DEV Community: nainarmalik

How I Finally Passed the AWS Certified Solutions Architect – Professional Exam (SAP-C02)

nainarmalik — Fri, 19 Dec 2025 14:25:14 +0000

Hey dev.to community! 👋

After months of preparation (and a fair bit of stress), I finally passed the AWS Certified Solutions Architect – Professional exam on my first attempt. This certification has a reputation for being one of the toughest in the IT world – often called a "beast" – and I can confirm: it lives up to the hype.
If you're gearing up for the SAP-C02 (the current version as of late 2025), I wanted to share my exact study strategy, resources, and lessons learned. This approach worked for me with real-world AWS experience under my belt, but it focused heavily on deep understanding rather than rote memorization.

Why This Certification Matters

The AWS Solutions Architect Professional validates your ability to design complex, distributed systems on AWS – think multi-account strategies, hybrid architectures, migration at scale, cost optimization, security, and resilience. It's not just about knowing services; it's about choosing the right ones for real-world scenarios.
It's challenging because:

Questions are long, scenario-based, and full of distractors.
You need to weigh trade-offs (cost vs. performance vs. security).
It covers a massive scope, including advanced topics like organizations, multi-region DR, and service integrations.

But passing it feels incredible – it's a huge confidence booster and a standout on any resume.

My Study Resources

I kept it simple and stuck to two high-quality resources that are widely praised in the community:

Stéphane Maarek's Ultimate AWS Certified Solutions Architect Professional Course on Udemy

This was my primary resource. Stéphane is an AWS Hero and an excellent instructor – clear, concise, and focused on exam-relevant architectures.
I watched the entire course once at normal speed to fully understand the topics (services deep-dives, Well-Architected Framework, migration strategies, etc.).
Then, I rewatched the same videos at 2x speed for reinforcement. This helped solidify concepts without burning out.

Tutorials Dojo Practice Exams (by Jon Bonso)

These are gold standard for Professional-level prep. The questions are tough, detailed, and very close to the real exam in style and difficulty.
I took all the sets in timed mode first, then switched to review mode.
Crucially: I reviewed every single question, even the ones I got right. I compared my reasoning to the explanations to ensure my logic aligned (or to learn better approaches).
This process revealed my weak spots (e.g., advanced networking, organizations, or specific service limits), and I went back to Stéphane's course or AWS docs to drill those.

No other resources – no books, no free YouTube scattered videos. Consistency with these two was key.
My Study Timeline

Total time: About 2-3 months (part-time, alongside work).
Phase 1: Full course watch + notes.
Phase 2: 2x speed review.
Phase 3: Practice exams (multiple rounds) + targeted revision.
I aimed for 85%+ consistently on Tutorials Dojo before booking the exam.

Pro tip: Hands-on experience is invaluable. If you don't have it from work, build labs (e.g., multi-account setups, migrations) using the AWS Free Tier or Skill Builder labs.

The Exam Day Experience

*The exam was a beast.
*
75 questions, 180 minutes.
Scenarios are wordy – expect paragraphs describing enterprise setups with multiple requirements and constraints.
Many questions have 4-5 viable-sounding options; you have to spot the best one based on nuances.
Time management is critical: I flagged tricky ones and returned later.
I finished with ~20 minutes left for review.

I walked out unsure (classic AWS exam feeling), but the pass notification came quickly. Score was solid – thanks to the deep review process.

Key Tips for Success

Understand, don't memorize: Know why a service is chosen over alternatives.
Master the distractors: AWS loves throwing in plausible but suboptimal options.
Focus on domains: Organizational complexity, resilience, migration, and cost optimization are heavy.
Read explanations deeply: Especially in practice exams – this is where the real learning happens.
Simulate exam conditions: Timed, no distractions.
Stay calm: The exam tests endurance as much as knowledge.

If you're preparing, you got this! It's tough, but achievable with disciplined prep. Drop a comment if you have questions – happy to help.
Now onto the next one... maybe GenAI Professional? :-)

Building and Sharing an AMI Using AWS Image Builder

nainarmalik — Fri, 27 Sep 2024 09:38:08 +0000

AWS Image Builder is a powerful tool that helps automate the process of creating and distributing Amazon Machine Images (AMIs) across AWS accounts or regions. In many scenarios, you might want to share an AMI with another AWS account without actually copying it to that account, reducing storage costs and making management easier.

In this blog post, I will walk you through how I set up an Image Builder pipeline to create a custom Windows Server 2022 AMI. As part of this process, we will install Terraform, the AWS PowerShell Module, and other tools. The key objective is to share the AMI with a target AWS account without copying it. This setup is useful for environments where you need to distribute AMIs for usage across different accounts while keeping centralized control over the image versions.

