DEV Community: maso

DAY8 -Bonus

maso — Wed, 25 Feb 2026 17:47:30 +0000

Overview

Today, I’ll summarize the key points of the services that weren't covered in the hands-on sessions but appear frequently on the exam!
※You can check the exam scope from the link below.
https://docs.aws.amazon.com/aws-certification/latest/examguides/sap-02-in-scope-services.html

1. AWS Organizations

governance tool that allows centralized management of multiple AWS accounts.
SCP imposes maximum permission restrictions (i.e., even if SCP permits an action, it cannot be performed without corresponding IAM permissions).

2. CloudTrail / AWS Config

can check API call history using CloudTrail
can check resource State History using AWS Config

3. KMS / Secrets Manager / ACM

KMS : create/manage the encryption keys and control key usage
Secrets Manager : rotate DB passwords
ACM : manage certificates for ALB, CloudFront, API GW...

4. CloudFront / Global Accelerator

CloudFront : Cache and distribute at the edge CDN
Global Accelerator : Enter the nearest AWS edge and transport to the optimal region/endpoint

5. Transit Gateway / Site-to-Site VPN / Direct Connect

TGW : Multi-VPC/Multi-site Hub
VPN : two or more private networks over the internet
Direct Connect : two or more private networks over the dedicated line

6. Athena / Redshift / Glue

Athena : Instant SQL Analysis on S3 (Serverless)
Redshift : DWH (Data Warehouse, Business Intelligence)
Glue : ETL/Data Catalog

7. WAF / Shield

WAF : L7 (HTTP) filter (SQLi/XSS, IP Restriction, etc.)
Shield : DDoS Mitigation (especially edge/global)

8. ECS/Fargate/ECR

ECR : Docker image registry
ECS : An orchestrator that manages container execution, deployment, and scaling.
Fargate : One of the “execution platforms” for ECS (or EKS). Run containers without managing EC2 instances. ※It's important to understand how to choose between ECS on EC2 and Fargate ・ Don't want to manage the server/ Highly fluctuating workloads/ Small to medium-sized microservices → Fargate is better ・ Large-scale and continuously operational/ Host-level control is required → ECS on EC2 is better

That's all for this series!
After trying a few of the official AWS practice questions, I think I'll take the exam (once I get back to Japan)!
Thank you for reading!

DAY7 -IaC

maso — Thu, 19 Feb 2026 16:12:50 +0000

Overview

Today, I’ll build a basic VPC baseline, the same as Day1, using CloudFormation. CloudFormation makes it easier to create and update resources.
I'll deploy two CloudFormation stacks to learn cross-stack references. The network stack contains network resources (VPC, subnets, IGW...) and the app stack contains app resources (EC2, SG...).

Hands-on

1. Create YAML templates

Create two YAML files using the templates below.

"day7-network.yaml"

AWSTemplateFormatVersion: '2010-09-09'
Description: Day7 Network Stack - VPC baseline with Exports (2AZ public/private, IGW, S3 Gateway Endpoint)

 # Create Variables
Parameters:
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16
  Az1:
    Type: AWS::EC2::AvailabilityZone::Name
  Az2:
    Type: AWS::EC2::AvailabilityZone::Name

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: hs-day7-vpc

  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: hs-day7-igw

  AttachIgw:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref IGW

  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Ref Az1
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: hs-day7-public-a

  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Ref Az2
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: hs-day7-public-b

  PublicRT:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: hs-day7-rt-public

  PublicRouteDefault:
    Type: AWS::EC2::Route
    DependsOn: AttachIgw
    Properties:
      RouteTableId: !Ref PublicRT
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW

  AssocPublicA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRT

  AssocPublicB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRT

 # Output resource information for reference from the stack
Outputs:
  VpcId:
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-VpcId"

  PublicSubnetAId:
    Value: !Ref PublicSubnetA
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnetAId"

  PublicSubnetBId:
    Value: !Ref PublicSubnetB
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnetBId"

  PublicRouteTableId:
    Value: !Ref PublicRT
    Export:
      Name: !Sub "${AWS::StackName}-PublicRouteTableId"

"day7-app.yaml"

AWSTemplateFormatVersion: '2010-09-09'
Description: Day7 App Stack - Create EC2 in imported VPC/Subnet (SSM enabled)

Parameters:
  NetworkStackName:
    Type: String
    Description: Name of the Network stack that exports VPC/Subnets (e.g., hs-day7-network)
  InstanceType:
    Type: String
    Default: t3.micro

Resources:
  Ec2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "hs-day7-ec2-ssm-role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref Ec2Role

