Hey cloud gurus, I just want to tell you that I took my exam today and bring out what came to my attention.
First of all, time was not a problem at all. I had about an hour left at the end and was able to read through the whole exam twice.
Here are the topics that came up most:
1. KMS (lots of questions about key rotations)
2. Active Directory
3. IAM and Cross-Account access
4. AWS Organizations and SCPs – with an emphasis on permissive SCPs ("allow") in my case
5. VPC (Infrastructure Security), e.g. Security Groups, ACLs and Ephemeral Ports (understand the direction for inbound/outbound requests!!)
6. CloudTrail, Config, CloudWatch Events, Lambda
7. Athena
8. AWS Artifact
9. one/two question(s) each: Macie, Inspector, FlowLogs, WAF (in conjunction with DDoS)
Note: no CloudHSM at all, no Shield
Tough Topics:
When to use CloudTrail console vs. CloudTrail with Athena and S3
How to block the aws-managed DNS server for a whole VPC when using a custom DNS server
What is covered by the IAM credentials report and its corresponding API [1]
Active Directory one-way trust from cloud to on-premise
Integration of KMS with other AWS services – these were very tough!! They give you different policies and you must tell what is wrong or – even harder – what is missing, e.g. what are the missing conditions and actions in a policy which a user should use to grant EC2 access to use an EBS volume
Learn the GrantIsForAWSResource condition as it is important for services which integrate with KMS [2]
AWS KMS ViaService condition with regional endpoints: i.e. whether it makes a difference if the service URI contains the region "eu-central-1" or "us-east-1" etc.
high availability across different regions with KMS: is it possible to copy a key to another region? should you reference a key in another region instead?
Note: Can someone who reads this please explain what the recommended setup is for KMS and highly available across different regions? (CloudHSM was not an option)
Terminating SSL on NLB, ALB, Classic Load Balancer and which Listener Protocol to choose on Classic Load Balancer when terminating SSL on the EC2 instance
AWS Organizations: How to restrict member account’s root user access
Question Style:
Almost all questions were scenario based (~4-5 sentences long). One or two had an infrastructure diagram. Some had an IAM policy. Many had special modifiers that asked about the most COST EFFECTIVE way of doing things or the solution with least operational overhead etc.
I could often narrow down the answer to two remaining options. Sometimes (e.g. 5-7 times) I had to guess between these two remaining options based on my feeling/experience. I think that it is the intended type of questioning AWS does on the more advanced certification exams. I am really excited if this gets even harder on the professional exams. I will share my thoughts on the Professional DevOps/Solutions Architect forums someday this year. Next will maybe be the Big Data or Networking Specialty.
Good luck to everyone!
Martin
References:
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
[2] https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-grant-is-for-aws-resource
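Worked example for the "IAM credentials report and its corresponding API" topic above. This is an added example, not code from the post or from AWS: it audits a credential report offline for the things the exam cares about (root access keys, missing MFA, stale or never-used access keys). The CSV sample is constructed; the column names follow the report format described in reference [1] (the cert_1_*/cert_2_* columns of a real report are left out to keep the sample short), the account ID and user names are made up, and the fixed "now" timestamp is only there so the run is deterministic.

```python
"""Offline audit of an IAM credential report (constructed sample below).

Added example, not part of the original post. Column names follow the IAM
credential report format; rows, account ID and user names are made up.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. The real report also has cert_1_* and cert_2_* columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T12:00:00+00:00,not_supported,2018-12-01T09:00:00+00:00,not_supported,not_supported,false,true,2017-06-01T10:00:00+00:00,2018-11-20T15:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-05-02T08:00:00+00:00,true,2018-12-12T11:30:00+00:00,2018-11-01T08:00:00+00:00,2019-01-30T08:00:00+00:00,true,true,2018-11-01T08:30:00+00:00,2018-12-10T07:00:00+00:00,eu-central-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-02-20T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-03-01T09:00:00+00:00,N/A,N/A,N/A,true,2018-12-01T09:00:00+00:00,2018-12-11T16:00:00+00:00,eu-central-1,sts
"""

# Markers the report uses when a field has no value.
NULLS = {"N/A", "not_supported", "no_information", ""}

# Fixed reference time so the sample run is reproducible (assumption).
NOW = datetime(2018, 12, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime for a report timestamp, or None for the null markers."""
    if value in NULLS:
        return None
    return datetime.fromisoformat(value)


def audit_report(csv_text, now, max_key_age_days=90, unused_after_days=30):
    """Return (user, finding_code, detail) tuples for every issue found in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"  # the root user is reported under this fixed name
        mfa = row["mfa_active"] == "true"

        if is_root and not mfa:
            findings.append((user, "ROOT_NO_MFA", "root user has no MFA device"))
        elif row["password_enabled"] == "true" and not mfa:
            findings.append((user, "CONSOLE_NO_MFA", "console password enabled without MFA"))

        for n in ("1", "2"):  # the report tracks two access key slots per user
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY", f"root user has an active access key {n}"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > max_key_age_days:
                findings.append((user, "KEY_ROTATION", f"access key {n} is {age} days old"))
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None and age is not None and age > unused_after_days:
                findings.append((user, "KEY_UNUSED", f"access key {n} never used in {age} days"))
    return findings


def run_sample():
    """Audit the constructed sample against the fixed reference time."""
    return audit_report(SAMPLE_REPORT, NOW)


def fetch_live_report():
    """Fetch a real report with the IAM API (needs boto3 and AWS credentials; not run offline)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous; poll until it is ready
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user, code, detail in run_sample():
        print(f"{user:16} {code:16} {detail}")
```

The report itself only says when a key was last rotated and last used; the thresholds (90 days for rotation, 30 days for "never used") are assumptions you would set to your own policy. Note that the report is generated asynchronously, which is why `fetch_live_report` polls the generate call until the state is COMPLETE before calling get.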
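Worked example for the KMS policy topics above (what is missing in a policy that lets an EC2 role use a key for EBS, the kms:GrantIsForAWSResource condition from reference [2], and whether the region in a kms:ViaService value matters). This is an added example, not code from the post or from AWS: it shows a deliberately incomplete key policy statement next to a corrected one and a small checker that reports the gaps. The account ID, role name and key region are assumptions.

```python
"""Lint a KMS key policy statement written for EC2/EBS use of a customer managed key.

Added example, not part of the original post. Account ID, role name and the
key's region are assumptions chosen for illustration.
"""
import json

KEY_REGION = "eu-central-1"  # assumed: the key was created in Frankfurt
ROLE = "arn:aws:iam::123456789012:role/ec2-app-role"  # assumed role ARN

# Actions EBS needs on a customer managed key when attaching an encrypted volume.
REQUIRED_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant",
}

# Constructed "what is missing / what is wrong" statement, as in the exam questions:
# wrong region in ViaService, ReEncrypt*/DescribeKey missing, CreateGrant unconditioned.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEBSUseOfKey",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:CreateGrant"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": "ec2.us-east-1.amazonaws.com"}},
    }],
}

# Corrected version: full action set, ViaService bound to the key's own region,
# and CreateGrant only when an AWS service creates the grant on the principal's behalf.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUseOfKeyViaEC2",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:ViaService": f"ec2.{KEY_REGION}.amazonaws.com"}},
        },
        {
            "Sid": "AllowGrantsForAWSResources",
            "Effect": "Allow",
            "Principal": {"AWS": ROLE},
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "Bool": {"kms:GrantIsForAWSResource": "true"},
                "StringEquals": {"kms:ViaService": f"ec2.{KEY_REGION}.amazonaws.com"},
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy, key_region):
    """Return a list of problems found in the Allow statements of a key policy."""
    problems = []
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt["Action"])
        allowed.update(actions)
        cond = stmt.get("Condition", {})

        # kms:ViaService values look like "ec2.<region>.amazonaws.com"; a key is
        # regional, so a value naming another region never matches requests for it.
        for via in _as_list(cond.get("StringEquals", {}).get("kms:ViaService", [])):
            parts = via.split(".")
            region = parts[1] if len(parts) >= 4 else None
            if region != key_region:
                problems.append(f"{sid}: kms:ViaService '{via}' does not name the key's "
                                f"region {key_region}, so the condition cannot match")

        # Unconditioned CreateGrant lets the principal grant key use to anyone directly.
        if "kms:CreateGrant" in actions:
            flag = str(cond.get("Bool", {}).get("kms:GrantIsForAWSResource", "")).lower()
            if flag != "true":
                problems.append(f"{sid}: kms:CreateGrant allowed without "
                                "Bool kms:GrantIsForAWSResource=true")

    missing = REQUIRED_ACTIONS - allowed
    if missing:
        problems.append("missing actions for EBS: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print(json.dumps(lint_policy(WEAK_POLICY, KEY_REGION), indent=2))
    print(json.dumps(lint_policy(FIXED_POLICY, KEY_REGION), indent=2))
```

The checker only covers the three gaps the exam-style question above is about; it does not evaluate the policy the way IAM does. The GrantIsForAWSResource condition is the one from the default key policy's "Allow attachment of persistent resources" statement (reference [2]): with it, CreateGrant succeeds only when EC2 (or another integrated service) creates the grant for the caller, not when the caller runs CreateGrant directly.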
@Martin – Thank you so much.
@Martin, I don’t think we can copy a key to another region. If I am missing any info, please correct me. As per the FAQ: Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region. For example, keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region.
That makes sense! However, what about disaster recovery? What happens if an entire region goes down and we reference keys from that region?
@Martin, Thank you so much! For the high availability design, I wonder if the imported customer key would be an option, since the same master key can be imported across different regions?