By the end of this guide, you’ll understand how to:

Set up the necessary AWS infrastructure (VPC, Subnets, IAM roles) for the Image Builder process.
Create Image Builder components to install tools like Terraform and AWS PowerShell on a Windows Server 2022 base image.
Build and share the AMI with a target AWS account without copying it, saving storage and simplifying management.
Step 1: Setting Up the AWS Infrastructure
Before creating and distributing an AMI, it’s important to set up the networking and security infrastructure to host the EC2 instance that Image Builder will use to create the AMI.

1.1 Create a Custom VPC
We start by setting up a custom Virtual Private Cloud (VPC) to provide the networking environment for our resources. This VPC includes a public subnet, an Internet Gateway for internet access, and a route table to direct traffic.

resource "aws_vpc" "custom_vpc" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = { Name = "CustomVPC" }
}

1.2 Create a Public Subnet and Internet Gateway
Next, we create a public subnet within the VPC. This subnet will allow the EC2 instances to have public IP addresses for accessing resources like AWS services or the internet. An Internet Gateway and appropriate route table are also created to route traffic.

resource "aws_subnet" "public_subnet" {
  vpc_id                  = aws_vpc.custom_vpc.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  tags = { Name = "PublicSubnet" }
}

resource "aws_internet_gateway" "custom_igw" {
  vpc_id = aws_vpc.custom_vpc.id
  tags = { Name = "CustomInternetGateway" }
}

resource "aws_route_table" "custom_route_table" {
  vpc_id = aws_vpc.custom_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.custom_igw.id
  }
  tags = { Name = "CustomRouteTable" }
}

1.3 Create a Security Group
A security group is created to allow inbound and outbound traffic to/from the EC2 instances in the public subnet. Here, all traffic is allowed, but in production, you might want to restrict access to specific ports.

resource "aws_security_group" "custom_sg" {
  vpc_id      = aws_vpc.custom_vpc.id
  description = "Security group for allowing all inbound and outbound traffic"
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"  # All protocols
    self        = true  # Allow traffic from itself
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Name = "CustomSecurityGroup" }
}

Step 2: Setting Up the EC2 Instance Profile and IAM Role
To allow the EC2 instances to interact with other AWS services, such as SSM (AWS Systems Manager) and Image Builder, we need an IAM role with appropriate permissions. This role will be associated with an EC2 instance profile.

resource "aws_iam_role" "custom_ec2_instance_profile_role" {
  name = "EC2InstanceProfileForImageBuilderCustom"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect    = "Allow",
        Principal = { Service = "ec2.amazonaws.com" },
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "custom_ec2_ssm_policy" {
  role       = aws_iam_role.custom_ec2_instance_profile_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

This IAM role allows the EC2 instance to interact with the AWS Systems Manager (SSM) for seamless management of the instance during AMI creation.

Step 3: Creating AWS Image Builder Components
AWS Image Builder allows us to define custom components (scripts and instructions) that will be executed during the AMI creation process. Let’s create two custom components that install Terraform and the AWS PowerShell module.

3.1 Component to Install Terraform
We can create a component that uses PowerShell to install Terraform during the AMI build process.

resource "aws_imagebuilder_component" "terraform_powershell_component" {
  name        = "TerraformThroughPowershell"
  version     = "1.0.0"
  platform    = "Windows"
  data = <<EOT
{
  "schemaVersion": "1.0",
  "phases": [
    {
      "name": "build",
      "steps": [
        {
          "name": "InstallTerraform",
          "action": "ExecutePowerShell",
          "inputs": {
            "commands": [
              "Invoke-WebRequest -Uri 'https://releases.hashicorp.com/terraform/1.5.0/terraform_1.5.0_windows_amd64.zip' -OutFile 'C:\\terraform.zip';",
              "Expand-Archive -Path 'C:\\terraform.zip' -DestinationPath 'C:\\terraform';",
              "Move-Item -Path 'C:\\terraform\\terraform.exe' -Destination 'C:\\Windows\\System32\\';",
              "terraform -version;"
            ]
          }
        }
      ]
    }
  ]
}
EOT
}

3.2 Component to Install NuGet and AWS PowerShell
This component installs NuGet and the AWS PowerShell module, allowing the EC2 instance to interact with AWS services.