 # Create SG for EC2 instance using VPC ID imported by the network stack
  Ec2Sg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: hs-day7-ec2-sg (no inbound, all outbound)
      VpcId: !ImportValue
        Fn::Sub: "${NetworkStackName}-VpcId"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

 # Create an EC2 instance using subnet ID imported by the network stack
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}}"
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref Ec2InstanceProfile
      SubnetId: !ImportValue
        Fn::Sub: "${NetworkStackName}-PublicSubnetAId"
      SecurityGroupIds:
        - !Ref Ec2Sg
      Tags:
        - Key: Name
          Value: hs-day7-app-ec2

 # Output the instance id to review the instance.
Outputs:
  InstanceId:
    Value: !Ref Ec2Instance

2. Create CloudFormation stack

1. Network stack

CloudFormation → Create stack

Upload "day7-network.yaml".

Choose two Availability Zones (AZs).

You can review the resources created by this stack in the "Resources" tab. (Network resources like VPC, subnets, IGW...)

2. App stack

CloudFormation → Create stack

Upload "day7-app.yaml".
NetworkStackName = the network stack name created in the previous step.

You can review the resources created by this stack in the "Resources" tab. (App resources like EC2, SG, IAMrole...)

3. Functionality Verification

Systems Manager → Session Manager → Start session
If you can start a Session Manager session to the EC2 instance, you’ve successfully created both stacks.

Update "day7-app.yaml" to add a tag to the EC2 instance.
※"Environment : dev" tag!

"day7-app.yaml"

AWSTemplateFormatVersion: '2010-09-09'
Description: Day7 App Stack - Create EC2 in imported VPC/Subnet (SSM enabled)

Parameters:
  NetworkStackName:
    Type: String
    Description: Name of the Network stack that exports VPC/Subnets (e.g., hs-day7-network)
  InstanceType:
    Type: String
    Default: t3.micro

Resources:
  Ec2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "hs-day7-ec2-ssm-role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  Ec2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref Ec2Role

 # Create SG for EC2 instance using VPC ID imported by the network stack
  Ec2Sg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: hs-day7-ec2-sg (no inbound, all outbound)
      VpcId: !ImportValue
        Fn::Sub: "${NetworkStackName}-VpcId"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0

 # Create an EC2 instance using subnet ID imported by the network stack
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Sub "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}}"
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref Ec2InstanceProfile
      SubnetId: !ImportValue
        Fn::Sub: "${NetworkStackName}-PublicSubnetAId"
      SecurityGroupIds:
        - !Ref Ec2Sg
      Tags:
        - Key: Name
          Value: hs-day7-app-ec2
        - Key: Environment
          Value: dev

 # Output the instance id to review the instance.
Outputs:
  InstanceId:
    Value: !Ref Ec2Instance

CloudFormation → Stacks → the app stack → Create a change set → Update stack → Replace template → Create change set

You can review the differences in the "Resource changes" tab.
※In this time, there are differences with tag settings.
Execute change set.

Execute change set, and the tag is added.

Tidying up

Delete the app stack
Delete the network stack

For test

Key exam points related to today's services.

CloudFormation

Cross-stack references: export values from one stack (Outputs/Export) and import them in another stack (ImportValue). Export names must be unique within the same account and region.
Change set is used when you change the template. Depending on the changes made, either in-place update or replacement are performed. (※In case of replacement, the resource is recreated. Some parameters like EC2 instance ID are changed.)

It's a last hands-on lab, see you soon in the Day8!
I'll summarize the key points of the services not covered in hands-on sessions.

DAY6 -Event-driven

maso — Tue, 17 Feb 2026 20:29:03 +0000

Overview

Today, I’ll build a simple event-driven pipeline using Amazon EventBridge, AWS Step Functions, AWS Lambda, Amazon SQS, Amazon SNS, and Amazon S3.
EventBridge triggers a Step Functions state machine, which invokes a producer Lambda. The producer stores the result in S3 and sends a message to SQS. SQS then triggers a worker Lambda, which publishes a notification to SNS. Finally, SNS delivers the message to my email.

※Using SQS to decouple components is a common exam pattern and a real-world best practice to separate components for each task to account for Lambda's execution time limits and simplify troubleshooting when errors occur.

Hands-on

1. Create a S3 bucket

Block Public Access : ON (default)
Default encryption : SSE-S3 (default)

2. Create a SNS topic

Type : Standard

Check the SNS Topic ARN!

Create a subscription to receive Email notifications.
the SNS topic created in the previous step → Subscriptions
Protocol : Email
Endpoint : your email address

Check your email and confirm subscription!

3. Create SQS queue

Type : Standard
Visibility timeout : 30s

Check the SQS queue URL!

