1.1 Define the AWS Cloud and its value proposition

 Define the benefits of the AWS cloud including:

• Security
• Reliability
• High Availability
• Elasticity
•  Agility
•  Pay-as-you go pricing
• Scalability
• Global Reach
• Economy of scale

Explain how the AWS cloud allows users to focus on business value

• Shifting technical resources to revenue-generating activities as opposed to managing infrastructure

1.2 Identify aspects of AWS Cloud economics

Define items that would be part of a Total Cost of Ownership proposal

• Understand the role of operational expenses (OpEx)
• Understand the role of capital expenses (CapEx)
• Understand labor costs associated with on-premises operations
• Understand the impact of software licensing costs when moving to the cloud

 Identify which operations will reduce costs by moving to the cloud

• Right-sized infrastructure
• Benefits of automation
•  Reduce compliance scope (for example, reporting)
•  Managed services (for example, RDS, ECS, EKS, DynamoDB)

1.3 Explain the different cloud architecture design principles

•  Explain the design principles
• Design for failure
•  Decouple components versus monolithic architecture
•  Implement elasticity in the cloud versus on-premises
•  Think parallel

2.1 Define the AWS shared responsibility model

•  Recognize the elements of the Shared Responsibility Model
•  Describe the customer’s responsibly on AWS
• Describe how the customer’s responsibilities may shift depending on the service used (for example with RDS, Lambda, or EC2)

 Describe AWS responsibilities

2.2 Define AWS Cloud security and compliance concepts

 Identify where to find AWS compliance information

• Locations of lists of recognized available compliance controls (for example, HIPPA,SOCs)
•  Recognize that compliance requirements vary among AWS services
•  At a high level, describe how customers achieve compliance on AWS
•  Identify different encryption options on AWS (for example, In transit, At rest)

 Describe who enables encryption on AWS for a given service

• Recognize there are services that will aid in auditing and reporting
• Recognize that logs exist for auditing and monitoring (do not have to understand the logs)
• Define Amazon CloudWatch, AWS Config, and AWS CloudTrail
•  Explain the concept of least privileged access

2.3 Identify AWS access management capabilities

•  Understand the purpose of User and Identity Management
•  Access keys and password policies (rotation, complexity)
•  Multi-Factor Authentication (MFA)
•  AWS Identity and Access Management (IAM)

1. Groups/users
2.  Roles
3. Policies, managed policies compared to custom policies

• Tasks that require use of root accounts
• Protection of root accounts

2.4 Identify resources for security support

•  Recognize there are different network security capabilities
• Native AWS services (for example, security groups, Network ACLs, AWS WAF)
• 3rd party security products from the AWS Marketplace
•  Recognize there is documentation and where to find it (for example, best practices, whitepapers, official documents)
• AWS Knowledge Center, Security Center, security forum, and security blogs
• Partner Systems Integrators
•  Know that security checks are a component of AWS Trusted Advisor

3.1 Define methods of deploying and operating in the AWS Cloud

Identify at a high level different ways of provisioning and operating in the AWS cloud

• Programmatic access, APIs, SDKs, AWS Management Console, CLI, Infrastructure as Code
•  Identify different types of cloud deployment models
• All in with cloud/cloud native

1. Hybrid
2. On-premises

•  Identify connectivity options

o VPN

o AWS Direct Connect

o Public internet

3.2 Define the AWS global infrastructure

 Describe the relationships among Regions, Availability Zones, and Edge Locations

 Describe how to achieve high availability through the use of multiple Availability Zones

o Recall that high availability is achieved by using multiple Availability Zones

o Recognize that Availability Zones do not share single points of failure

 Describe when to consider the use of multiple AWS Regions

o Disaster recovery/business continuity

o Low latency for end-users

o Data sovereignty

 Describe at a high level the benefits of Edge Locations

o Amazon CloudFront

o AWS Global Accelerator

3.3 Identify the core AWS services

Describe the categories of services on AWS (compute, storage, network, database)

