details"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I left all options as default except that I set the Execution configuration to &lt;strong&gt;active&lt;/strong&gt;, chose all accounts in the organization under deployment options, and finally scoped the region to us-east-1. I left the concurrency options as is and let the stackset rip.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fad7ilpg7x8wp78y3t9ye.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fad7ilpg7x8wp78y3t9ye.png" alt="Step 3: Configure StackSet details"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqga374s8wwi9r6uiiwx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqga374s8wwi9r6uiiwx.png" alt="Step 4 : Set Deployment Options"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvvja9ln2paiuep3dsze.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnvvja9ln2paiuep3dsze.png" alt="Step 4: Concurrency Details"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h5&gt;
  
  
  Observations:
&lt;/h5&gt;

&lt;ul&gt;
&lt;li&gt;Under the operations tab it said running against the stackset.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6iq4cdfly20cp6wyovh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft6iq4cdfly20cp6wyovh.png" alt="running"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Under stack instances tab, each account that executed got a stack id assigned to it.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;All accounts started with an OUTDATED status&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqejxgbzmf86gpris377.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsqejxgbzmf86gpris377.png" alt="All Outdated"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;here you see all accounts are outdated&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyxwx619ly7jvmyg6w1a1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyxwx619ly7jvmyg6w1a1.png" alt="1st account processing"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;first account initiated and got an id&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow2us1cg1zjtxjv3vsa0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fow2us1cg1zjtxjv3vsa0.png" alt="2nd account processing"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;first account completed and changed status to CURRENT and second account started processing&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglmiwi6rl80zkbyk15ce.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglmiwi6rl80zkbyk15ce.png" alt="all accounts done"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgl4ay1i2bluo47uwvnx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgl4ay1i2bluo47uwvnx.png" alt="succeeded"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;finally all accounts updated&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It was hard to say what was happening within each account as there was no feedback or details about the processing. On one of my previous attempts the whole stackset went into FAILED status and I had to switch to each account to delete the stacks to revert back and restart.&lt;/li&gt;
&lt;li&gt;When a stack was successful, the status changed to CURRENT. The next account now received an id as the execution is sequential by default.&lt;/li&gt;
&lt;li&gt;When all stacks completed, the stackset went into SUCCEEDED status.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  4. Deleting the StackSet
&lt;/h4&gt;

&lt;p&gt;While deleting the stackset I had to fill in the same choices as in creation. I noticed I couldn’t delete the stackset until I deleted all stacks within it, and I had to know the organization ids to delete the stacks. This time I chose parallel execution and all of them got an id. Once done I could successfully delete the set.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0ijjd4zzuucr3yfp4d6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd0ijjd4zzuucr3yfp4d6.png" alt="failed to delete stackset"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;attempt to delete stackset when stacks were not removed&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3zsbtim2lord533gqb3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp3zsbtim2lord533gqb3.png" alt="Initiating Delete Stacks"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gjic0tzls932nxq6ava.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gjic0tzls932nxq6ava.png" alt="parallel execution"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiio21lnleg0zf35020m3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiio21lnleg0zf35020m3.png" alt="delete queued"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykzx3j7dkrbncrcz727o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykzx3j7dkrbncrcz727o.png" alt="delete running"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;initiating delete stacks within the organization&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4yk5wql1bt779nclxexu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4yk5wql1bt779nclxexu.png" alt="stack instances outdated"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fehc6wowk6j5ods88xj7o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fehc6wowk6j5ods88xj7o.png" alt="account deleted"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;notice the account was deleted&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvnmlwk0kp77axeow0bpt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvnmlwk0kp77axeow0bpt.png" alt="delete stack completed"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv5py3h1weo178jstj1j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv5py3h1weo178jstj1j.png" alt="delete stack"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut37rkp0zmysxvhq05c6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fut37rkp0zmysxvhq05c6.png" alt="ready to delete stackset"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;finally account is ready to delete stackset&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  My Suggestions
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;If this is your first time using a stackset, make sure your stack executes in one account successfully.&lt;/li&gt;
&lt;li&gt;Don’t make assumptions while executing stacksets. For example, security group ids change across the accounts, so don’t hard code them.&lt;/li&gt;
&lt;li&gt;Add default values for things that are static, for example the private cidr blocks to be assigned to a vpc or subnet.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  Final Thoughts
&lt;/h4&gt;

