2. Presenter: Andrew May
● Cloud Solutions Lead @ Leading EDJE
● Based in Columbus, Ohio
● Member of Columbus AWS User Group
● Development background (Java)
● 5 years AWS experience
● https://dev.to/andrewdmay
● andrew.may@leadingedje.com
● AWS Solutions Architect (associate)
● AWS Cloud Practitioner
● AWS Developer (associate)
● AWS SysOps Administrator (associate)
10. Cloud Practitioner
● Launched at re:Invent 2017
● Introductory Certification
● Recommended for anyone including technical, managerial, and sales
● Covers general cloud principles, an overview of a range of AWS
services, security, architecture, pricing and support
● Free online training at http://aws.training (~7 hours of videos)
12. Sample Question (1) - Technology
Which service can identify the user that made the API call when an Amazon Elastic Compute
Cloud (Amazon EC2) instance is terminated?
A) Amazon CloudWatch
B) AWS CloudTrail
C) AWS X-Ray
D) AWS Identity and Access Management (AWS IAM)
14. Sample Question (2) - Security
Which of the following is AWS's responsibility under the AWS shared responsibility model?
A) Configuring third-party applications
B) Maintaining physical hardware
C) Securing application access and data
D) Managing custom Amazon Machine Images (AMIs)
16. My take:
● Most questions are “guess the service”
● Skip if you are planning to take one of the associate certifications and
you’ve already had some hands-on experience
● Too much technical detail for most non-technical roles
● Useful for those working alongside technical staff
(e.g. project managers and BAs)
● Free training may be all you need, but other options are available
20. Sample Question
A developer is adding sign-up and sign-in functionality to an application. The application is required to
make an API call to a custom analytics solution to log user sign-in events. Which combination of actions
should the developer take to satisfy these requirements? (Select TWO.)
A) Use Amazon Cognito to provide the sign-up and sign-in functionality.
B) Use AWS IAM to provide the sign-up and sign-in functionality.
C) Configure an AWS Config rule to make the API call triggered by the post-authentication event.
D) Invoke an Amazon API Gateway method to make the API call triggered by the post-authentication
event.
E) Execute an AWS Lambda function to make the API call triggered by the post-authentication event.
22. My take:
● Understand how to build applications by combining AWS services
● There’s a focus on serverless (Lambda and related services)
● Monitoring and deployment are considered developer responsibilities
● You’ll need to understand security for a range of services
(5 out of 10 of the sample questions have a security aspect)
23. Solutions Architect (Associate)
● Recommended to have 1+ years of AWS experience
● New version of Exam just released
○ You can choose which you take until July 1, 2020
● Covers wider range of services
● More focus on combining services, architectural issues
(VPC design, scaling, failover), security and migration
25. Sample Question
A company needs to maintain access logs for a minimum of 5 years due to regulatory requirements.
The data is rarely accessed once stored, but must be accessible with one day’s notice if it is needed.
What is the MOST cost-effective data storage solution that meets these requirements?
A) Store the data in Amazon S3 Glacier Deep Archive storage and delete the objects after 5 years using a
lifecycle rule.
B) Store the data in Amazon S3 Standard storage and transition to Amazon S3 Glacier after 30 days using
a lifecycle rule.
C) Store the data in logs using Amazon CloudWatch Logs and set the retention period to 5 years.
D) Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage and delete the
objects after 5 years using a lifecycle rule.
27. My take:
● Expects a deeper level of understanding about how AWS services work
● Know how to design a VPC
● Wrong answers in questions are harder to spot (especially when you
have to pick multiple)
● Need to be able to consider Security and Compliance as requirements
28. SysOps Administrator
● Recommended to have 1+ years of AWS experience
● Operational focus:
○ Deployment, storage, configuration, networking,
monitoring and security
● Choose between different options for price/performance
○ Understand different EC2 instance types
○ IOPS limits and calculations
30. Example Question
An application running in a VPC needs to access instances owned by a different account and running in a VPC in a
different Region. For compliance purposes, the traffic must not traverse the public internet.
How should an administrator configure network routing to meet these requirements?
A) Within each account, create a custom routing table containing routes that point to the other account’s virtual
private gateway.
B) Within each account, set up a NAT gateway in a public subnet in its respective VPC. Then, using the public IP
address from the NAT gateway, enable routing between the two VPCs.
C) From one account, configure a Site-to-Site VPN connection between the VPCs. Within each account, add routes
in the VPC route tables that point to the CIDR block of the remote VPC.
