SAP-C02 Amazon AWS Certified Solutions Architect Professional – Exam Preparation Guide

1. Exam Preparation – Domain 1

Hey everyone and welcome back. Now in today’s video we will be discussing about some of the important pointers for exam as far as the domain one is concerned. Now the domain one is basically designed for organizational complexity and it constitutes to be twelve 5% of the overall examination. Now this domain in turn has three main major sections. One is cross account authentication and access strategy. Second is design networks for complex organization and third is multi account AWS environment. So before we start, let me in fact show you this. So if you look into the exam white paper so this is the domain one which is designed for organizational complexity. The percentage of examination is 12. 5% and it has three major sections over here. So these are some of the things that we’ll be discussing in today’s video. Now, when you talk about cross account authentication, the first thing that comes is delegation.

So delegation proves to be quite important for exams. Then you have access strategy. So access strategy can be like how can you access your AWS account? One is definitely through delegation, second is through federation. So within the access strategy, the federation related topics like single sign on SAML, ETCA. Proves to be quite important. Then you have design network for complex organization. So this is mostly focusing on the networking aspect. So your topics like VPNs, direct connects, storage gateways et cetera would prove to be important. Then you have the multi account AWS environment. So this is where you would typically be asked questions like how you can store logs in a cross account environment. So we have great amount of videos in the domain one like how you can store cross account logs for cloud trail et cetera.

So those are some of the topics associated with 1. 3. So some of the important topics that you must remember as far as the domain one is concerned, we have already discussed. You have delegation, you have federation, you have the VPNs, you have direct connects, you have VPC endpoints which is again part of the networking section. Then you have storage gateway and you have AWS organization. Now let’s discuss about the first one which is delegation. Now for delegation you should know on how to build a delegation for cross account IAM access. This is very important. You should know each step which is required for cross account IAM access.

So these are the four major steps which are generally involved. First is to create a cross account IAM role in account B. And here you should have account A as a trusted entity. Now you should also have a user in account A which will be assuming the role which is present in the account B. Then within the IAM policy associated with the user you should have a Sts assume role present. So Sts assume role should be present on the role here in associated with the Im role created in the account B. And the last point here is to share the sign in link with the user so that he can assume that role and log into the account B. So we have discussed about this in great detail in the videos of the course. So you can go ahead if you have any doubts here. The next important part is federation. Now, federation is generally used for federated users. The federated users are the ones who do not have AWS accounts.

So when you look into delegation, delegation basically means that the user do have an AWS account. So basically when you discuss in the step two here, you are actually creating IAM user so that user has an AWS account. However, there can be users who do not have a who do not have an im user to be more specific. So those are basically referred as the federated users who do not have a tables account or who do not have an im user in any of the AWS account. So you should know about the step by step approach which is required during the federation process. So be aware about the concepts like identity store, identity provider as well as SAML. All right, so basically these are the steps where user signs in to the identity broker. So your ADFS acts as an identity broker.

Identity broker will verify from the solutions like active directory whether the user is present and whether he has a proper authorization or not. So this is referred as the identity store over here, all right? So once the active directory confirms that the user is present, the password is correct and the authorization related parameters are also correct, then the identity broker will call the Sts service. Sts service will in turn send an author response. That auth response will be sent back to the user’s browser and users browser will use that auth response to sign into AWS. Now, we have a great video again related to this. Go ahead and watch this video if you have any doubt related to how this thing would work. But make sure you understand each and every step over here. Now, along with that, you should be aware about the web identity federation.

So for web identity federation you typically make use of AWS cognitive. Now, web identity federation is generally used whenever a login is required via social providers like Facebook, Google, Amazon and various others. Now, for AWS cognitive you should understand the difference between a user pool and identity pool. This is quite important. All right, so user pool. So within the user pool you can have your own user. You can also have users which can be federated from the social identity providers like Facebook, Twitter, Google, Amazon, et cetera. And then you have the identity pool and you also have the AWS resources. So this is one of the differences that you should remember before you sit for the exam. Now, generally one typical use case that you might find is let’s say that there is a mobile application and mobile application wants to connect to a DynamoDB to store the result.

So if it is a game based application. So once user has completed playing his games, that result would be stored to DynamoDB. Now, in such cases, manually adding an access and secret key within that application is not a right choice. So in such case you can make use of a web identity federation where a user can log into the application via Facebook, Google, et cetera. And the application can make use of this generate temporary SPS tokens. And that SPS tokens can be used to put the data inside the DynamoDB bucket. So, similar kind of use case is something that you can expect in exams. Now, the third important pointer is the directory service. This is quite important because directory service also plays an important role in federation as well as in the overall access strategy in AWS. So, within the directory service, there are three major types that you should be aware.