4. Create a Producer Lambda (S3 saving + SQS triggering) invoked by the Step Functions

1. Create IAM role for the Lambda

Create IAM role and attach the following permission using the inline policy to allow lambda to access the S3 bucket and SQS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutToS3",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::<s3-bucket-name>/*"
    },
    {
      "Sid": "SendToSQS",
      "Effect": "Allow",
      "Action": ["sqs:SendMessage"],
      "Resource": "arn:aws:sqs:<region>:<account-id>:<queue-name>"
    }
  ]
}

2. Create a Lambda function

Runtime : Python 3.12
Role : the IAM role created in the previous step

Set the following environment variables in the Code → Environment variables section.

BUCKET = <your S3 bucket name>
QUEUE_URL = <URL of SQS>

Set the following code and deploy.

import json, os, time, uuid
import boto3

 # Initialization
s3 = boto3.client("s3")
sqs = boto3.client("sqs")

 # Reading Environment Variables
BUCKET = os.environ["BUCKET"]
QUEUE_URL = os.environ["QUEUE_URL"]

 # Receive the event passed by the Step Functions
def lambda_handler(event, context):
    job_id = str(uuid.uuid4())
    ts = int(time.time())

 # Create the object sent to the S3 bucket
    result = {
        "jobId": job_id,
        "timestamp": ts,
        "input": event
    }

 # Decide the S3 storage destination
    key = f"day6/results/{job_id}.json"

 # Put Object to the S3 bucket
    s3.put_object(
        Bucket=BUCKET,
        Key=key,
        Body=json.dumps(result).encode("utf-8"),
        ContentType="application/json"
    )

 # Create the message sent to the SQS
    msg = {
        "jobId": job_id,
        "bucket": BUCKET,
        "key": key
    }

 # Send message to the SQS 
    sqs.send_message(
        QueueUrl=QUEUE_URL,
        MessageBody=json.dumps(msg)
    )

 # Return the information to the Step Functions
    return {
        "jobId": job_id,
        "s3": f"s3://{BUCKET}/{key}",
        "queued": True
    }

5. Create a worker lambda (publish to SNS), triggered by SQS

1. Create IAM role for the lambda

AWSLambdaBasicExecutionRole
Create IAM role and attach the following permission to allow lambda to publish the SNS and receive message by the SQS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublishToSNS",
      "Effect": "Allow",
      "Action": ["sns:Publish"],
      "Resource": "arn:aws:sns:<region>:<account-id>:hs-day6-topic"
    },
    {
      "Sid": "SQSReceiveForWorker",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:ChangeMessageVisibility"
      ],
      "Resource": "<QUEUE_ARN>"
    }
  ]
}

2. Create Lambda

Runtime : Python 3.12
Role : the IAM role created in the previous step

Set the following environment variables.

TOPIC_ARN = <your SNS Topic ARN>

Set the following code.

import json, os
import boto3

 # Initialization
sns = boto3.client("sns")
TOPIC_ARN = os.environ["TOPIC_ARN"]

 # Receive the event by the SQS
def lambda_handler(event, context):

 # Loop the record execution
    for r in event.get("Records", []):
        body = r["body"]
        msg = json.loads(body)

 # Create the notification message
        text = (
            f"Day6 completed.\n"
            f"jobId: {msg.get('jobId')}\n"
            f"S3: s3://{msg.get('bucket')}/{msg.get('key')}\n"
        )

 # Publish to the SNS
        sns.publish(
            TopicArn=TOPIC_ARN,
            Subject="Day6 Notification",
            Message=text
        )
    return {"ok": True}

3. Set the SQS as the trigger

Worker Lambda → Add trigger → SQS created in the previous step
Batch size : 1

6. Create Step Functions

Step Functions → State machines → Create state machine
Type : Standard

{
  "Comment": "Day6: Invoke producer lambda",
  "StartAt": "InvokeProducer",
  "States": {
    "InvokeProducer": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "hs-day6-producer",
        "Payload.$": "$"
      },
      "Retry": [
        {
          "ErrorEquals": ["States.ALL"],
          "IntervalSeconds": 2,
          "MaxAttempts": 2,
          "BackoffRate": 2.0
        }
      ],
      "End": true
    }
  }
}

7. Create an Event Bridge rule

Rule type : EventBridge Scheduled rule (5 minutes)
Target : Step Functions state machine
Input : set the following example

{"source":"eventbridge","note":"day6 test"}

8. Functionality Verification

You've created all resources!
Enable EventBridge rule and wait for few minutes...

