AWS DevOps Pro Certification Blog Post Series: Policy and Standards Automation


This is part of the blog post series: AWS DevOps Pro Certification

What does the exam guide say?

To pass this domain, you'll need to know the following:

What services and products covered in this domain?

What about other types of documentation?

If you have the time, by all means, read the User Guides, but they are usually a couple of hundred pages. Alternatively, get familiar with the services using the FAQs:

You're all expected to know the APIs

Before you panic, you'll start to spot a pattern with the API verbs.

And the CLI commands

As with the API, there are patterns to the commands.

10 per cent

I've decided to keep all of the services for this domain within this intro: you're expected to be aware of the services, their purposes and use cases, rather than have in-depth knowledge of their implementation.

Whilst this domain is only 10 per cent, it probably doesn't hurt to know these services; it might make the difference between a pass and a fail grade when you take the exam.

What?

AWS Service Catalog...

AWS Trusted Advisor is a service that provides a dashboard reporting where AWS resources are not in line with current best practice. The reporting is categorised as follows:

Which reports you get depends on the support plan you're on:

Basic/Developer - seven core checks (six from Security and all of the Service Limit reports)
Business/Enterprise - all of the reporting and checks

AWS Systems Manager is an infrastructure management service that can perform the following tasks:

AWS Organizations allows you to organise your environment based on your own hierarchy or functional roles (security, compliance, operations, developer and finance).

AWS Secrets Manager encrypts secrets at rest using keys in KMS. Secrets can be database credentials, passwords and third-party API keys. You can store secrets and control access to them through the AWS Console, CLI, API and SDK.

Secrets can be rotated automatically on a schedule.

Secret types you can store are:

Amazon Macie uses machine learning to automatically identify, classify and protect sensitive data in AWS. It recognises personally identifiable information (PII) or intellectual property. It currently protects S3, with support for other data store services planned for the future.

AWS Certificate Manager centrally manages certificates in AWS. It integrates well with AWS services, allowing it to provision TLS/SSL certificates on their behalf. You can also use it to set up a private certificate authority, which can be used internally within an organisation when there's no need to use trusted Internet root CAs.

Why?

AWS Service Catalog allows you to hide the specific implementation of your cloud infrastructure. By giving your users a separate front end, you can remove a direct association to an AWS account.

AWS Trusted Advisor is an automated tool that gathers information about your AWS environment and reports on resources not configured as per best practice. It's also a cost-saving tool, making recommendations to remove unused resources or downgrade them. A full list of checks can be found on the AWS Support page.

AWS Systems Manager is a tool to centralise various tasks and activities you may wish to perform against your infrastructure. CloudWatch Dashboards and Trusted Advisor reports are also integrated, making this a one-stop shop for systems management.

AWS Organizations allows you to map access to AWS resources based on your own business functions. The simplest example is to only allow developers access to the development environment and maybe read-only access to production.
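As an added illustration of that "full access to dev, read-only to prod" split (example policy written for this post, not from AWS documentation or the original article): an IAM identity policy for a developer role that assumes instances carry an Environment tag with the constructed values dev and prod.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAcrossAllEnvironments",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyDevTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "dev" }
      }
    },
    {
      "Sid": "NeverMutateProdTaggedInstances",
      "Effect": "Deny",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "prod" }
      }
    }
  ]
}
```

The boundary only holds if the same principals cannot retag instances (no ec2:CreateTags or ec2:DeleteTags), since the explicit Deny is keyed on the tag value; when each environment is its own account under an Organizations OU, the account boundary removes that dependency.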

Amazon Macie uses machine learning to identify personally

When?

AWS Service Catalog should be used when you want your users to have a specific set of products based around AWS services, but don't want to give them access to the AWS Console or a specific IAM account.

AWS Trusted Advisor should be used when you need to find out if you're following best practice.

AWS Systems Manager is an enterprise tool, allowing you to identify resources by attribute (AMI image id, OS type, instance type) rather than navigate to specific resources.

AWS Organizations should be used when you need to map your business functions against AWS resources and IAM users, groups and roles are not sufficient controls.

Amazon Macie should be used by organisations that require careful handling of customer data, e.g. health care or government, where the volumes of data are not easily managed by a data administration team or monitored by a security/compliance business function.

AWS Secrets Manager should be used when you don't want to hard-code secrets or store sensitive data on servers, or when you have a regulatory requirement to cycle secrets on a regular basis.

AWS Certificate Manager should be used when you need to provision SSL/TLS certificates or need a private certificate authority.

How?

If there are no specific instructions, it's assumed the service is available through the AWS Console.

AWS Service Catalog requires development so the Developer Guide should be consulted.

AWS Trusted Advisor is available through the AWS Console. In addition to the dashboard, you can send out weekly reports to recipients based on role: billing, operations and security.

AWS Systems Manager is available through the AWS Console. You can create groups to manage by searching for resources based on tags (resource type, operating system, etc.). A resource requires an agent to be installed (as well as an IAM instance profile) to become a managed instance.