D) From one account, create a VPC peering request. After an administrator from the other account accepts the
request, add routes in the route tables for each VPC that point to the CIDR block of the peered VPC.
32. My take:
● For me this was the most difficult of the Associate Certifications
(this was an earlier version of the exam)
● Need to understand EBS (IOPS, Snapshots)
● Some obscure questions that weren’t covered in the training I took
○ E.g. restricting access from a VPC to a single bucket using
S3 VPC Endpoint, Bucket Policy and VPC Endpoint policy
34. Solutions Architect (Professional)
● Recommended to have 2+ years of AWS experience
● Associate certification no longer required, but a good idea
● Requires deeper understanding of AWS services and architecture
● Questions and answers are more complex
● Despite being a 3-hour test, people often run out of time
● Probably the most difficult AWS Certification to obtain
● I’m currently preparing to take this
38. DevOps Engineer (Professional)
● Recommended to have 2+ years of AWS experience
● SysOps/Developer Associate certification no longer required
● Focus on Automation and Continuous Delivery using AWS tools:
○ Code*, CloudFormation, Elastic Beanstalk, OpsWorks
● Notification driven automation – understanding different event
sources and how to automate based upon them (e.g. using Lambda)
43. Specialty Certifications
● Advanced Networking
● Security
● Machine Learning
● Alexa Skill Builder
● Data Analytics
(formerly Big Data)
● Database
The number of these keeps growing.
There are no required pre-requisites, but they have
varying recommended levels of experience:
● 5 years Networking experience
vs
● 6 months building Alexa skills
It’s hard to judge their relative values as
certifications (but they both cost $300!).
45. Explore AWS
● Pick a service in the AWS Console you’ve never used and try it out
● Check pricing page - there may be a free tier
○ Some services have temporary free tiers, some are permanent
● Remember to shut down/delete everything when you’re done
● Monitor your costs before you get a bill
46. Read Documentation
● AWS Developer Documentation
○ Often contains Tutorials that you can try out
● FAQs for individual services
● AWS Whitepapers cover a lot of different use cases
○ Architecting for the Cloud: AWS Best Practices
● AWS Blogs and Release Notes email cover new services and changes to
existing services
47. Books (official + many others)
Published March 2019 Published Oct 2017 Published August 2019
48. Training
● Classroom (in-person or virtual) training course available ($$$)
○ Content determined by AWS, provided by partners
○ Hands-on Labs
● Free AWS Courses on www.aws.training and edX
● Online Courses (e.g. A Cloud Guru) ($)
○ Certification specific and more general technology courses
○ Exercises (using your own AWS Account)
○ Practice Tests
● Qwiklabs - hands-on training using provided AWS account ($$)
49. AWS Academy
● Columbus State Community College and other colleges/universities
● Taught by AWS Certified professionals
● Evening classes on Campus
● AWS Academy Cloud Foundations
● AWS Academy Cloud Architecture
● AWS Academy Cloud Development
● AWS Academy Cloud Operations
50. Practice Exams (Official)
● Register via Certification portal
● 20 questions for $20
● Same format and software as real exams
● Some questions may be very similar to ones
you’ll get on the real exam
● Email with % for different domains
Practice Test results:
Overall Score: 80%
Topic Level Scoring:
1.0 Monitoring and Metrics: 66%
2.0 High Availability: 66%
3.0 Analysis: 100%
4.0 Deployment and Provisioning: 100%
5.0 Data Management: 100%
6.0 Security: 100%
7.0 Networking: 33%
56. Test Centers
● Run by PSI and Pearson VUE
● Some testing centers are starting to re-open, but Pearson VUE also
offers an online option
● Lots of different tests being taken in same facility
○ You will probably be the only person taking an AWS certification
● Empty everything from your pockets
○ Limited storage for valuables
○ Online testing requires you to sit in front of a webcam and to have
prepared your room
57. The Test
● Make sure you’re taking the right test
● Accept NDA!
● Read questions carefully, you have plenty of time
○ Questions can be marked for later and gone back to, but this may
not be a good use of time
○ Timer in top right
● Questionnaire at end
● Pass/fail result immediately, email some days later
59. From Certification Portal
● These take a few days to become available
● Certification Certificate
● Digital Badge (now on Acclaim)
● Generate a public Transcript to share your Certification(s)
● Practice Exam Credit (not Practitioner), recertification discounts
● Access to AWS Certified Store