➀EventBridge trigger the Step functions every 5 minutes.
※You can ensure Step Functions is executed at the "Executions" tab.

➁Step functions trigger the Producer Lambda.
※You can ensure the producer Lambda is invoked in the "Monitor" tab.

➂Producer Lambda send the data to the S3.
※The json file is created in the S3!

➃Producer Lambda send message to the SQS.
※You can ensure the SQS receives the message from the Lambda at the "Monitoring" tab.

➄SQS trigger the Worker Lambda, which sends the results to the SNS.
※You can ensure the worker Lambda is invoked in the "Monitor" tab.

➅SNS sends an Email notification to the user.
※You should receive the notification Email from SNS!

※At first, My Worker Lambda occurred an error because I set the SNS subscription's ARN (not the SNS topic's ARN!) to the IAM policy attached to the Lambda... If you can't receive the Email, please review the Cloudwatch Logs in the order they occur.

9. Tidying up

Delete the EventBridge Rule
Delete the Step Functions state machine
Delete Lambda (Producer/Worker)
Delete SQS queue
Delete SNS Topic + Subscription
Delete S3 bucket

For test

Key exam points related to today's services.

EventBridge

Routing the event to the multiple targets (Step Functions/Lambda/SQS/SNS...) ※EventBridge can route the event. When you want to guarantee order or perform reprocessing, you should use SQS queuing.

Step Functions

Orchestration of the processing.
should use correct mode. Requires history/observability or Long-running processes → Standard High event volume or Ultra-low latency → Express
When processing fails, you can choose retry or catch (set other processing like notification).

Lambda

Execute code without needing a server
when you need heavy/time-consuming processing, you should use ECS/Batch as Lambda has processing time limits.

SQS

message queueing service. Processing can be made asynchronous and loosely coupled.
SQS itself does not execute processing; it only invokes functions like Lambda.

DAY5 -Databases

maso — Mon, 16 Feb 2026 14:28:01 +0000

Overview

Today, I'll run a hands-on lab on databases (DynamoDB, RDS).
Recreate a private EC2 instance and the SSM interface endpoints as in Day4 hands-on if you deleted them.

Hands-on

1. RDS

1. Create a DB subnet group

VPC : the VPC created in Day1 hands-on
Subnets : 2 private subnets (AZa/AZb)

2. Create a security group for the DB

Inbound : TCP3306 (source : SG attached to the EC2 instance)
Outbound : All traffic (default)
※only open for application layer! (important for the test)

3.Create DB

Engine : MySQL
Template : Free tier (If you can't use free tier, choose Dev/Test)
DB instance class : db.t3.micro
Multi-AZ : Off
Storage : gp3
VPC : Day1 VPC
Subnet group : the subnet group created in the previous step
Public accessible : No
VPC security group : the security group created in the previous step
Authentication : password authentication

Check the endpoint!(xxxxx.rds.amazonaws.com)

4. Connection verification

Execute the following commands and ensure that the EC2 instance can access the DB

DB_ENDPOINT=<your-db-endpoint>
timeout 5 bash -c "cat < /dev/null > /dev/tcp/${DB_ENDPOINT}/3306" && echo "TCP OK" || echo "TCP NG"

If you receive "TCP OK", the instance could access to the DB!

2. DynamoDB

DynamoDB is not deployed inside your VPC. You need to call the DynamoDB API endpoints, so you need NAT or DynamoDB Gateway Endpoint to reach the DB.

1. Create DynamoDB Gateway Endpoint

Service : com.amazonaws..dynamodb（Gateway)
Route tables : Private route table
Policy : Full access

2. Create DynamoDB table

Partition key : pk (string)
Capacity mode : On-demand

3. Attach the permissions to the EC2 instance

the IAM role attached to the EC2 instance → Add permissions → Create inline policy → Add following policy to allow EC2 instance to access to the DynamoDB

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DynamoRWForOneTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:<your-region>:<your-account-id>:table/<your-table-name>"
    }
  ]
}

4. Access to the DB from the EC2 instance

Set variables.

REGION=<your-region>
TABLE=<your-table-name>

Put a sample item into the table (partition key = user#001, name = sora, age = 27)
※DynamoDB is the KVS (=key/value + Attributes) DB, so use key (= A key for uniquely identifying an item) and attributes (= Data other than keys). If you use the same key with the previous data, the old data is overwritten.

aws dynamodb put-item \
  --region $REGION \
  --table-name $TABLE \
  --item '{"pk":{"S":"user#001"},"name":{"S":"sora"},"age":{"N":"27"}}'

Get the item from the DB using the partition key "user#001".

aws dynamodb get-item \
  --region $REGION \
  --table-name $TABLE \
  --key '{"pk":{"S":"user#001"}}'

If you can receive the date put in the previous step, you can correctly use DB!

