Copyright © 2020 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-119-56155-2
ISBN: 978-1-119-56157-6 (ebk.)
ISBN: 978-1-119-56152-1 (ebk.)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2020931495
TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
I dedicate this book to my husband for his patience and encouragement throughout the writing process. Getting this book finished meant many missed nights in Azeroth; it's a labor of love for sure!
—Sara Perrott
This one is for Addie, who has literally grown up before my eyes while I've been working on this book. Addie, I'm so proud of you, and love you tons, even though you won't understand a word of what's in this giant tome.
—Brett McLaughlin
While a book may be a labor of love for an author, there is a fantastic team of people behind the author or authors that makes the book a reality. First off, a shout-out to our team at Wiley, who put in a lot of hard work to take the book from a manuscript to the finished book in front of you now. My gratitude to our editor, Adaobi Obi Tulton, who kept us on task and helped to polish the text. Another shout-out to our technical editor, John Mueller, whose guidance and keen eye helped to make this book better.
My personal thanks also to my agent, Carole Jelen, and to my coworkers, who put up with my need to take extra personal days to finish the book.
—Sara Perrott
Sara speaks the truth when she says that it's rarely clear to anyone but the authors just how much help is needed to pull off a book. In this case, Sara is both a great author and someone who came in to help when I was frankly drowning! She's made this book tremendously more valuable and you wouldn't have it in your hands without her saving the day.
Adaobi also deserves more praise than can fit into a short paragraph. From helpful comments to gentle nudges to (at times) much-needed, “Look, I really need that chapter, Brett,” every email I received from Adaobi was right on time and just what was needed.
The rest of my thanks to the entire Wiley team, our technical editor, John, and my own agent (and Sara's), Carole. Until next time, when we can all do it again!
—Brett McLaughlin
Sara Perrott is an information security professional with a systems and network engineering background. She shares her passion for all things information technology by teaching classes related to Windows Server, Amazon Web Services, networking, and virtualization, as well as other classes when needed at a local community college. She enjoys speaking at public events and presented most recently at the RSA Conference in 2019. Sara also enjoys technical editing and technical proofreading and has had the pleasure to work on a few projects doing this type of work.
When Sara is not working or writing, she enjoys spending time with her husband playing World of Warcraft, building robots, and playing with her ham radio. She also loves playing with her two pugs. Sara has a website where you can see some of the things she has been up to at www.saraperrott.com. You can also follow her on Twitter (@PerrottSara) and Facebook (@PerrottSara).
Brett McLaughlin has been working and writing in the technology space for over 20 years. Today, Brett's focus is squarely on cloud and enterprise computing. He has quickly become a trusted name in helping companies execute a migration to the cloud—and, in particular, Amazon Web Services—by translating confusing cloud concepts into a clear, executive-level vision. He is the chief technical officer (CTO) of Volusion, an e-commerce platform company based in Austin, Texas. Prior to Volusion, Brett has led large-scale cloud migrations for NASA's Earth Science program and the RockCreek Group's financial platform.
In addition to his work with technology, Brett is a gifted and in-demand author and video educator. In addition to numerous AWS-specific projects for Wiley, he has recently completed over 12 hours of certification training, also for Wiley, and is in preproduction on two cloud-based introductory courses for LinkedIn Learning. He is an AWS Certified Solutions Architect, Business Professional, and has managed the advancement of small businesses to AWS Partners, at both the standard and advanced tiers. You can find Brett online most easily at www.brettdmclaughlin.com.
John Mueller is a freelance author and technical editor. He has writing in his blood, having produced 114 books and more than 600 articles to date. The topics range from networking to artificial intelligence and from database management to heads-down programming. Some of his current books include discussions of data science, machine learning, and algorithms. His technical editing skills have helped more than 70 authors refine the content of their manuscripts. John has provided technical editing services to various magazines, performed various kinds of consulting, and writes certification exams. Be sure to read John's blog at http://blog.johnmuellerbooks.com/. You can reach John on the Internet at John@JohnMuellerBooks.com. John also has a website at www.johnmuellerbooks.com/.