resource "aws_imagebuilder_component" "nuget_aws_powershell_component" {
  name        = "NuGetAndAWSPowerShellInstaller"
  version     = "1.0.0"
  platform    = "Windows"
  data = <<EOT
{
  "schemaVersion": "1.0",
  "phases": [
    {
      "name": "build",
      "steps": [
        {
          "name": "InstallNuGetAndAWSPowerShell",
          "action": "ExecutePowerShell",
          "inputs": {
            "commands": [
              "Install-PackageProvider -Name NuGet -Force -Scope CurrentUser;",
              "Install-Module -Name AWSPowerShell -AllowClobber -Force -SkipPublisherCheck;"
            ]
          }
        }
      ]
    }
  ]
}
EOT
}

Step 4: Creating an AWS Image Builder Recipe
An Image Builder recipe combines components and parent images to define how an AMI should be built. In this case, we are using Windows Server 2022 as the base image and adding the Terraform and AWS PowerShell components to it.

resource "aws_imagebuilder_image_recipe" "custom_recipe" {
  name          = "CustomRecipe"
  version       = "1.0.0"
  parent_image  = "arn:aws:imagebuilder:eu-central-1:aws:image/windows-server-2022-english-core-base-x86/x.x.x"

  component {
    component_arn = aws_imagebuilder_component.terraform_powershell_component.arn
  }

  component {
    component_arn = aws_imagebuilder_component.nuget_aws_powershell_component.arn
  }
}

Step 5: Sharing the AMI Without Copying It
AWS Image Builder can share the AMI with a target account by setting launch_permission in the distribution configuration. This allows the target account to launch instances using the AMI without copying it.

resource "aws_imagebuilder_distribution_configuration" "custom_distribution" {
  name = "CustomDistribution"

  distribution {
    region = "eu-central-1"

    ami_distribution_configuration {
      name = "${var.ami_name}-{{ imagebuilder:buildDate }}"

      launch_permission {
        user_ids = [var.target_account_id]
      }
    }
  }
}

Step 6: Creating the Image Builder Pipeline
Finally, the Image Builder pipeline is configured to orchestrate the entire AMI build process.

resource "aws_imagebuilder_image_pipeline" "custom_pipeline" {
  name                               = "CustomPipeline"
  image_recipe_arn                   = aws_imagebuilder_image_recipe.custom_recipe.arn
  infrastructure_configuration_arn   = aws_imagebuilder_infrastructure_configuration.custom_infra_config.arn
  distribution_configuration_arn     = aws_imagebuilder_distribution_configuration.custom_distribution.arn
  status                             = "ENABLED"
}

Conclusion

Using AWS Image Builder, we can easily automate the creation and sharing of AMIs across accounts. In this example, we set up a Windows Server 2022 AMI and installed useful tools like Terraform and the AWS PowerShell module. By configuring launch permissions, the AMI can be shared with other AWS accounts without copying it, reducing storage costs and simplifying management. This setup, combined with Terraform, makes the process repeatable and efficient.

Restrict Access to AWS Quicksight based on source ip

nainarmalik — Sun, 11 Feb 2024 19:48:57 +0000

Amazon QuickSight is a fast, cloud-native business intelligence service that makes it easy to create and share interactive dashboards. It offers machine learning insights to all users, connects to many data sources, and has a cost-effective pay-per-session pricing model. QuickSight simplifies data analysis, helping businesses make informed decisions quickly.

We noticed that the quicksight can be accessed from any device which was surprising to us in the beginning. Here are the steps we followed to restrict the access based on ip of the client.

To enable IP-based restrictions for the users who has access to QuickSight admin console takes the following steps:

On the QuickSight console, on the user name menu, choose Manage QuickSight.

In the navigation pane, choose Security & permissions.

Under IP restrictions, choose Manage.

For IP address, enter the IP address which is to be allowed access in CIDR format.

Choose Add.

To edit an existing rule, choose the pencil icon next to the rule.

To delete an existing rule, choose the trash icon next to the rule.

Make sure to add your own IP address to the list to prevent being locked out yourself.

After you add, edit or delete IP address rules, choose Save changes.

Turn on the rules to start your IP-based restriction.

When the IP restriction is turned on and the list of allowed IP addresses in CIDR format is in place, any authorised user trying to access QuickSight when not logged in to the organizations VPN (regardless of their role of admin, author, or reader) is presented with an error page.

get IAM users from all AWS accounts (organization)

nainarmalik — Thu, 16 Feb 2023 12:12:24 +0000

Hi,

IAM (Identity and Access Management) users are a critical component of any organization's security infrastructure. They represent the individuals or entities that have access to an organization's sensitive information, systems, and applications. It is essential to keep an eye on the IAM users of the entire organization for several reasons:

Security: IAM users are the gatekeepers of an organization's digital assets. If a hacker gains access to an IAM user account, they can potentially access confidential data, modify or delete important files, and even bring down the entire network. Monitoring IAM users can help identify suspicious activities, such as attempts to access restricted resources or unusual login patterns, allowing security teams to respond quickly and prevent unauthorized access.