3. Tidying-up

Delete RDS
Delete DynamoDB table
Delete DynamoDB gateway endpoint
Delete EC2 instance

For test

Key exam points related to today's services.

RDS/Aurora

use Multi AZ for the HA (not for improvement of reading performance)
use Read Replica for improvement of the reading performance
create DB in the private subnets and attach SG allow application SG → DB port
use SCT when migrate to the different types of DB (ex. Oracle → Aurora)
use DMS when you want to minimize the downtime during the migration.

DynamoDB

When searching for data using queries, use keys (it's not good at searching for attributes).
Use correct type Unpredictable, spikes needed → On-demand Cost optimization with stable traffic → Provisioned
DynamoDB is not created in the VPC! The EC2 instances should access to the DB using NAT or DynamoDB gateway endpoint!

See you soon in Day6 hands-on!

DAY4 -Storage Configuration

maso — Tue, 03 Feb 2026 22:58:36 +0000

Overview

Today, I'll run a hands-on lab on AWS storage services (Amazon S3, Amazon EBS and Amazon EFS).

Hands-on

1. Environment Preparation

1. Launch two private EC2 instances.

Launch two EC2 instances (Amazon Linux 2023) in private subnets-one in each Availability Zone- and attach an IAM role with AmazonSSMManagedInstanceCore.

2. Create Interface Endpoints in two private subnets to allow private EC2 instances to reach Systems Manager (SSM).

Create the following three endpoints to access to the EC2 instances using SSM Session Manager. Replace with your region.
com.amazonaws..ssm
com.amazonaws..ec2messages
com.amazonaws..ssmmessages

Enable Private DNS : ON
Security group : create a new one

3. Add rules to the security group attached to the VPC endpoints.

Inbound : HTTPS443 source = the security group attached to the private EC2
Outbound : all traffic (default)

2. EBS hands-on

1. Create an EBS volume

EBS → Volumes → Create volume
Type : gp3
Size : 8-10Gib
AZ : AZa

2. Attach an additional EBS volume to the EC2 instance

Actions → Attach volume → choose a private the EC2 instance in AZ-a
Device name : /dev/sdf

3. Set up the EBS volume

Connect to the EC2 instance by SSM and execute the following commands.

Check block devices.

lsblk

You can see the new EBS volume attached to the instance ("nvme1n1" which hasn't mounted to anything).

Format the volume (initialize and create a filesystem)

sudo mkfs -t xfs /dev/nvme1n1

Mount (attach it to the filesystem hierarchy)
If you record under /data, it's recorded in the EBS because the EBS volume is mounted to the /data.

sudo mkdir -p /data
sudo mount /dev/nvme1n1 /data

Check that the volume is mounted to the instance. If you see the filesystem mounted on /data, you've successfully mounted EBS.

df -h

Check the UUID (= A globally unique identifier assigned to objects in software.).

sudo blkid

Persistence (= Making the OS mount even if it is rebooted)
※Device names may change after reboots, so specify the disk using its UUID.

sudo sh -c 'echo "UUID=xxxx-xxxx  /data  xfs  defaults,nofail  0  2" >> /etc/fstab'

Writing test.

echo "hello ebs" | sudo tee /data/hello.txt
cat /data/hello.txt

4. Create snapshot

EC2 → Volumes → Create snapshot

※You can restore the volume data using snapshot.

3. EFS hands-on

1. Create an EFS file system

VPC : the VPC made in Day1 hands-on
Mount targets : two private subnets
Security group : create a new SG for EFS with the following settings.
Inbound - NFS2049 source = EC2's SG
Outbound - All traffic (default)

2. Mount EFS by EC2

EFS → Attach → Execute the following commands
※Replace with your resource's id shown on the EFS console.

sudo dnf -y install amazon-efs-utils
sudo mkdir -p /efs
sudo mount -t efs <FILE_SYSTEM_ID>:/ /efs
df -h | grep efs

Do the same steps for both of two EC2 instances to attach EFS for them (EFS can be used for multi-AZ).