One is the AWS managed Microsoft ad. You have the ad connector and you have the simple ad. So the AWS managed Microsoft Ad is a full fledged Microsoft Active directory. So this is the active directory which Microsoft provides. Now, there are two additions for this. One is the standard edition. Standard Edition is for small and mid sized organization, typically for up to 5000 users. And if you have a larger deployment, then you have to go with the enterprise addition. Second is the ad connector. Ad connector is generally used when on premise users needs to access AWS service via ad. This is very important. Remember this word on premise users within exams you might get a question or two related to directory service. And if the question explicitly states that there is an on premise users who wants to access AWS service, then the answer should be Ad Connector. All right? So this is one important part to remember. Third is simple ad. So simple. Ad is not really a Microsoft Active Directory. It is a Samba Four Active Directory which is compatible. Now, do remember that since this is not a full fledged Microsoft ad, it does not really have a lot of features. It has a very basic amount of features.

Now, simple 80 does not support features like trust, relationship, multifactor authentication, the communication via LDAP s. Then you have the Fsmo, role transfer and various others. So these are some of the important features which it does not support. Now, along with that, there are two major deployments. One is Small which supports up to 500 users and you have large which supports up to 5000 users. Now, the next important pointer that you should remember is the virtual private network. This is important. Now again, in virtual private network there are three types of VPNs. One is the AWS managed VPN, which is basically a hardware based VPN that you can configure. Second is AWS VPN cloud Hub. Now, Cloud Hub basically operates on a simple hub and spoke model where you can connect multiple sites with each other via Cloud Hub.

So this does not require you to have a VPC and the third one is the software VPN where you go ahead and install software appliances like OpenVPN within your cloud environment. We already have a video lecture on this as well. So these are the three types. Now in exams you might get a question related to this and you will have to select one among them. So make sure you understand these at a high level overview. Now the next important pointer that you must be aware is the direct connect. So again, these pointers are specific for the networking aspect associated with the 1. 2 section of this domain. So you should be aware about the process which is required to set up a direct connect connection between a customer and the AWS. Now here you should be aware that it might not be possible directly to connect the customer side directly. So basically here you have a concept of direct connect location where let’s say you have a customer partner rack.

So here you have your router and here you have the routers associated with AWS. So what you do, you make use of a cross connect here. So this is basically a direct connect partner location, all right? So you basically do a cross connect here and from the router you have a direct connection back to your AWS environment. So you should be aware about overall direct connect connection and how you can set it up. Now along with that you should be also aware about the virtual interfaces which is the whips which typically both the public and the private ones. Now the public whips are basically used to access public endpoints which are part of the region like S Three and various others. Private WiFi are basically used to access the private endpoints like VPC.

So anything that you want to access within a VPC, you have to create a private with anything which cannot be as part of VPC like S Three. Those things are part of the public with. Now do remember the term of nonvpc assets. So whenever if you see nonvpc assets within the exam question, then it basically means that a public WIP should be created. Now along with that you should be aware about the direct connect gateway. You can expect a question on this. Now the direct connect gateway can be used to connect your direct connect connection over private with to one or more VPCs within the account that are located in same or multiple region. So this is important. Same or multiple region, all right, so let’s say you have a customer network, you have a direct connect connection and you have a private whip to a direct connect gateway. So direct connect gateway can connect to multiple VPCs. Now this VPC can be in the same region, or it can be within two different region.

So within the exam, if you get a question related to a use case where there are two VPCs in a two separate region and a client wants to establish a direct connect connection, what is the ideal approach? Then the answer should be direct connect gateway there. Now, along with that, you should be aware about storage gateway. So you should know different types of storage gateway. You have file gateway, tape gateway, and volume gateway. Again, you should be aware about the stored volumes and cached volumes which are part of the volume gateway here. Now, the next important point associated with the networking section of this domain is the VPC endpoints. So VPC endpoints, as we have already discussed, allows the EC to instance to connect to the services like S, Three, DynamoDB and others through a private link without need of an Internet or an internet gateway.

So, there are two types of VPC endpoints. One is the interface endpoints and you have the gateway endpoints. Now, we have already discussed about both of them in the video, so I hope you know what each of them does. Now, Im policies can also be used to manage the access to the VPC endpoints. Now, at a high level overview, gateway endpoints typically make use of route tables to propagate the routes. Interface endpoints typically have an elastic network interface through which you can send the data from. Now, the last important part of this domain is the AWS Organization. Now, AWS Organization basically helps in multiple aspects. One is consolidated billing and second is the service Control policies. Now, typically if your organization have multiple AWS accounts, it is recommended to have the resources and billing isolation between the accounts.

So, resource isolation means that let’s say that you have dev and prod environments. So do not put both of them within the same AWS account. Use one AWS account for dev, use second AWS account for prod. So that is one of the classic and the best ways for resource isolation and also billing isolation. Now, do remember that if you have multiple AWS accounts, consolidated billing can also be enabled via AWS organization. Now, AWS organization also allows us to set the service Control policies to control the access of the linked accounts, so you can get a question related to that. So, let’s has taken example question where there are five AWS accounts. And what you want is you want to have a global policy which blocks the access to disable the cloud trail across all five of them. So how can you set a global policy? And that global policy can be achieved with the help of AWS organization. So you should be aware.

• Category: Uncategorized