&lt;p&gt;The stackset is not the most intuitive feature. With a little care you can be successful at it. There are alternatives within AWS to execute it against the organization &lt;a href="https://aws.amazon.com/blogs/mt/manage-aws-cloudformation-templates-and-stacks-aws-systems-manager/" rel="noopener noreferrer"&gt;using systems manager&lt;/a&gt; or programmatically. You may also use Terraform to make your deployments. Either way, by trying it you get to practice some best practices of cross account deployments.&lt;/p&gt;

&lt;h4&gt;
  
  
  Resources
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;3 tier vpc network &lt;a href="https://github.com/LionelPJ/MyAwsToolBox/blob/main/networking/3tierVpc.yml" rel="noopener noreferrer"&gt;cloud formation script&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;[about Lionel Pulickal]&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Lionel is a Cloud Engineer who has worked in the IT industry since 1997. He has all the 3 AWS associate level exams, the solution architect professional and networking specialty exams under his belt. He loves hands-on and always loves to share the knowledge he has gained over the years.&lt;/em&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>AWS Exam Preparation: Strategies and Techniques to prevent you from Pulling your Hair Out!</title>
      <dc:creator>LionelPJ</dc:creator>
      <pubDate>Wed, 26 May 2021 17:29:22 +0000</pubDate>
      <link>https://dev.to/aws-builders/aws-exam-preparation-strategies-and-techniques-to-prevent-you-from-pulling-your-hair-out-part-1-5ki</link>
      <guid>https://dev.to/aws-builders/aws-exam-preparation-strategies-and-techniques-to-prevent-you-from-pulling-your-hair-out-part-1-5ki</guid>
      <description>&lt;p&gt;This is a two-part post. This article delves into common problems and strategies to overcome them, and maybe in the process saves you some hair loss. In Part 2 of this post, we will see some answering techniques that will help you through taking the exam.&lt;/p&gt;

&lt;p&gt;To set the stage for the problems we face, imagine that you have finally reached…&lt;/p&gt;

&lt;h1&gt;
  
  
  The Day of the Exam
&lt;/h1&gt;

&lt;p&gt;So you get to the exam and start answering questions; you are trying to settle down. It's not always that you are calm and ready to go. This article is about problems that you may face and how to prepare, so you are ready when you face them.&lt;/p&gt;

&lt;h1&gt;
  
  
  Common Exam Problems
&lt;/h1&gt;

&lt;p&gt;Let's go through some of the issues frequently faced on exam day. In this section, we will see how we can prepare ourselves based on this awareness.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3h8wv3u854auzsfhkday.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3h8wv3u854auzsfhkday.jpg" alt="Racking your brains" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The exam is hard!
&lt;/h3&gt;

&lt;p&gt;Is it? Or are the questions bordering or infringing on topics you are not aware of? Some questions can be hard and need more focus. Knowing your content and following the syllabus as you study will help. Take a deep breath - by this time you must be prepared for this!&lt;/p&gt;

&lt;h3&gt;
  
  
  Answer impulsively
&lt;/h3&gt;

&lt;p&gt;Have you had the feeling that you can't read anything and your mind is set on what the problem may be or you pre-judge that this is the option? You stop reading or you scan for words related to the option you have in mind? &lt;em&gt;Are you sure that is what they are asking?&lt;/em&gt;&lt;br&gt;
The problem is that you can't shake it off. What if I tell you that even if it doesn't feel this way, you practice this every time you take a practice test, especially when you have seen a variant of this question. You do not stop to re-evaluate if this is true? It gets harder when you have possibly seen the answer earlier and it clouds your judgement. &lt;/p&gt;

&lt;h3&gt;
  
  
  Trick questions
&lt;/h3&gt;

&lt;p&gt;AWS makes it a point to really test your knowledge. The tricks span across multiple ways.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Using the keyword &lt;em&gt;not&lt;/em&gt; in the question - To make it complicated out of the 4 options there may be 2 or more answer options also containing the word &lt;em&gt;NOT&lt;/em&gt;. Double negatives are very hard to digest. The other positive answer options do not help. Why? Because you go between positive and negative - back and forth making it confusing!&lt;/li&gt;
&lt;li&gt;Common and repetitive phrases - This makes it hard because you have to closely watch what is different among them. In a hurry it's very easy to miss them and answer wrong.&lt;/li&gt;
&lt;li&gt;Verbiage - The sentences are tricky thanks to the English language; and&lt;/li&gt;
&lt;li&gt;Technical Knowledge - It can also be tricky when the question borders on the edge of your knowledge and you do not know what it is really about, leaving you guessing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Overconfidence
&lt;/h3&gt;