 Identify AWS compute services

o Recognize there are different compute families

o Recognize the different services that provide compute (for example, AWS Lambda compared to Amazon Elastic Container Service (Amazon ECS), or Amazon EC2, etc.)

o Recognize that elasticity is achieved through Auto Scaling

o Identify the purpose of load balancers

 Identify different AWS storage services

o Describe Amazon S3

o Describe Amazon Elastic Block Store (Amazon EBS)

o Describe Amazon S3 Glacier

o Describe AWS Snowball

o Describe Amazon Elastic File System (Amazon EFS)

o Describe AWS Storage Gateway

 Identify AWS networking services

o Identify VPC

o Identify security groups

o Identify the purpose of Amazon Route 53

o Identify VPN, AWS Direct Connect

 Identify different AWS database services

o Install databases on Amazon EC2 compared to AWS managed databases

o Identify Amazon RDS

o Identify Amazon DynamoDB

o Identify Amazon Redshift

3.4 Identify resources for technology support

Recognize there is documentation (best practices, whitepapers, AWS Knowledge Center, forums, blogs)

 Identify the various levels and scope of AWS support

o AWS Abuse

o AWS support cases

o Premium support

o Technical Account Managers

 Recognize there is a partner network (marketplace, third-party) including Independent

Software Vendors and System Integrators

 Identify sources of AWS technical assistance and knowledge including professional services,

solution architects, training and certification, and the Amazon Partner Network

 Identify the benefits of using AWS Trusted Advisor

4.1 Compare and contrast the various pricing models for AWS (for example, On-Demand Instances,

Reserved Instances, and Spot Instance pricing)

 Identify scenarios/best fit for On-Demand Instance pricing

 Identify scenarios/best fit for Reserved-Instance pricing

o Describe Reserved-Instances flexibility

o Describe Reserved-Instances behavior in AWS Organizations

 Identify scenarios/best fit for Spot Instance pricing

4.2 Recognize the various account structures in relation to AWS billing and pricing

 Recognize that consolidated billing is a feature of AWS Organizations

 Identify how multiple accounts aid in allocating costs across departments

4.3 Identify resources available for billing support

 Identify ways to get billing support and information

o Cost Explorer, AWS Cost and Usage Report, Amazon QuickSight, third-party partners, and AWS Marketplace tools

o Open a billing support case

o The role of the Concierge for AWS Enterprise Support Plan customers

 Identify where to find pricing information on AWS services

o AWS Simple Monthly Calculator

o AWS Services product pages

o AWS Pricing API

 Recognize that alarms/alerts exist

 Identify how tags are used in cost allocation

1.1 Apply concepts required to automate a CI/CD pipeline

•  Set up repositories
•  Set up build services
•  Integrate automated testing (e.g., unit tests, integrity tests)
•  Set up deployment products/services
•  Orchestrate multiple pipeline stages

1.2 Determine source control strategies and how to implement them

•  Determine a workflow for integrating code changes from multiple contributors
•  Assess security requirements and recommend code repository access design
•  Reconcile running application versions to repository versions (tags)
•  Differentiate different source control types

1.3 Apply concepts required to automate and integrate testing

•  Run integration tests as part of code merge process
•  Run load/stress testing and benchmark applications at scale
•  Measure application health based on application exit codes (robust Health Check)
•  Automate unit tests to check pass/fail, code coverage
• CodePipeline, CodeBuild, etc.
•  Integrate tests with pipeline

1.4 Apply concepts required to build and manage artifacts securely

• Distinguish storage options based on artifacts security classification
• Translate application requirements into Operating System and package configuration (build specs)
• Determine the code/environment dependencies and required resources
• Example: CodeDeploy AppSpec, CodeBuild buildspec
• Run a code build process

1.5 Determine deployment/delivery strategies (e.g., A/B, Blue/green, Canary, Red/black) and how to implement them using AWS services

• Determine the correct delivery strategy based on business needs
• Critique existing deployment strategies and suggest improvements
•  Recommend DNS/routing strategies (e.g., Route 53, ELB, ALB, load balancer) based on business continuity goals
•  Verify deployment success/failure and automate rollbacks