3. Verify that both EC2 instances can access the same EFS filesystem.

Execute the following commands by SSM in the EC2 instance in AZa, and create test text file in the folder mounted to the EFS instance.

echo "from ec2-a" | sudo tee /efs/shared.txt
cat /efs/shared.txt

in the EC2 instance in AZb, you can see "shared.txt" file created by the instance in AZa.

cat /efs/shared.txt

4. S3 hands-on

1. Create an S3 bucket

Block Public Access : ON
Default encryption : SSE-S3

2. Upload a test file to the bucket.

3. Attach the S3 access permission to the EC2 instance

IAM → Create policy → Set the following JSON to allow EC2 instance to access the S3 bucket made in the previous step
※replace with your S3 bucket name

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<BUCKET_NAME>"
    },
    {
      "Sid": "ObjectRW",
      "Effect": "Allow",
      "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    }
  ]
}

Attach this policy to the IAM role attached to the private EC2

4. Ensure that the EC2 instance can access the S3 bucket

1. Verify the instance can't reach the public Internet (because it's in a private subnet).

curl -I https://aws.amazon.com || true

2. Ensure the instance can reach to the S3 using the S3 endpoint.

※Replace the region name and bucket name with your region

aws s3 ls s3://<BUCKET_NAME> --region <REGION>

You can see the file uploaded on the S3 bucket by console.

3. S3 test operation

Create text file → send it to the S3 bucket →check the S3 folder

echo "hello from private ec2 via vpce" > /tmp/hello.txt

aws s3 cp /tmp/hello.txt s3://$BUCKET/day4/hello.txt --region $REGION
aws s3 ls s3://$BUCKET/day4/ --region $REGION

You can see the file uploaded by the EC2 instance on S3 console.

You can also copy the file from the S3 bucket → check it

aws s3 cp s3://$BUCKET/day4/hello.txt /tmp/hello-from-s3.txt --region $REGION
cat /tmp/hello-from-s3.txt

Tidyng-up

Delete a S3 object → Delete a S3 bucket
Delete EFS File systems (Mount targets are automatically deleted)
Terminate two EC2 instances
Delete EBS volumes
Delete EBS snapshots

※Keep the S3 Gateway endpoint, as it's no hourly cost.

For test

Key exam points related to today's services.

Choosing the Right Storage Service

S3
can store objects. Highly durable and requires no scaling
EBS
can store block. Low latency, high IOPS. basically for only one AZ and one EC2 instance (can't be shared with instances)
EFS
can store file. can be shared with instances and is multi-AZ.
FSx for windows
can store file. SMB, NTFS, ACL, AD integrated (= useful for windows server.)
FSx for Lustre
can store file. Integrates with S3. High-speed parallel processing capability

See you soon in Day5!

DAY3 -Monitoring & Scaling

maso — Sat, 31 Jan 2026 00:20:46 +0000

Overview

Today, I'll do a hands-on lab on monitoring and scaling EC2 instances using an ALB, an Auto Scaling Group, and CloudWatch.

Hands-on

1. Build NAT Gateway

1. Create Elastic IP to attach to the NAT Gateway

2. Build NAT Gateway

Subnet : Public subnet (either public subnets made in Day1 hands-on)
Elastic IP : IP made in the previous step.
※Best practice is to deploy a NAT Gateway per AZ for high availability. To keep costs down, I'm creating only one NAT Gateway in a single AZ by Zonal mode.

2. Add a default rule to the private route table

Add a default route to the private route table associated with private subnets so that instances in those subnets can reach the Internet.
Destination : 0.0.0.0/0
Target : NAT Gateway

3. Create two security groups.

Security group for ALB Inbound : HTTP 80 from 0.0.0.0/0 Outbound : All traffic (default)

Security group for EC2 Inbound : HTTP 80 from the ALB security group made in the previous step Outbound : All traffic (default)

4. Create Target Group

Target type : Instances
Protocol/Port : HTTP 80
VPC : the VPC made in Day1 hands-on
Health check : Path /

5. Create Launch Template

Create a launch template for the ASG.

AMI : Amazon Linux 2023
Instance type : t3.micro
Security group : the security group made in the previous step for EC2
IAM role : the IAM role has AmazonSSMManagedInstanceCore permission (we made in Day2 hands-on)
※I will use Session Manager to perform load testing
Auto-assign public IP : Disable
User data : following

#!/bin/bash
set -e

dnf -y update
dnf -y install nginx
systemctl enable --now nginx

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
  http://169.254.169.254/latest/meta-data/instance-id)

cat > /usr/share/nginx/html/index.html <<EOF
<h1>Day3: ALB + ASG (Private EC2)</h1>
<p>InstanceId: ${INSTANCE_ID}</p>
EOF

6. Create Auto Scaling Group (ASG)

Launch template : the template made in the previous step
VPC : VPC made in Day1 hands-on
Subnets : two private subnets made in Day1 hands-on
Load balancing : attach to the target group made in the previous step
Min Desired capacity : 2
Max desired capacity : 4
Health check type : ELB
Grace period : 120 sec

7. create ALB

Schema : Internet-facing
VPC : VPC made in Day1 hands-on
Availability Zones and subnets : 2 public subnets
Security group : security group for ALB
Listener : HTTP:80
Routing action : Forward to the target group made in the previous step.