Exercise 1.1 Use the AWS CLI
Exercise 1.2 Configure the AWS CLI for Your AWS Account
Exercise 1.3 List S3 Buckets Using the CLI
Exercise 1.4 Create a New S3 Bucket Using the CLI
Exercise 2.1 Create a Custom CloudWatch Dashboard
Exercise 2.2 Add EC2 Line Metrics
Exercise 2.3 Name Your Widgets
Exercise 2.4 Create a Text Widget
Exercise 3.1 Create an AWS Organization
Exercise 3.2 Define and Apply an SCP
Exercise 4.1 Create a New S3 Bucket for Storing Configuration Information
Exercise 4.2 Create a New SNS Topic for Notifications of Configuration Changes
Exercise 4.3 Create a New IAM Role for the AWS Config Service to Use
Exercise 4.4 Give Your New Role Permission to Access Your S3 Bucket
Exercise 4.5 Turn On AWS Config and Direct It to the Created Resources
Exercise 4.6 Turn Off AWS Config
Exercise 5.1 Create a New Cross-Region Trail for Logging S3 Write Access
Exercise 5.2 View a CloudTrail Log
Exercise 5.3 Set Up Automatic Notifications When a Trail Writes a Log
Exercise 7.1 Create a Launch Configuration
Exercise 7.2 Create an Auto Scaling Group
Exercise 8.1 Create a VPC Peering Connection
Exercise 8.2 Create a Bastion Host and Configure for Use
Exercise 9.1 Create a Role for SSM and Attach It to Your EC2 Instances
Exercise 9.2 Tag Your EC2 Instances
Exercise 9.3 Set Up Your Resource Groups Based on Tags
Exercise 9.4 Use the Run Command to Install Apache on Web Servers
Exercise 9.5 Create a Parameter for a License Key
Exercise 9.6 Connect to Your EC2 Instance with Session Manager
Exercise 9.7 Configure Patch Manager for Your EC2 Instances
Exercise 10.1 Create an S3 Bucket
Exercise 10.2 Enable Default Encryption
Exercise 10.3 Enable Versioning
Exercise 10.4 Create and Apply a Bucket Policy
Exercise 10.5 Create a Lifecycle Policy
Exercise 11.1 Create an Unencrypted EBS Volume
Exercise 11.2 Use a Snapshot to Encrypt EBS Volumes
Exercise 11.3 Attach the Encrypted EBS Volume to an Amazon EC2 Instance
Exercise 11.4 Turn On Default EBS Encryption for Your Account
Exercise 12.1 Create an EC2 Instance from an AMI
Exercise 12.2 Create a Custom AMI
Exercise 12.3 Change the Launch Permissions of the AMI
Exercise 13.1 Create an IAM User
Exercise 13.2 Generate an Access Key
Exercise 13.3 Enable MFA
Exercise 13.4 Create a Password Policy
Exercise 13.5 Create a Role
Exercise 14.1 Set Up a Trail in AWS CloudTrail
Exercise 14.2 Set Up an Amazon CloudWatch Alarm
Exercise 14.3 Set Up an Amazon CloudWatch Dashboard
Exercise 14.4 Configure a Rule in AWS Config
Exercise 15.1 Set Up and Configure Amazon Inspector
Exercise 15.2 Set Up and Configure Amazon GuardDuty
Exercise 16.1 Create a VPC
Exercise 16.2 Create a Subnet and Add It to a Route Table
Exercise 16.3 Create a VPC Endpoint for S3
Exercise 16.4 Create a Security Group
Exercise 16.5 Create a NACL
Exercise 17.1 Create a Hosted Zone
Exercise 17.2 Create a Health Check
Exercise 17.3 Create the A Records for Failover
Exercise 18.1 Create a CloudFormation Stack
Exercise 19.1 Deploy a Sample Application in Elastic Beanstalk
Anyone who has taken an AWS certification exam can tell you that the exams are not easy. The right study materials can make all the difference when taking the AWS Certified SysOps Administrator – Associate exam.
To pass the exam, you must understand the various services across the AWS ecosystem that enable you to do system administration work. This book is an excellent resource for your certification journey. In addition to this book, Sybex offers AWS Certified SysOps Administrator – Associate Exam Practice Tests, which gives you a variety of questions related to the material in this book and beyond to ensure that you are well prepared to take the exam. Other materials that I recommend would be the AWS documentation (typically available as HTML and PDF) and the FAQs.
You should have hands-on experience with AWS before taking this exam. The exercises in this book will help you build on that experience. When you first sign up for an AWS account, you get 12 months of free-tier access. This means that as long as you stick to free tier–eligible items, and you don't exceed the hours or usage specified, you can practice building your infrastructure in AWS. Practice with the console, but also practice with the AWS command-line interface (CLI). You don't have to be an AWS CLI expert to pass the exam, but you should be familiar enough with it to know the format of common AWS CLI commands.
I highly recommend reading the book cover to cover. At the end of each chapter, pause and take a moment to go through the review questions to test your knowledge of the material you have covered. Once you have finished the book, take advantage of the practice tests and flashcards available to you online after registering your book. These study aids will ensure that you have the knowledge necessary to pass the exam.
When you register for the exam, you have your choice of either PSI or Pearson Vue for your testing center. As of this writing, the cost for the associate exam is $150 USD. The questions will be in either a multiple-choice or a multiple-answer format. You have a total of 130 minutes to finish the exam.
Now that you know the basics and the recommended resources, let's review how this book is laid out.