&lt;p&gt;Many years ago, I was preparing for the Sun Certified Java Developer exam along with a friend. While I carefully worked on the project, my friend felt he had finished the project and was about to submit it to be graded. I appreciated his confidence, but begged him to let me write a simple program to test his code. After a lot of convincing him to let me verify his solution, in 30 minutes or less, we found that his code failed - miserably! If he had submitted the solution, he would have failed. How is this relevant to this exam? The concept is still the same. Don't be overconfident. Let your tests speak for themselves. You will know if you are ready when you are getting 3 consecutive scores of 90% or above.&lt;/p&gt;

&lt;h3&gt;
  
  
  Sickness
&lt;/h3&gt;

&lt;p&gt;Let me say this. If you know that you are sick or feeling sick, postpone the exam - please! Don't attend it. Give yourself a chance to heal. If you feel horrible on the day of the exam, call Pearson or PSI and ask what your options are. If you still decide to take it, remember the risk is higher.&lt;br&gt;
When I wrote my solution architect associate exam, I had a severe headache that morning. Knowing that I could not concentrate with a heavy headache, I tried some sample tests about 45 minutes before the exam, to get used to the feeling and to warm myself up. This helped me in the exam. My headache remained throughout the course of the exam, but I still passed it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Imposter Syndrome
&lt;/h3&gt;

&lt;p&gt;This is very real. This is when you start doubting yourself and you feel you are not worthy. It has happened to me twice, on two of the Azure exams. I had this constant thought stuck in my head that I am not an Azure architect. Of the 7 exams that I wrote, I failed on these 2 when I doubted myself. Postpone if you are not in the right space of mind. Do more hands-on activities. When you are ready, schedule again.&lt;/p&gt;

&lt;h2&gt;
  
  
  Strategies and Techniques
&lt;/h2&gt;

&lt;p&gt;Now let's talk about common strategies to handle these problems.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffb5y19acr5rqft36028q.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffb5y19acr5rqft36028q.jpg" alt="Studies" width="640" height="427"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Actually read the syllabus
&lt;/h3&gt;

&lt;p&gt;The most common and the most important foundation is to gain a complete understanding of the syllabus. Know it well. I would suggest that you go through it more than once. The first time you gain familiarity. On the second pass, you may find gaps or better understanding. &lt;/p&gt;

&lt;p&gt;&lt;em&gt;Make Notes&lt;/em&gt;. Remember, it should be very short or you can't read these before the exam. No one wants to read a novel before the exam!! Try to write a phrase or a sentence that reminds you of the concept.&lt;/p&gt;

&lt;h3&gt;
  
  
  Benchmark your progress
&lt;/h3&gt;

&lt;p&gt;I have been teaching AWS within my company to multiple students for the last two years. The first thing we always do is to take a sample test before we start learning for the exam. The deal is to never ever get a lower score again, as this becomes the threshold. Every time a new benchmark is taken, the new score becomes the benchmark. Do as many benchmarks as you see fit. I would suggest that you do this at the beginning and after you finish 2 rounds of learning content.&lt;/p&gt;

&lt;h3&gt;
  
  
  Test often
&lt;/h3&gt;

&lt;p&gt;That is right. Test often! Find gaps. See if you can find patterns and relate them to domains. If you do badly in a domain, read or watch those portions again. If these are specific topics, then learn them with the intention of understanding what each one does and when it is used. This will take you a long way.&lt;/p&gt;

&lt;h3&gt;
  
  
  Learn using different styles
&lt;/h3&gt;

&lt;p&gt;While some of us love to watch videos, some like to read books. My suggestion - try them all. Each one of the styles comes with its own unique advantages. And sometimes by this practice the topic gets deeper and you may understand even better. Some of the techniques may include - &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Watching AWS re:Invent videos on YouTube&lt;/li&gt;
&lt;li&gt;Watching premium content courses. In my case, I was introduced to Adrian Cantrill a few years ago when he worked for Linux Academy [now a part of A Cloud Guru]. I followed him along and now he has his own site &lt;a href="https://learn.cantrill.io/courses" rel="noopener noreferrer"&gt;learn.cantrill.io&lt;/a&gt;. He is a person who really built my foundation and helped me on my AWS journey and I would recommend this to anyone who also wants to learn and become better at their craft.&lt;/li&gt;
&lt;li&gt;Reading the official guides by AWS that can be purchased from Amazon or read on &lt;a href="https://www.oreilly.com/" rel="noopener noreferrer"&gt;O'Reilly&lt;/a&gt; if you have a subscription.&lt;/li&gt;
&lt;li&gt;Joining live event sessions on AWS. As an example, if you have a subscription with O'Reilly, you can attend any of the advertised live events with guest speakers.&lt;/li&gt;
&lt;li&gt;Watch or attend AWS events. They often post articles on LinkedIn or other social media.&lt;/li&gt;
&lt;li&gt;Watching or reading material on &lt;a href="https://www.aws.training/" rel="noopener noreferrer"&gt;aws.training&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Reading white papers&lt;/li&gt;
&lt;li&gt;Hands-On - a lot of it!!!&lt;/li&gt;
&lt;li&gt;Do a project on topics you like. For example, I authored a liveProject for manning.com called &lt;a href="https://www.manning.com/liveproject/automating-infrastructure-for-an-e-commerce-website-with-terraform-and-aws?query=terraform" rel="noopener noreferrer"&gt;Automating Infrastructure for an E-commerce Website with Terraform and AWS&lt;/a&gt;. This builds a network from scratch, then I made a website from scratch using ECS, automated it using CodePipeline and performed some backup strategies using serverless concepts. This option can really help you in real life where you have to apply what you learned!&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Practice Answering Techniques using logic not memory
&lt;/h3&gt;