8. Functionality Verification

If you can open the ALB's DNS name in your browser, you've successfully reached the private EC2 instances through the public ALB.

Ensure the status of the target group is healthy.

9. Scaling

1. create Scaling policy

ASG → Automatic scaling → Create dynamic scaling policy.
Policy type : Target tracking scaling
Metric : Average CPU utilization
Target : 40~50%

2. Functionality Verification of the scaling

Connect to the EC2 instance by using SSM (like Day2 hands-on) and execute the following commands to install stress-ng and launch CPU workers to increase CPU usage for ten minutes.

sudo dnf -y install stress-ng
cd /tmp
stress-ng --cpu 2 --timeout 10m

Wait for a few minutes and check scaling status.
In my case, the status of "TargetTracking" metrics in cloud watch exceeded the threshold in 5 minutes and ASG automatically launched a new instance about five minutes later.

→After the two EC2 instances configured as the minimum desired capacity, another EC2 instance is launched for load balancing.

10. Tidying up (to prevent unpredictable cost)

Please delete the resources in the following order to avoid failures in dependency order.

1. Delete ALB

2. Delete ASG

3. Delete Target group

4. Delete Launch template

5. Delete NAT Gateway

6. Release Elastic IP ←more likely to forget! Be careful!

2. For test

Key exam points related to today's services.

1. the differences between NAT Gateway and NAT instance

NAT Gateway is the managed service (= you don't need to manage it.) and should be associated with EIP.
NAT instance is the EC2 instance has EIP or public IP. You should manage countermeasures for failures and load balancing.

2. ALB vs NLB

ALB uses HTTP or HTTPS protocol. can route based on URL and set Lambda as target and use ACM. →when you want to route based on URL in web application or manage certificate.
NLB uses TCP, TLS or UDP protocol. Ultra-high speed, high throughput and use EIP. →when you want high-speed communication in the system like financial system or publish the system using a fixed IP address. #####3. Scaling of the resources
EC2 : ASG + ALB/NLB + scale indicator (CPU, Request Count etc)
Lambda : concurrent execution, manage by event source (SQS, Kinesis etc)
ECS/EKS : Service Auto Scale

See you soon in Day4 hands-on!

DAY2 -EC2 + Remote access

maso — Thu, 29 Jan 2026 12:51:50 +0000

Overview

Today, I'll launch a basic EC2 instance in the VPC we created in Day1 and connect to it.

Hands-on

1. Create IAM Role for EC2

To access EC2 by using SSM Manager, you need to attach 'AmazonSSMManagedInstanceCore' permission to the instance.

2. Create security group

Create security group for EC2 by using the following settings.
-Inbound: none
-Outbound: allow all traffic (default)

3. Access EC2 by SSM

1. Build EC2 instance

AMI: Amazon Linux 2023
Instance type: t3.micro
VPC: VPC made in Day1
Subnet: Public subnet made in Day1 (either AZ)
Security Group: security group made in the previous step
IAM role: role made in the previous step

2. Access by SSM

Systems Manager → Session Manager → Start session → run the following commands

whoami #check user name
uname -a #get system information
curl -I https://aws.amazon.com #check the connection to AWS domain

If you see a valid response, you've successfully launched the instance and connected to it via Session Manager.
The traffic path is: your browser → SSM (public endpoint) → the SSM agent on the instance

4. Tidying up (to prevent unpredictable cost)

Terminate the EC2.

For test

Key exam points related to today's services.

There are four ways to access EC2.

SSM: connect to the instance without opening inbound SSH/RDP ports. should install SSMAgent in the instance (Most AWS-provided AMIs (e.g., Amazon Linux) include the SSM agent) and attach IAM role with SSM permission to the instance. ← today's hands-on!
SSH or RDP: use client softs like Teraterm and use keypair for Linux. use RDP and Administrator's password for Windows. should manage password or key pair by yourself. ← I'll try in tomorrow's hands-on!
EC2 Instance Connect: Connect to the instance via SSH using a public key with a short validity period (You shouldn't manage SSH key by yourself). should install EC2 instance connect in the instance.
EC2 Serial Console: connect to the virtual serial port of the instance. can connect to the instance doesn't have Internet connection, so useful for troubleshooting.

see you soon in the Day3 hands-on!