The first part of the book starts with the foundational topics that you need to know and understand before you dig into the rest of the book content. These topics include the Shared Responsibility Model and various methods to access resources in AWS.
The second part of the book focuses entirely on monitoring and reporting tools that are available within AWS. You will learn more about Amazon CloudWatch, AWS CloudTrail, AWS Config, and AWS Organizations. Each chapter in this part provides coverage on these topics in detail.
In the third part of this book, the focus shifts to highly available services and creating highly available architectures. AWS’ managed service for databases, Amazon Relational Database Service (RDS), is discussed along with Auto Scaling.
In the fourth part of the book, we look at virtual private cloud (VPC) peering and bastion hosts. We also cover AWS Systems Manager, as well as all of its components that make it a valuable deployment and provisioning utility.
In the fifth part of the book, we look at storage with a focus on Simple Storage Service (S3), Glacier, and Elastic Block Store (EBS). We also examine data security and encryption as well as data life-cycle management.
In the sixth part of the book, the focus changes to security and compliance topics. We first cover identity and access management (IAM), and then reporting and logging from a security and compliance perspective. We end this part with a chapter on additional security tools that you need to know and understand for the exam.
In the seventh part of the book, we cover networking topics. We start with networking basics, virtual private cloud, and network address translation (NAT), and we end with DNS services and Route 53.
In the eighth and final section, we shift to automation and optimization. Infrastructure as a Service is discussed, and AWS CloudFormation is covered in detail. Elastic Beanstalk is also covered, which is AWS’ platform as a service (PaaS).
This book covers the topics that you will need to understand to prepare you to take the AWS Certified SysOps Administrator – Associate exam. The topics that we cover in this book include the following:
Tools have been developed to aid you in studying for the Amazon Certified SysOps Administrator – Associate exam. These tools are all available for no additional charge here:
www.wiley.com/go/sybextestprep
Just register your book to gain access to the electronic resources that are listed here.
The AWS Certified SysOps Administrator – Associate exam is designed with system administrators who have been working with AWS in an operational capacity for at least one year in mind. The exam candidate will ideally have experience in deploying resources and managing existing resources, as well as performing basic operational tasks like troubleshooting issues and monitoring and reporting.
As a general rule, before you take this exam, you should:
This table provides you with a listing of each domain on the exam, the weights assigned to each domain, and a listing of the chapters where content in the domains is addressed.
| Domain | Exam Percentage | Chapters |
| --- | --- | --- |
| Domain 1: Monitoring and Reporting | 22% | |
| 1.1 Create and maintain metrics and alarms utilizing AWS monitoring services | | 2, 3, 4, 5, 14 |
| 1.2 Recognize and differentiate performance and availability metrics | | 2, 14, 16 |
| 1.3 Perform the steps necessary to remediate based on performance and availability metrics | | 2, 5, 14 |
| Domain 2: High Availability | 8% | |
| 2.1 Implement scalability and elasticity based on use case | | 1, 6, 7, 12, 16, 17, 18, 19 |
| 2.2 Recognize and differentiate highly available and resilient environments on AWS | | 1, 6, 7, 10, 11, 12, 13, 15, 16, 17, 18, 19 |
| Domain 3: Deployment and Provisioning | 14% | |
| 3.1 Identify and execute steps required to provision cloud resources | | 1, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19 |
| 3.2 Identify and remediate deployment issues | | 4, 5, 6, 9, 11, 12, 14, 16, 17, 18, 19 |
| Domain 4: Storage and Data Management | 12% | |
| 4.1 Create and manage data retention | | 10, 11 |
| 4.2 Identify and implement data protection, encryption, and capacity planning needs | | 10, 11, 12 |
| Domain 5: Security and Compliance | 18% | |
| 5.1 Implement and manage security policies on AWS | | 1, 4, 9, 13, 15 |
| 5.2 Implement access controls when using AWS | | 1, 3, 4, 9, 10, 12, 13, 15 |
| 5.3 Differentiate between the roles and responsibility within the shared responsibility model | | 1, 13, 15 |
| Domain 6: Networking | 14% | |
| 6.1 Apply AWS networking features | | 1, 16, 17 |
| 6.2 Implement connectivity services of AWS | | 16, 17 |
| 6.3 Gather and interpret relevant information for network troubleshooting | | 5, 14, 16 |
| Domain 7: Automation and Optimization | 12% | |
| 7.1 Use AWS services and features to manage and assess resource utilization | | 1, 2, 7, 8, 14, 19 |
| 7.2 Employ cost optimization strategies for efficient resource utilization | | 3, 7, 11, 19 |
| 7.3 Automate manual or repeatable process to minimize management overhead | | 2, 4, 5, 7, 8, 9, 12, 18, 19 |