2.1 Determine deployment services based on deployment needs

• Demonstrate knowledge of process flows of deployment models
• Given a specific deployment model, classify and implement relevant AWS services to meet requirements
• Given the requirement to have DynamoDB choose CloudFormation instead of OpsWorks
• Determine what to do with rolling updates

2.2 Determine application and infrastructure deployment models based on business needs

•  Balance different considerations (cost, availability, time to recovery) based on business
• requirements to choose the best deployment model
•  Determine a deployment model given specific AWS services
•  Analyze risks associated with deployment models and relevant remedies

2.3 Apply security concepts in the automation of resource provisioning

• Choose the best automation tool given requirements
• Demonstrate knowledge of security best practices for resource provisioning (e.g., encrypting data bags, generating credentials on the fly)
•  Review IAM policies and assess if sufficient but least privilege is granted for all lifecycle stages
• of a deployment (e.g., create, update, promote)
•  Review credential management solutions (e.g., EC2 parameter store, third party)
•  Build the automation
• CloudFormation template, Chef Recipe, Cookbooks, Code pipeline, etc.

2.4 Determine how to implement lifecycle hooks on a deployment

• Determine appropriate integration techniques to meet project requirements
• Choose the appropriate hook solution (e.g., implement leader node selection after a node failure) in an Auto Scaling group
• Evaluate hook implementation for failure impacts (if a remote call fails, if a dependent service is temporarily unavailable (i.e., Amazon S3), and recommend resiliency improvements
• Evaluate deployment rollout procedures for failure impacts and evaluate rollback/recovery processes

2.5 Apply concepts required to manage systems using AWS configuration management tools and services

• Identify pros and cons of AWS configuration management tools
• Demonstrate knowledge of configuration management components
• Show the ability to run configuration management services end to end with no assistance while adhering to industry best practices

3.1 Determine how to set up the aggregation, storage, and analysis of logs and metrics

• Implement and configure distributed logs collection and processing (e.g., agents, syslog, flumed, CW agent)
•  Aggregate logs (e.g., Amazon S3, CW Logs, intermediate systems (EMR), Kinesis FH –Transformation, ELK/BI)
•  Implement custom CW metrics, Log subscription filters
•  Manage Log storage lifecycle (e.g., CW to S3, S3 lifecycle, S3 events)

3.2 Apply concepts required to automate monitoring and event management of an environment

• Parse logs (e.g., Amazon S3 data events/event logs/ELB/ALB/CF access logs) and correlate with other alarms/events (e.g., CW events to AWS Lambda) and take appropriate action
• Use CloudTrail/VPC flow logs for detective control (e.g., CT, CW log filters, Athena, NACL or WAF rules) and take dependent actions (AWS step) based on error handling logic (state machine)
• Configure and implement Patch/inventory/state management using ESM (SSM), Inspector, CodeDeploy, OpsWorks, and CW agents
• EC2 retirement/maintenance
• Handle scaling/failover events (e.g., ASG, DB HA, route table/DNS update, Application Config, Auto Recovery, PH dashboard, TA)
• Determine how to automate the creation of monitoring

3.3 Apply concepts required to audit, log, and monitor operating systems, infrastructures, and applications

• Monitor end to end service metrics (DDB/S3) using available AWS tools (X-ray with EB and Lambda)
• Verify environment/OS state through auditing (Inspector), Config rules, CloudTrail (process and action), and AWS APIs
• Enable, configure, and analyze custom metrics (e.g., Application metrics, memory, KCL/KPL) and take action
• Ensure container monitoring (e.g., task state, placement, logging, port mapping, LB)
• Distinguish between services that enable service level or OS level monitoring Example: AWS services that use OS agents (e.g., Inspector, SSM)

3.4 Determine how to implement tagging and other metadata strategies

•  Segregate authority based on tagging (lifecycle stages – dev/prod) with Condition context keys
•  Utilize Amazon S3 system/user-defined metadata for classification and automation
•  Design and implement tag-based deployment groups with CodeDeploy
•  Best practice for cost allocation/optimization with tagging