DAY1 -Basic VPC Configuration

maso — Wed, 28 Jan 2026 16:03:36 +0000

Overview

Today, I'm building　a basic VPC configuration to get hands-on experience with the following services.
VPC / Subnet / IGW / CloudWatch Logs

※Please be mindful of the region! It's better to use one region through hands-on series to prevent unpredictable charges.

Hands-on

1. Build VPC

To understand the steps deeply, create VPC only.

Enable DNS Resolution and DNS hostname on.

2. Create subnets.

Make 4 subnets (public and private subnet, 2AZ).

Similarly, create public subnet in AZb (10.0.1.0/24), private subnet in AZa (10.0.10.0/24), private subnet in AZb (10.0.11.0/24).

Choose public subnets → Edit settings → Enable "Auto-assign public IPv4 address"
It makes DAY2 hands-on easier.

3. Build Internet Gateway (IGW)

Create IGW and attach it to VPC which you've made in Step1.

4. Create two Route tables.

1. Public route table

Create route table → Edit Routes → Add route (Destination:0.0.0.0/0 Target IGW) → associate 2 public subnets

2. Private route table

Create route table → associate 2 private subnets

※NAT gateway is required for private subnet to connect with Internet, but this time I will build S3 endpoint.

5. Build S3 Gateway Endpoint

There are two types of VPC endpoints, but this time I'm using Gateway endpoint as it's afordable.

Gateway endpoint: for S3 and DynamoDB only. Connect via the AWS internal network.
Interface endpoint: For many services. Connect via the ENI.

Choose S3(Gateway), VPC made in Step1, Private route table made in Step4, and full access (I will adjust permissions later).

6. Configure VPC Flow Logs

1. Create Log group. (make retention 1 to 3 days to prevent small charges)

2. Create IAM Role for Flow logs.

1. Create IAM Policy

Use following policy to permit VPC flow log to send logs to cloudwatch.

"policy-for-flowlog.json"


{
  "Version":"2012-10-17",                
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

2. Create Role

Use following policy as custom trust policy → attach the policy in the previous step.

"policy-for-flowlog.json"

{
  "Version":"2012-10-17",                
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

3. Create Flow log

VPC → Actions → Create flow log
set Filter All and choose Log group and IAM role created in previous steps.

That's all for Day1 hands-on!
I built VPC settings for tomorrow.
Tomorrow, I'm building EC2 instances in VPC.

For test

Key point for the test which are associated with services used today's hands-on!

Important services

Internet Gateway:

The Amazon VPC side of a connection to the public Internet.

NAT Gateway:

Managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

Hardware VPN Connection:

A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.

Virtual Private Gateway:

The Amazon VPC side of a VPN connection.

Customer Gateway:

Your side of a VPN connection.

Peering Connection:

A peering connection enables you to route traffic via private IP addresses between two peered VPCs.

VPC Endpoints:

Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

Egress-only Internet Gateway:

A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

See you soon in Day2 hands-on!

Let's get AWS Certified Solutions Architect – Professional in 7 days!!

maso — Tue, 27 Jan 2026 12:58:05 +0000

Introduction

This is my first time writing a blog post.
First, let me introduce myself. I worked in an IT company as a cloud engineer for 4 years and used AWS at work. A year ago, I quit my job and came to Australia to learn English.
So, my English skills are limited, but I believe this blog will be a good practice for me.
I previously held AWS certification, but it has expired. The primary goal of this blog is to retake my certification exam while writing in English!

Schedule

You can check the in-scope services.
https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Exam-Guide.pdf
I'm planning to do hands-on labs for as many of these services as possible in 7 days except for expensive services like Outposts / Wavelength / Direct Connect... (but I will summarize the key points of these services)

Day	Title	Services used
Day0	Set cost alert (Today!!)	AWS Budgets
Day1	Basic VPC Configuration	VPC / Subnet / IGW / CloudWatch
Day2	EC2 + remote access	EC2 / IAM / SSM
Day3	Monitoring and Scaling	ALB / Auto Scaling
Day4	Storage Configuration	S3 / EBS / EFS
Day5	Data layer	DynamoDB / RDS
Day6	Event-driven	EventBridge / Step Functions
Day7	IaC	CloudFormation

Let's get certification in 7 days!

Hands-on(Day0)

Today, I'm setting budget alert to avoid unexpected charges.(I was charged 200$ when I forgot to reduce the resource of Amazon Bedrock...It's so important!!)

1.Set cost alert by AWS Budget

Set an alert to trigger when it exceeds $15 by using "monthly cost alert" templete.
※It shouldn't exceed $15 to finish this hands-on.

2.Activate Cost Explorer

If you use a new account,you need to activate Cost Explorer which are useful to analyze your spends.

See you soon in Day1 hands-on!
/Link will be updated/