&lt;p&gt;Make this a point. The real exam doesn't test your memory. They want you to evaluate the answers. So, while you do those practice exams, don't memorize. Use your logic, even if you think you know what the question is about. The art of answering and the constant application of figuring out will help you in the exam.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftit3imv41ytqglvkkly2.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftit3imv41ytqglvkkly2.jpg" alt="Tricky as Jenga" width="800" height="531"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Additional Notes on Common Problems
&lt;/h2&gt;

&lt;h4&gt;
  
  
  The Exam is Hard - How can I handle this?
&lt;/h4&gt;

&lt;p&gt;This is something that you must prepare for ahead of time. Some of the common tips are - &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt; Download the &lt;a href="https://aws.amazon.com/certification/certification-prep/" rel="noopener noreferrer"&gt;exam guide&lt;/a&gt; from this site. Understand how many domains exist in your exam and how the weightage varies across the domains.&lt;/li&gt;
&lt;li&gt; Go through the whole syllabus at least 2 times.&lt;/li&gt;
&lt;li&gt; Don't assume you know it all. Try a test to gain some quick feedback on how much knowledge you have retained. Please don't memorize. Instead, use logic to figure out your answers. Your main exam will not have these questions verbatim. So don't waste your time.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  I am driven by Impulses - How can I handle this?
&lt;/h4&gt;

&lt;p&gt;Let me tell you this - the real exam is not about &lt;em&gt;memorizing&lt;/em&gt; those answers. During the exam, the toolset you need to bring to the table is - the ability to figure it out. To do this well in any exam, you need to take it back to that same practice test where you thought you got this - and think along the following lines - &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;em&gt;Why is this option right?&lt;/em&gt; or &lt;/li&gt;
&lt;li&gt;
&lt;em&gt;Why are the options wrong?&lt;/em&gt; or &lt;/li&gt;
&lt;li&gt;&lt;em&gt;Are there keywords in the question that justify my answer choice?&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  I find the exam tricky - How can I handle this?
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;When you see the word &lt;em&gt;NOT&lt;/em&gt; - it's time to really figure out if you want to fall for this kind of trap. It's best to first flag the question before you attempt any further. Then go about figuring out &lt;em&gt;what are they really asking?&lt;/em&gt; Translate this to simple words in your mind. For each option, translate it to its negative or positive version and ask: is this a possibility? Would this be a candidate? Then remove choices that are noisy. Finally, sweep again to match keywords from the question that help you qualify the right answer. Personally, I like to translate it all to a positive statement as it's easy for me to wrap my head around it. We will see examples of this later in one of the answering techniques.&lt;/li&gt;
&lt;li&gt;Common phrases in questions have no additional value. Ignore them. And really look at what is different in each option. We will also look at an example in an answering technique called &lt;em&gt;Answers First&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;The classical tricks include adding a lot of disruptors or noise in the question or answers or both. It's all about figuring out &lt;em&gt;what do they really want?&lt;/em&gt;
&lt;/li&gt;
&lt;li&gt;The tricks around technical knowledge really verify your understanding of the service. Do you know your subject well to spot these errors?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you want to see some of these as examples, please read the second part of the post, where I show you how to handle each of these scenarios [coming soon].&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;[about Lionel Pulickal]&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;em&gt;Lionel is a Cloud Infrastructure Analyst who has worked in the IT industry since 1997. He has all the three AWS associate level exams, the solution architect professional and the networking specialty exams under his belt. He loves hands-on and always loves to share the knowledge he has gained over the years.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>answeringtechniques</category>
      <category>passingexams</category>
      <category>cloudskills</category>
    </item>
  </channel>
</rss>
