AWS Certified SysOps Administrator – Associate (2018)
The AWS Certified SysOps Administrator - Associate is a certification based on administering applications on AWS from an operations viewpoint. Although there are some deployment topics, this certification deals more with the decisions we must make in our environments based on the information we receive from monitoring, auditing, and any performance feedback we gather.
This course has been developed to provide you with the requisite knowledge to not only pass the AWS SysOps Administrator certification exam but also gain the hands-on experience required to become a qualified AWS Systems Operator working in a real-world environment.
As an added bonus to all who enroll, we have made a select group of Linux Academy's Hands-On Labs and flashcards available for free to all students who wish to take advantage of them. Instructions on how to access these bonus features will be provided during the course. (NOTE: These bonus features are not a required part of the course; they are an addition you can choose if you so wish.)
Welcome to the AWS Certified SysOps Administrator - Associate course! I am excited to be with you on the next step of your certification journey. This certification is an Associate level certification that emphasizes managing AWS resources from an operations and administration perspective. When you're ready, mark this video complete and let's get started!
A brief chat about my background, my roots in IT, and what I like to do in my spare time.
The interactive diagrams for this course are The SysOps Administrator's Codex. The first part of this lesson is a walkthrough on navigating the charts in your own study. The link is on the "Important Links" document in the Downloads section of the course.
I am from an Operations background. This certification is about operations and administration. I developed a web application for us to use in monitoring, deploying, and making changes to throughout the course. This lesson will walk you through the infrastructure involved in running this WordPress application.
This video gives you a walkthrough on how to use the AWS Free Tier Tracking and Billing Widget for your own AWS account!
Monitoring and Metrics
What is CloudWatch? And how do we get started?
CloudWatch is a very powerful tool for monitoring and troubleshooting in AWS. In this lesson, we will discuss CloudWatch basics and move on to CloudWatch alarms, the actions we can perform with them, and how to configure them.
CloudWatch Events are a way to automatically take action with our AWS resources based on certain event triggers or schedules. In this lesson, we will discuss what CloudWatch Events are, how to configure them, and common uses for them.
CloudWatch Logs are an excellent way to provide alarming, dashboards, and reporting from other sources in AWS like CloudTrail. In this lesson, we will discuss the different components of CloudWatch Logs and how we can use them to set custom alarms in our environment.
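The CloudTrail-to-CloudWatch-Logs alarm described above, worked through as an added example that is not part of the course material: a trail delivers each API record as one JSON log event, a metric filter counts the records that match a pattern, and an alarm fires when the count over a period crosses a threshold. The script below reproduces that chain in plain Python for the classic "failed console sign-in" alarm, so you can see exactly which records the documented filter pattern matches. The log events, user names, addresses and timestamps are constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone


def _console_login(time, ip, user, success):
    """Builds a constructed CloudTrail ConsoleLogin record as the JSON string a trail
    delivers to a CloudWatch Logs stream. Field names follow the CloudTrail record
    format; the users, addresses and times are invented for this example."""
    record = {
        "eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": "Success" if success else "Failure"},
    }
    if not success:
        record["errorMessage"] = "Failed authentication"
    return json.dumps(record)


SAMPLE_LOG_EVENTS = [
    _console_login("2018-06-01T09:40:00Z", "203.0.113.9", "alice", False),   # outside the window
    _console_login("2018-06-01T10:00:05Z", "203.0.113.9", "alice", False),
    _console_login("2018-06-01T10:00:30Z", "203.0.113.9", "alice", False),
    _console_login("2018-06-01T10:01:10Z", "203.0.113.9", "alice", False),
    _console_login("2018-06-01T10:02:00Z", "203.0.113.9", "alice", True),    # success, not counted
    _console_login("2018-06-01T10:03:00Z", "198.51.100.7", "bob", False),
    "this line is not JSON and stands in for a corrupt log event",
]
EXAMPLE_NOW = datetime(2018, 6, 1, 10, 5, tzinfo=timezone.utc)


def parse_log_events(lines):
    """Parses one JSON record per line, skipping anything malformed instead of crashing."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_failed_console_login(event):
    """Python equivalent of the metric filter pattern
    { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }"""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")


def _event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_logins_in_window(lines, now, window=timedelta(minutes=5)):
    """Counts failed console logins per source IP in the window ending at `now`,
    which is what a metric filter feeding a Sum statistic over a 5 minute period sees."""
    counts = Counter()
    for event in parse_log_events(lines):
        if is_failed_console_login(event) and now - window <= _event_time(event) <= now:
            counts[event.get("sourceIPAddress", "unknown")] += 1
    return counts


def alarm_state(counts, threshold=3):
    """Mirrors a CloudWatch alarm with comparison GreaterThanOrEqualToThreshold on the Sum."""
    return "ALARM" if sum(counts.values()) >= threshold else "OK"


if __name__ == "__main__":
    counts = failed_logins_in_window(SAMPLE_LOG_EVENTS, EXAMPLE_NOW)
    print(dict(counts), alarm_state(counts))
```

The per-IP breakdown is something the real metric filter does not give you (a filter produces a single number per period); keeping it in the script is useful when you investigate why an alarm fired, since one address with many failures looks very different from many addresses with one failure each.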
Status checks are made up of Instance Status Checks and System Status Checks. Failures in each indicate different problems and should therefore be recovered from differently: a failed system status check points at the underlying host (stopping and starting an EBS-backed instance moves it to new hardware), while a failed instance status check points at the guest operating system or the network configuration on the instance itself. This lesson discusses AWS System and Instance Status Checks and how to recover from an error in these checks.
There is a wide variety of EC2 instance types to choose from. Some families are better suited to particular tasks, and we, as SysOps Administrators, should know what options are available to us. Within most families there is also a large difference in performance between the smallest and largest instance sizes. This lesson discusses the virtualization types, instance types, and instance sizes we can configure for our EC2 instances.
The EC2 service has the most metrics of any service. Many of them are available without additional charge. A few metrics, however, are not reported by default: OS-level values such as memory and disk space utilization are not visible to the hypervisor, so they must be collected by an agent on the EC2 instance itself and published as custom metrics. This lesson discusses basic EC2 metrics for CloudWatch and how we can get custom, OS-level metrics sent to CloudWatch as well.
Here are the commands used in this video:
######## Install CloudWatch Agent ############
######## Configure CloudWatch Agent ############
######## Start CloudWatch Agent ###############
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:configuration-file-path -s
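To make concrete what the agent is doing for you, here is an added example (not code from the course or from the CloudWatch agent) that collects one OS-level metric by hand: it parses a /proc/meminfo excerpt, computes a memory-used percentage, and builds the exact keyword arguments that boto3's cloudwatch.put_metric_data expects, including the InstanceId dimension. The meminfo contents, instance id and timestamp are constructed; the recording client is a stand-in for boto3.client("cloudwatch") so the script runs without AWS credentials. The used-percent definition is this example's own choice, not necessarily the agent's.

```python
import re
from datetime import datetime, timezone

# Constructed /proc/meminfo excerpt; the numbers are invented and chosen so that
# exactly half of the memory is in use.
SAMPLE_MEMINFO = """\
MemTotal:        4046860 kB
MemFree:         1200416 kB
MemAvailable:    2023430 kB
Buffers:          102400 kB
Cached:           720000 kB
SwapTotal:             0 kB
SwapFree:              0 kB
HugePages_Total:       0
"""
EXAMPLE_INSTANCE_ID = "i-0123456789abcdef0"   # invented; real code reads it from instance metadata
EXAMPLE_TIME = datetime(2018, 6, 1, 10, 0, tzinfo=timezone.utc)


def parse_meminfo(text):
    """Returns the numeric fields of /proc/meminfo as a dict (values in kB, or a plain
    count for the few fields that carry no unit)."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"^(\w+):\s+(\d+)(?:\s+kB)?$", line)
        if match:
            fields[match.group(1)] = int(match.group(2))
    return fields


def mem_used_percent(fields):
    """Memory in use as a percentage, using MemAvailable (kernel 3.14+) and falling
    back to MemFree on older kernels. This is the example's own definition; tools
    differ in how they account for buffers and page cache."""
    total = fields["MemTotal"]
    available = fields.get("MemAvailable", fields.get("MemFree", 0))
    return round((total - available) / total * 100, 2)


def build_metric_data(meminfo_text, instance_id, timestamp):
    """Builds the keyword arguments for boto3's cloudwatch.put_metric_data."""
    return {
        "Namespace": "CWAgent",   # the CloudWatch agent's default namespace, so dashboards line up
        "MetricData": [{
            "MetricName": "mem_used_percent",
            "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
            "Timestamp": timestamp,
            "Unit": "Percent",
            "Value": mem_used_percent(parse_meminfo(meminfo_text)),
        }],
    }


class RecordingCloudWatch:
    """Stand-in for boto3.client('cloudwatch') that records calls so the example runs offline."""
    def __init__(self):
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def publish_memory_metric(meminfo_text, instance_id, client, timestamp=None):
    """Publishes one data point and returns the value that was sent."""
    payload = build_metric_data(meminfo_text, instance_id, timestamp or datetime.now(timezone.utc))
    client.put_metric_data(**payload)
    return payload["MetricData"][0]["Value"]


if __name__ == "__main__":
    # On a real instance: client = boto3.client("cloudwatch") and
    # meminfo_text = open("/proc/meminfo").read(); the instance role needs cloudwatch:PutMetricData.
    client = RecordingCloudWatch()
    print(publish_memory_metric(SAMPLE_MEMINFO, EXAMPLE_INSTANCE_ID, client, EXAMPLE_TIME))
```

Custom metrics are billed per metric, so publish a few well-chosen dimensions (InstanceId, or an AutoScalingGroupName for fleet-wide views) rather than one metric per process or mount point unless you need it.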
CloudWatch is not always the best monitoring solution. Applications may sometimes need their own custom solution. Whether for a backup to CloudWatch or for specialized applications, setting up an instance to ping the environment is an important skill. This lesson discusses how to set up an instance and get it monitoring.
It is important to know the basics of EBS volumes to be able to make informed decisions in our environment. This lesson discusses some of the facts that are necessary to know for administering EBS and for the exam.
Performance of your EBS volumes should be a priority in your environment. Storage size, bursting, throughput, and IOPS can all cause issues. Also, if we haven't "tuned" our EBS usage carefully, we could be spending more than we really need to. This lesson discusses the performance options a user has when provisioning EBS volumes.
The metrics we need to monitor are varied and greatly depend on the volume type. This lesson discusses EBS metrics in CloudWatch and how we can use them to make performance decisions with our volumes.
EFS is a scalable, highly available managed network file system (NFS-based; it is file storage, not block storage like EBS) that we can mount from our EC2 instances and from on-prem servers. EFS is becoming a bigger part of all the Associate exams. In this lesson, we give a brief overview of what it is and then move on to how to monitor it through CloudWatch.
The performance of your RDS instances can affect your application greatly. We can use the RDS metrics in CloudWatch to make decisions about instance types and read replicas. This lesson discusses Relational Database Service (RDS) and how to monitor its performance.
ElastiCache is a caching tool we can use to help speed up the performance of our applications for our customers. This lesson discusses ElastiCache and important aspects of monitoring it.
Ability to monitor and manage billing and cost optimization processes
Running our applications in the cloud can present large cost savings for our organizations. We must know how to monitor and optimize costs to take full advantage of these savings. AWS Billing and Cost Management holds several features we use to not only pay our bills but also monitor and optimize costs.
AWS provides a way for us to investigate expenses in our account. We can tag resources by environments (dev, test, prod) and see cost reports for each. We can also filter costs by region, VPC, instance type, and many more. This lesson is a basic walkthrough of the AWS Cost Explorer service.
Costs can always increase unexpectedly. There are some common mistakes that contribute to these increases. In this lesson, we will discuss AWS recommendations to optimize costs and avoid some of the common causes of cost increases.
Scalability and elasticity are key concepts in how cloud computing provides automatic performance increases and cost savings. This lesson discusses the concepts of scalability and elasticity. We go on to show how it works in EC2, RDS, and DynamoDB
In AWS, scaling out means horizontal scaling: increasing the number of instances in an Auto Scaling group. Scaling up refers to vertical scaling: increasing the instance size or family. This lesson discusses the decisions administrators need to make regarding Auto Scaling versus increasing instance size.
EC2 Reserved Instances can be an effective method of saving money if long-term compute capacity is needed. A Reserved Instance scoped to a specific Availability Zone also reserves capacity in that zone, which protects us if On-Demand capacity there runs short; a regional Reserved Instance gives the discount but no capacity reservation. In this lesson, we discuss Reserved Instances in greater detail. Scenarios that show the benefits of using them are also provided.
Load balancers are responsible for distributing traffic to multiple instances in an application. They can also prevent poor application performance by evaluating the health of the instances they serve and directing traffic only to those instances that are "healthy." This lesson discusses how Elastic Load Balancers can assist in scalable, highly available applications.
Messaging services can be used to decouple applications. Because these services are scalable and highly available, they provide applications with the ability to grow automatically. This lesson discusses how we can use messaging services to make applications scalable.
Ensure level of fault tolerance based on business needs
In the event of an availability zone failure, instances will still need access to the internet for updates. If multiple NAT gateways are deployed, we can allow for this. Bastion hosts also need to be available when an AZ fails. This lesson discusses how to make Bastion Hosts and NAT Gateways fault tolerant.
Multi-AZ is a fault tolerant feature in Relational Database Service. It prevents an availability zone failure from removing database access from an application. This lesson discusses RDS Multi-AZ deployments and how they handle fault tolerance. There is also a simulated failover executed.
AWS services provide different levels of management. Some services are fully managed while others can provide us access to the operating system. Administrators need to know what services require more administrative work. This lesson is an overview of services that allow access to the underlying operating system.
Optimize the environment to ensure maximum performance
When restoring a volume from a snapshot, maximum volume performance is not achieved until all blocks on the device have been read once, because each block is pulled from S3 on first access. This lesson discusses initializing EBS volumes and when we should do it. The command from the lesson is here:
sudo dd if=/dev/xvdf of=/dev/null bs=1M
Read replicas allow us to offload database resources to another instance to improve read performance. Read replicas are also a useful tool for disaster recovery and migrations. In this lesson, we will discuss RDS Read Replicas and how they can help the performance of an application.
Identify performance bottlenecks and implement remedies
Resizing a root volume is a necessary skill as a Systems Operator. At some point, you will either run out of storage or need better IOPS performance. This video will show a couple of different techniques for resizing or changing a root EBS volume.
Using SSL/TLS for secure web communications can increase the processing your application servers are required to do. It might even start to affect your application's performance. Offloading the TLS handshake and decryption duties to a load balancer is a great way to alleviate this. We can also use Certificate Manager to create and renew our certificates. Keep in mind that after offloading, traffic between the load balancer and the instances is plain HTTP unless the backend listener is also configured for HTTPS, so decide deliberately whether that hop needs to stay encrypted. This lesson discusses the process of offloading the TLS workload.
Network performance is highly important to any application. It is also the first culprit to be blamed when an application is not performing efficiently. Systems Operators need to know the most common causes of network bottlenecks in AWS. This lesson discusses several of those causes.
Identify potential issues on a given application deployment
Auto Scaling issues can be difficult to troubleshoot. There are many different configuration steps and items that can lead to problems. This lesson discusses many of the common issues when Auto Scaling is not working.
Knowing how to preserve data is an important skill for any administrator. EBS volumes behave differently on termination depending on how they are attached: the root volume's DeleteOnTermination attribute is true by default, while a non-root volume attached to a running instance defaults to false, so check the attribute rather than assuming. This lesson discusses methods of preserving data when our instances need to be terminated. There is also a short discussion on instance store-backed instances, whose storage does not survive termination at all.
Deployment and Provisioning
There are now three types of load balancers in AWS. The use cases and behaviors need to be known for each to properly deploy and administer load balancers in an AWS environment. This lesson discusses the differences and shows configuration examples for each type.
Lambda is gaining increased coverage on all the Associate level exams. Even as SysOps Administrators, we need to know the basics of how it works. This lesson walks through configuring a Lambda function from one of the AWS-provided blueprints.
As the popularity of containers continues to grow, we as Systems Operators on AWS need to know how the ECS service works. This lesson discusses what ECS is as well as a walkthrough of deploying a sample app using ECS and Fargate.
Lightsail is a virtual private server (VPS) solution from AWS that allows for a monthly "rental" of an instance. Batch is a fully managed AWS service for handling batch computing jobs. Both compute services are now mentioned in AWS documentation and are new in terms of the exam. This lesson is a quick overview of what Lightsail and Batch are and what they do.
Knowing Relational Database Service and all of its features and configurations is an important skill for SysOps Administrators. Deploying an RDS instance from scratch presents us with many options. This lesson discusses a few of those options, like subnet groups, backup and maintenance windows, and how Multi-AZ works using subnets.
DynamoDB is a managed, NoSQL data store. It provides for schemaless design using key-value pairs. DynamoDB is not a large focus of the SysOps Administrator certification, but you will see it mentioned a few times on the exam. This lesson goes over the important attributes and configurations that all System Operators and Administrators should know.
Simple Storage Service (S3) is a fully scalable, highly available object storage solution in AWS. There are many attributes of S3 to think about when objects are first uploaded and when those objects need to be managed later in the objects' lifecycle. This lesson discusses read consistencies, storage classes, and lifecycle policies.
EFS is a highly scalable managed file system that can be shared by multiple instances. These attributes make it perfect for a web server data store. We can have many instances running and only have to launch and update our websites in one place. This lesson shows the process.
Here is the command to mount the EFS file system on your instance. The file system's DNS name (or a mount target IP address) goes immediately before the :/ in the command:
sudo mount -t nfs4 :/ /var/www/html
You can substitute a different path at the end of this command depending on where you want to mount EFS in your instance. The mount only succeeds if the instance can reach a mount target and the mount target's security group allows inbound NFS (TCP port 2049) from the instance; if it does not, the mount command typically hangs rather than failing immediately.
The ability to provision cloud resources and manage implementation automation
Elastic Beanstalk is a powerful tool used to deploy simple, single-tier applications without having to provision all the resources before deployment. It gives developers a way to deploy code quickly for testing and production environments. The service has limitations that determine when it is useful. This lesson shows different methods to launch applications and discusses some of the limitations of the service.
"Infrastructure as code" is one of the unique abilities of cloud computing. We can launch an entire AWS environment using a text file formatted in JSON or YAML. In AWS, this ability is served using CloudFormation. This lesson will explain templates and template sections as well as the benefits of using this service.
OpsWorks is a service that uses Chef cookbooks, whose recipes are written in Ruby. It allows us to manage our application in layers, and recipes run against those layers at the various lifecycle events of an application's deployment. This video walks through the deployment of a sample Node.js application to further understand the OpsWorks infrastructure.
Demonstrate ability to create backups for different services
Creating backups for applications is a large responsibility for administrators. Backups are greatly important during disaster recovery events or data corruption incidents. There are services in AWS that offer backup solutions, but they are not enabled by default. As SysOps Admins, we need to be familiar enough to enable these backups.
As we have seen, EC2 does not provide an automated backup solution directly. The first option we discussed was using CloudWatch Events to create snapshots of EBS volumes. We can also script snapshot creation using API calls. This lesson shows a method using the Boto3 SDK to create snapshots of your EBS volumes all at once without having to know any attributes of the volume itself.
NOTE: The code for this lesson is available in the Resources tab.
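The lesson's own script is in the Resources tab and is not reproduced here. As an added example of the same approach, the script below snapshots every volume carrying an assumed Backup=true tag, tags each snapshot with an assumed CreatedBy marker, and then prunes only snapshots bearing that marker once they are older than a retention period, so hand-taken snapshots are never deleted. The EC2 calls have the argument and response shapes of boto3 (describe_volumes, create_snapshot, describe_snapshots, delete_snapshot); the FakeEC2 class, the volume and snapshot records, and the tag names are constructed so the script runs without credentials.

```python
from datetime import datetime, timedelta, timezone

BACKUP_TAG = "Backup"             # assumed convention: only volumes tagged Backup=true are snapshotted
CREATED_BY = "ebs-backup-script"  # assumed marker so pruning never touches snapshots taken by hand
EXAMPLE_NOW = datetime(2018, 6, 1, 2, 0, tzinfo=timezone.utc)


def tag_value(resource, key):
    """Reads one tag from the 'Tags' list boto3 returns on volumes and snapshots."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == key), None)


def snapshot_tagged_volumes(ec2, now):
    """Snapshots every volume tagged Backup=true and returns the new snapshot ids."""
    created = []
    # Real code: iterate ec2.get_paginator("describe_volumes").paginate(...) instead.
    for vol in ec2.describe_volumes()["Volumes"]:
        if tag_value(vol, BACKUP_TAG) != "true":
            continue
        snap = ec2.create_snapshot(
            VolumeId=vol["VolumeId"],
            Description=f"automated backup of {vol['VolumeId']} at {now.isoformat()}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "CreatedBy", "Value": CREATED_BY},
                {"Key": "Name", "Value": tag_value(vol, "Name") or vol["VolumeId"]},
            ]}],
        )
        created.append(snap["SnapshotId"])
    return created


def prune_old_snapshots(ec2, now, retention_days=7):
    """Deletes snapshots this script created that are older than the retention period."""
    deleted = []
    for snap in ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]:
        if tag_value(snap, "CreatedBy") != CREATED_BY:
            continue
        if now - snap["StartTime"] > timedelta(days=retention_days):
            ec2.delete_snapshot(SnapshotId=snap["SnapshotId"])
            deleted.append(snap["SnapshotId"])
    return deleted


def run_backup(ec2, now, retention_days=7):
    return snapshot_tagged_volumes(ec2, now), prune_old_snapshots(ec2, now, retention_days)


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') with the response shapes of the four
    calls used above, so the example runs without AWS credentials."""
    def __init__(self, volumes, snapshots, now):
        self.volumes, self.snapshots, self.now, self.counter = volumes, list(snapshots), now, 0

    def describe_volumes(self, **kwargs):
        return {"Volumes": self.volumes}

    def create_snapshot(self, VolumeId, Description="", TagSpecifications=None):
        self.counter += 1
        snap = {"SnapshotId": f"snap-new{self.counter}", "VolumeId": VolumeId, "StartTime": self.now,
                "Description": Description, "Tags": TagSpecifications[0]["Tags"] if TagSpecifications else []}
        self.snapshots.append(snap)
        return snap

    def describe_snapshots(self, **kwargs):
        return {"Snapshots": list(self.snapshots)}

    def delete_snapshot(self, SnapshotId):
        self.snapshots = [s for s in self.snapshots if s["SnapshotId"] != SnapshotId]
        return {}


def example_client():
    """Three volumes (two tagged for backup) and three pre-existing snapshots, all invented."""
    tags = lambda **kv: [{"Key": k, "Value": v} for k, v in kv.items()]
    volumes = [
        {"VolumeId": "vol-aaa", "Tags": tags(Name="wordpress-root", Backup="true")},
        {"VolumeId": "vol-bbb", "Tags": tags(Backup="true")},
        {"VolumeId": "vol-ccc", "Tags": tags(Name="scratch")},   # not tagged: left alone
    ]
    snapshots = [
        {"SnapshotId": "snap-old", "VolumeId": "vol-aaa", "StartTime": EXAMPLE_NOW - timedelta(days=10),
         "Tags": tags(CreatedBy=CREATED_BY)},
        {"SnapshotId": "snap-recent", "VolumeId": "vol-aaa", "StartTime": EXAMPLE_NOW - timedelta(days=2),
         "Tags": tags(CreatedBy=CREATED_BY)},
        {"SnapshotId": "snap-manual", "VolumeId": "vol-bbb", "StartTime": EXAMPLE_NOW - timedelta(days=30),
         "Tags": []},   # taken by hand: never pruned
    ]
    return FakeEC2(volumes, snapshots, EXAMPLE_NOW)


if __name__ == "__main__":
    # With real AWS: ec2 = boto3.client("ec2"); run_backup(ec2, datetime.now(timezone.utc))
    print(run_backup(example_client(), EXAMPLE_NOW))
```

The role that runs this needs ec2:DescribeVolumes, ec2:CreateSnapshot, ec2:CreateTags, ec2:DescribeSnapshots and ec2:DeleteSnapshot; scoping DeleteSnapshot with a condition on the CreatedBy tag is a cheap way to make the "never delete manual snapshots" rule hold even if the script has a bug.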
It may seem strange that we are discussing backups for S3, because it has some impressive numbers for durability and availability. The issue is that S3 buckets, even though their names are global, exist in a particular region. If that region were to fail, we would not be able to access our objects. This lesson demonstrates how S3 Cross Region Replication works and what limitations are involved with this replication, among them that versioning must be enabled on both buckets and that only objects written after replication is turned on are copied.
For hybrid environments, ones that include some sort of on-premises infrastructure, AWS provides services to assist with data durability. Storage Gateway provides us a way to backup and even migrate to the cloud. It has three main types, and they all include some type of on-prem component. This lesson discusses the three types Storage Gateway offers and how they are used.
Demonstrate ability to enforce compliance requirements
Organizations around the world have a lot of different compliance rules and regulations they must adhere to. AWS has provided documentation for compliance audits that you can use, but it applies only to what AWS is responsible for. We must ensure that the applications we deploy are also compliant. This lesson is an overview of how compliance works and some ideas to think about when designing for compliance.
Manage backup and disaster recovery processes
Disaster recovery strategies when you have databases involved can be tricky. How do we make sure the data in our secondary region is up to date in case of a disaster recovery event? This is what RDS cross-region read replicas are built for. This video shows you how to create a cross-region read replica and then simulates a region failure and a promotion of that read replica in the second region.
Centralizing our log storage can help make our monitoring more efficient. It can also be cheaper if we are not storing multiple copies of logs around our infrastructure. This lesson discusses this strategy of centralized log storage and some tools you can use to help.
There are many different decisions administrators must make when it comes to disaster recovery planning. A DR solution should be cost-effective so that it does not cost the organization more than it would lose during an outage. Cost, downtime, and frequent testing are important decisions in any company. This lesson discusses disaster recovery scenarios as well as the cost vs. downtime planning decisions that need to be made.
Implement and manage security policies
Knowing how to create policies is at the very center of IAM management. We use these policies to enable permissions for users, groups, and roles. This lesson discusses both the pre-built policies as well as custom policies and how to create them.
Managing permissions and policies for users is a big responsibility. Using groups is an efficient way to make management of users easier. This lesson shows how to create users and add them to groups.
Roles are a way for us to grant our AWS resources permission to interact with each other. We can also grant temporary permissions to users outside of our AWS environment by using roles with delegation and federation. This lesson discusses roles and how we use them.
S3 Bucket Policies allow us to have fine-grained control over access to the objects in our S3 buckets. Using these policies, we can implement additional layers of security and access control for objects. This lesson discusses what these policies are and how to implement them in S3.
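As an added example that is not part of the course, here is a small policy checker with a deliberately public bucket policy beside a restricted one. It flags Allow statements granted to everyone (Principal "*" or {"AWS": "*"}), distinguishing unconditioned grants from conditioned ones that still deserve a look, and it checks whether a policy denies requests that do not use TLS. The policies, bucket name, account id, role and VPC endpoint id are all constructed; the checker's rules are this example's own simplification of policy evaluation, not a replacement for the IAM policy simulator.

```python
import json

# Constructed bucket policies; bucket name, account id, role and endpoint id are invented.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # only one application role may read objects
            "Sid": "AppRead", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/wordpress-app"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
        },
        {   # reject every request that does not use TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

VPC_ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurEndpointOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """Policy grammar allows a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for Principal "*" and for {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def wildcard_allows(policy_json):
    """Lists Allow statements granted to everyone. Unconditioned ones are 'public';
    conditioned ones are 'review', because a condition like aws:SourceVpce narrows
    the grant meaningfully while one like aws:Referer does not."""
    findings = []
    for index, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "verdict": "review" if stmt.get("Condition") else "public",
        })
    return findings


def requires_tls(policy_json):
    """True if some Deny statement rejects requests with aws:SecureTransport = false."""
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        condition = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(condition.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY),
                         ("vpce", VPC_ENDPOINT_POLICY)]:
        print(name, wildcard_allows(policy), "tls-only" if requires_tls(policy) else "tls-optional")
```

Bucket policies are only one of the ways an object can become public (ACLs on the object are another), so a clean result from a policy check is necessary but not sufficient.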
Security groups and Network Access Control Lists (NACLs) are extremely important when looking to lock down the security of our applications. This lesson discusses a strategy to make them work together more efficiently. Misconfiguring either one of these tools can lead to a lot of time troubleshooting.
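The interaction the lesson is about, as an added example that is not from the course: security groups are stateful, so one inbound rule is enough and the reply is allowed automatically; network ACLs are stateless and evaluated in ascending rule-number order with first match winning and a trailing deny, so reply traffic on ephemeral ports needs explicit rules in both directions. The script traces one client connection through constructed rule sets and shows how an ACL that forgets the outbound ephemeral range silently breaks an HTTPS service the security group allows. All addresses, ports and rules are invented.

```python
import ipaddress

# Constructed rule sets. A security group is stateful: one inbound rule is enough and the
# reply is allowed automatically. A network ACL is stateless: rules are evaluated in
# ascending rule-number order, the first match wins, and the trailing '*' rule denies,
# so reply traffic on ephemeral ports must be allowed explicitly in both directions.
WEB_SG_INBOUND = [
    {"protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (22, 22), "cidr": "203.0.113.0/24"},   # admin network only
]

GOOD_NACL = {
    "inbound": [
        {"rule": 90,  "action": "deny",  "protocol": "tcp", "ports": (0, 65535), "cidr": "203.0.113.66/32"},  # one blocked host
        {"rule": 100, "action": "allow", "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
        {"rule": 110, "action": "allow", "protocol": "tcp", "ports": (22, 22), "cidr": "203.0.113.0/24"},
        {"rule": 120, "action": "allow", "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"},  # replies to our outbound calls
    ],
    "outbound": [
        {"rule": 100, "action": "allow", "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"},  # replies to clients
        {"rule": 110, "action": "allow", "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},     # package repos, AWS APIs
    ],
}

# Same ACL without the outbound ephemeral-port rule: a classic misconfiguration.
BROKEN_NACL = {
    "inbound": GOOD_NACL["inbound"],
    "outbound": [GOOD_NACL["outbound"][1]],
}


def _matches(rule, protocol, port, address):
    low, high = rule["ports"]
    return (rule["protocol"] == protocol and low <= port <= high
            and ipaddress.ip_address(address) in ipaddress.ip_network(rule["cidr"]))


def nacl_allows(rules, protocol, port, address):
    """First matching rule by ascending number decides; no match means the '*' deny."""
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, protocol, port, address):
            return rule["action"] == "allow"
    return False


def sg_allows(rules, protocol, port, address):
    """Any matching rule allows; security groups have no deny rules and no ordering."""
    return any(_matches(rule, protocol, port, address) for rule in rules)


def client_connection(sg_inbound, nacl, client_ip, client_port, server_port, protocol="tcp"):
    """Traces a TCP connection from an outside client into the instance and its reply back out."""
    result = {
        "nacl_inbound": nacl_allows(nacl["inbound"], protocol, server_port, client_ip),
        "sg_inbound": sg_allows(sg_inbound, protocol, server_port, client_ip),
        # The reply goes to the client's ephemeral port and must pass the outbound ACL;
        # the security group lets it through because it tracked the inbound flow.
        "nacl_reply": nacl_allows(nacl["outbound"], protocol, client_port, client_ip),
    }
    result["allowed"] = all(result.values())
    return result


if __name__ == "__main__":
    print("good:  ", client_connection(WEB_SG_INBOUND, GOOD_NACL, "198.51.100.5", 51234, 443))
    print("broken:", client_connection(WEB_SG_INBOUND, BROKEN_NACL, "198.51.100.5", 51234, 443))
```

When a connection fails and the security group looks right, walk the NACL in both directions for both the destination port and the client's ephemeral port, in rule-number order; a low-numbered deny placed ahead of a broad allow is the other classic surprise.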
Ensure data integrity and access controls when using the AWS platform
Encryption is becoming more and more important in AWS. New services are getting Key Management Service support at a constant rate. An Associate level SysOps Administrator needs to have a basic grasp on encryption and how it is implemented in AWS. This lesson will show you how.
Multi-factor authentication should be required for all of your users who have console access, starting with the root user and every administrator. We need to ensure that a compromised password alone isn't enough to let someone into our environment. This lesson shows you how to enable MFA and how to set it up using Google Authenticator as a virtual MFA device.
Identity federation needs to be understood for us to administer our applications on AWS. The Security Token Service (STS) issues the temporary credentials behind federation, and it matters for both customers and employees. Application users often need to federate through third-party identity providers to use our applications. Employees can use their domain credentials from on-prem directory services to federate into AWS and use its services. This lesson discusses these scenarios in further detail.
S3 offers several features that can assist with data integrity in addition to its built-in availability and durability numbers. We also need methods to protect our objects from human error. This lesson discusses versioning, replication, and multi-factor authentication delete.
Demonstrate understanding of the shared responsibility model
The shared responsibility model is an important concept for any SysOps Administrator to grasp. AWS does not manage everything for you. There are many items and services that require additional administration to protect, monitor, and analyze AWS environments. This lesson discusses the basics of the shared responsibility model along with some examples.
Demonstrate ability to prepare for security assessment use of AWS
AWS Config is a service we can use to evaluate the configurations of our resources. It records all the details including relationships between resources. This can be very helpful in troubleshooting situations. We can also create a set of rules for evaluating our resources. When a resource is non-compliant with our set rules, AWS Config will let us know. This lesson shows how to configure and use the AWS Config service.
CloudTrail is a service we can use to log the API calls in our account, whether they come from the console, the AWS CLI, or the SDKs. A trail records management (control-plane) events by default; data events such as S3 object-level operations are not captured unless they are enabled on the trail. We can also create trails that we can analyze with CloudWatch Logs or third-party tools. This lesson shows us how.
Inspector gives us the ability to evaluate our EC2 instances against a built-in library of best practices, common compliance, and vulnerability standards. AWS has compiled libraries using several focus areas for evaluating your instances. This lesson shows how to install the AWS agent on EC2 instances and how to configure targets, templates, and runs from within Inspector.
Demonstrate ability to implement networking features of AWS
Virtual Private Cloud allows for us to create networks for our applications to run on. We can customize many different features such as IP address range, how many layers our application needs, routing, security, and many more. This lesson discusses the basics of VPCs, the building blocks, and the attributes of a default VPC.
Elastic IP addresses (EIP) and Elastic Network Interfaces (ENI) give us a flexible way to retain the same IP address on an instance. This ability is useful in many application scenarios. With an ENI, settings such as private IP addresses, any associated Elastic IP, and security groups move with the interface when it is attached to another instance. Neither makes an instance reachable from the internet on its own: an EIP only provides internet access from a public subnet, that is, one whose route table sends 0.0.0.0/0 to an internet gateway. This lesson shows how to use each and some of the behaviors we need to be aware of as SysOps Administrators.
CloudFront is the AWS Content Delivery Network (CDN). It allows us to cache our web applications around the world to provide lower latency and a better experience for our end-users. It is important to know how our content is distributed to the edge locations and what happens when the edge location does not have a cached version of our content. This lesson discusses the basics of how to configure a CloudFront distribution and some of the processes we need to be aware of.
Route53 is AWS's solution for DNS resolution. Its routing policies can help us decrease latency, implement fault tolerance, and run test deployments. This lesson demonstrates a Route53 failover policy for our WordPress application. The discussion then moves to routing for customers in different locations and test deployments.
Demonstrate ability to implement connectivity features of AWS
VPC Peering is a tool that we can use when we want our VPCs to communicate using private IP addresses as if they are on the same network. We also have the newly released ability to peer VPCs across regions. This lesson shows you how.
AWS Virtual Private Network (VPN) is a way to get encrypted communication between an on-prem environment and AWS over the public internet, using IPsec tunnels between a customer gateway on your side and a virtual private gateway attached to the VPC. This lesson discusses the basics and components of an AWS VPN connection.