Compliance: Many regulatory frameworks require organizations to have proper access controls in place and to monitor and audit user activity. Keeping an eye on IAM users can help organizations ensure that they are meeting compliance requirements and avoid costly fines and legal repercussions.

User management: Monitoring IAM users can help organizations identify inactive or unnecessary accounts, which can be removed or disabled, reducing the attack surface and improving the overall security posture. Additionally, organizations can use IAM user monitoring to identify users who have too many privileges and limit their access to reduce the risk of internal threats.

Data protection: By keeping an eye on IAM users, organizations can ensure that only authorized individuals have access to sensitive data. IAM user monitoring can help identify and alert security teams to any unusual access attempts, which can indicate a potential data breach.

In summary, keeping an eye on IAM users is critical to maintaining the security, compliance, and overall risk posture of an organization. It allows organizations to proactively identify potential threats and take action to mitigate risks before they can cause significant damage.

Here is how you can get the list of all IAM users in your organization:

Get all the member accounts.
Trigger "generate_credential_report" API on all the member accounts by assuming a role on the member accounts.
Trigger "get_credential_report" API on all the member accounts by assuming a role on the member accounts.
Consolidate the report.

P.S: Step 2 and 3 are done separately as I was encountering report not ready exception sometimes.

If you're looking for further help, here is a snippet you can modify according to your need.

`
import json
import boto3
import io
import csv

from datetime import datetime

def lambda_handler(event, context):
organizations_client = boto3.client('organizations')
sts_client = boto3.client('sts')
iam_client = boto3.client('iam')

#1. Get all the member accounts
marker=None
paginator = organizations_client.get_paginator('list_accounts')
page_iterator = paginator.paginate(PaginationConfig={
 'MaxItems': 200,
 'PageSize': 10,
    'StartingToken':marker
})
active_accounts=[]  
f = open("/tmp/all_users.csv", "w+")
temp_csv_file = csv.writer(f, escapechar=' ', quoting=csv.QUOTE_NONE)

#2.Filter for only active accounts
for page in page_iterator:        
    for account in page['Accounts']:
        if account['Status']=='ACTIVE':
            account=str(account['Id'])
            active_accounts.append(account)

current_account = sts_client.get_caller_identity()['Account']
consolidated_data=''

#3.Generate Credentials Report
for account in active_accounts:
    if account !=current_account:
        ROLE_ARN=f'arn:aws:iam::{account}:role/OrganizationAccountAccessRole'
        sts_response = sts_client.assume_role(RoleArn=ROLE_ARN, RoleSessionName=account)
        assumed_client=boto3.client('iam',aws_access_key_id=sts_response["Credentials"]["AccessKeyId"],aws_secret_access_key=sts_response["Credentials"]["SecretAccessKey"],aws_session_token=sts_response["Credentials"]["SessionToken"])
        assumed_client.generate_credential_report()
    else:
        response = iam_client.generate_credential_report()

#4.Generate Credentials Report & consolidate
for account in active_accounts:
    if account !=current_account:
        ROLE_ARN=f'arn:aws:iam::{account}:role/OrganizationAccountAccessRole'
        sts_response = sts_client.assume_role(RoleArn=ROLE_ARN, RoleSessionName=account)
        assumed_client=boto3.client('iam',aws_access_key_id=sts_response["Credentials"]["AccessKeyId"],aws_secret_access_key=sts_response["Credentials"]["SecretAccessKey"],aws_session_token=sts_response["Credentials"]["SessionToken"])
        response = assumed_client.get_credential_report()
        user_data=response['Content']
        user_data_decoded=user_data.decode('utf-8')
        consolidated_data=consolidated_data+user_data_decoded
    else:
        response = iam_client.get_credential_report()
        user_data=response['Content']
        user_data_decoded=user_data.decode('utf-8')
        consolidated_data=consolidated_data+user_data_decoded

temp_csv_file.writerow([consolidated_data])
f.close()

DynamoDB get all records

nainarmalik — Tue, 19 Jul 2022 13:13:30 +0000

Hey,

Here is a quick hands-on of retrieving all rows from a dynamodb table.