4.1 Apply concepts required to enforce standards for logging, metrics, monitoring, testing, and security

•  Detect, report, and respond to governance and security violations
•  Apply logging standards across application, operating system, and infrastructure
•  Apply context specific application health and performance monitoring
•  Outline standards for delivery models for logs and metrics (e.g., JSON, XML, Data Normalization)

4.2 Determine how to optimize cost through automation

1.  Prioritize automation effort to reduce labor costs
2.  Implement right sizing of workload based on metrics
3.  Assess ways to improve time to market through automating process orchestration and
4. repeatable tasks
5.  Diagnose outliers to determine use case fit Example: Configuration drift
6.  Measure and automate cost optimization through events Example: Trusted Advisor

4.3 Apply concepts required to implement governance strategies

• Generalize governance standards across CI/CD pipeline
• Outline and measure the real-time status of compliance with governance strategies
•  Report on compliance with governance strategies
• Deploy governance policies related to self-service capabilities Example: Service Catalog, CFN Nag

5.1 Troubleshoot issues and determine how to restore operations

•  Given an issue, evaluate how to narrow down the unhealthy components as quickly as possible
•  Given an increase in load, determine what steps to take to mitigate the impact
•  Determine the causes and impacts of a failure  Example: Deployment, operations
•  Determine the best way to restore operations after a failure occurs
•  Investigate and correlate logged events with application components Example: application source code

5.2 Determine how to automate event management and alerting

• Set up automated restores from backup in the event of a catastrophic failure
• Set up methods to deliver alerts and notifications that are appropriate for different types of events
•  Assess the quality/actionability of alerts
•  Configure metrics appropriate to an application’s SLAs
•  Proactively update limits

5.3 Apply concepts required to implement automated healing

•  Set up the correct scaling strategy to enable auto-healing when a failure occurs (e.g., with Auto Scaling policies)
•  Use the correct rollback strategy to avoid impact from failed deployments
•  Configure Route 53 to ensure cross-Region failover
•  Detect and respond to maintenance or Spot termination events

5.4 Apply concepts required to set up event-driven automated actions

• Configure Lambda functions or CloudWatch actions to implement automated actions
•  Set up CloudWatch event rules and/or Config rules and targets
•  Use AWS Systems Manager or Step Functions to coordinate components (e.g., Lambda, use maintenance windows)
•  Configure a build/roll-out process to automatically respond to critical software updates

6.1 Determine appropriate use of multi-AZ versus multi-Region architectures

• Determine deployment strategy based on HA/DR requirements
• Determine data replication strategy based on cost and durability requirements
• Determine infrastructure, platform, and services based on HA/DR requirements
• Design for HA/FT/DR based on service availability (i.e., global/regional/single AZ)

6.2 Determine how to implement high availability, scalability, and fault tolerance

• Design deployment strategy to support HA/FT/scalability
• Assess statefulness of application infrastructure components
•  Use load balancing to distribute traffic across multiple AZ/ASGs/instance types (spot/M4 vs
• C4) /targets
•  Use appropriate caching solutions to improve availability and performance

6.3 Determine the right services based on business needs (e.g., RTO/RPO, cost)

•  Determine cost-effective storage solution for your application Example: tiered, archival, EBS type, hot/cold
•  Choose a database platform and configuration to meet business requirements
•  Choose a cost-effective compute platform based on business requirements Example: Spot
•  Choose a deployment service/model based on business requirements Example: Code Deploy, Blue/Green deployment
•  Determine when to use managed service vs. self-managed infrastructure (Docker on EC2 vs. ECS)

6.4 Determine how to design and automate disaster recovery strategies

•  Automate failure detection
•  Automate components/environment recovery
•  Choose appropriate deployment strategy for environment recovery
•  Design automation to support failover in hybrid environment

6.5 Evaluate a deployment for points of failure

•  Determine appropriate deployment-specific health checks
•  Implement failure detection during deployment
•  Implement failure event handling/response
•  Ensure that resources/components/processes exist to react to failures during deployment
•  Look for exit codes on each event of the deployment
•  Map errors to different points of deployment professional (DOP-C01)