`
from pprint import pprint
from time import sleep
import boto3
from botocore.exceptions import ClientError

def get_data(dynamodb=None):
if not dynamodb:
dynamodb = boto3.resource('dynamodb',region_name='YOUR_REGION')

table = dynamodb.Table('YOUR_TABLE_NAME')

try:
    response = table.scan()
    data = response['Items']

    while 'LastEvaluatedKey' in response:
        response = table.scan(ExclusiveStartKey=response['LastEvaluatedKey'])
        data.extend(response['Items'])

except ClientError as e:
    print(e.response['Error']['Message'])
else:
    return response

if name == 'main':
data = get_data()
if data:
pprint(data, sort_dicts=False)
`
`

P.S:
1.You need to configure the aws credentials.
2.Replace YOUR_REGION with the region name where the dynamodb table is located.
3.Replace YOUR_TABLE_NAME with the actual name of the dynamodb table.

Feel free to ask if you have any clarifications.

S3 Cross account Replication with KMS

nainarmalik — Thu, 07 Jul 2022 14:28:22 +0000

This post describes how can we replicate objects to a bucket owned by a different AWS account? What if the objects are encrypted?

This article discusses a method to configure replication for S3 objects from a bucket in one AWS account to a bucket in another AWS account, using server-side encryption using Key Management Service (KMS).
*Setup Requirements *

Two AWS accounts: We need two AWS accounts with their account IDs.

Source and destination buckets: We need an S3 bucket in the source account where the objects are created/uploaded and an S3 bucket in the destination account to store the replicated objects.

Source and destination KMS keys: We need KMS keys created in both source and destination accounts.

Some of the requirements for configuring replication are:
Both source and destination buckets must have versioning enabled.
S3 service must be allowed permissions to replicate objects from the source bucket to the destination bucket on your behalf.

Let’s refer to the source AWS account as account A and the destination AWS account as account B.

Configuration needed on account A:

1. Create AssumeRole and allow S3 service

{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "Service": "s3.amazonaws.com" }, "Effect": "Allow", "Sid": "VisualEditor0" } ] }

2.
Create IAM policy allowing KMS keys to encrypt and decrypt

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetReplicationConfiguration", "s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging", "s3:GetObjectVersion", "s3:ObjectOwnerOverrideToBucketOwner" ], "Effect": "Allow", "Resource": [ "<accountA-S3-Bucket-ARN>", "<accountA-S3-Bucket-ARN>/*" ] }, { "Action": [ "s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags", "s3:GetObjectVersionTagging", "s3:ObjectOwnerOverrideToBucketOwner" ], "Effect": "Allow", "Resource": "<accountB-S3-Bucket-ARN>/*" }, { "Action": [ "kms:Decrypt" ], "Effect": "Allow", "Resource": "<accountA-KMS-Key-ARN>" }, { "Action": [ "kms:Encrypt" ], "Effect": "Allow", "Resource": "<accountB-KMS-Key-ARN>" } ] }

3.
Set up replication configuration on S3 bucket and add replication rule through AWS console UI or IAC.

Configuration needed on account B:

Configure KMS key policy to allow S3 service to encrypt data in accountB bucket during replication

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Principal": { "AWS": [ "<accountA-IAM-Role-ARN>" ] }, "Action": [ "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<accountB-AWS-AccountID>:root" ] }, "Action": [ "kms:*" ], "Resource": [ "*" ] } ] }

2.Configure S3 bucket policy to grant accountA permissions to perform replication actions

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<accountA-AWS-AccountID>:root" ] }, "Action": [ "s3:GetBucketVersioning", "s3:PutBucketVersioning", "s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner" ], "Resource": [ "<accountB-S3-Bucket-ARN>", "<accountB-S3-Bucket-ARN>/*" ] } ] }

This way, the objects can be replicated across different accounts.

Getting started with Lambda

nainarmalik — Mon, 09 May 2022 09:18:58 +0000

Hi Everyone,

Recently I came across this beginner friendly course on boto3 and lambda.

You would be able to create lambda functions, create triggers and become a serverless pro. There are so many courses out there on multiple platform. I found this course economical and beginner friendly on udemy.

https://www.udemy.com/share/101Vx03@xfFx_n_sa1T4Df_M9C4cCG_wAGrE2VhvTX9LcaefejVXI5igtWwB3X-rlFQNbzWq/

P.S: Always bookmark / wishlist your course on udemy and buy it when there is a great discount. You could buy the same course at 1/10th of its price.

If you have any other recommendations related to serverless courses please do post on the comment.

Catch you all soon on the next post.

Cheers!