AWS Solutions Architect Associate Preparation - Day 1

Introduction

These are my notes while preparing for the AWS Solutions Architect Associate-Level exam. I'll cover foundational concepts, hands-on activities, and best practices. Let's start with the first topic: AWS History and Global Infrastructure.


AWS History

  • AWS was launched in 2002, focusing on infrastructure as a core strength.

  • In 2004, AWS introduced SQS (Simple Queue Service) for external use.

  • Many top organizations, including Netflix, NASA, and Amazon, leverage AWS services.

  • AWS generated $90 billion in revenue in 2023.

  • Use case: AWS enables the development of scalable applications and websites.


AWS Global Infrastructure

AWS operates a vast global infrastructure, ensuring redundancy, scalability, and low latency.

AWS Regions

AWS regions are globally distributed and consist of clusters of data centers. Most AWS services are region-specific.

How to Decide Where to Launch Your AWS Services?

Factors to consider:

  1. Compliance: Government regulations on data storage.

  2. Proximity: Reduce latency by selecting the closest region (e.g., users in India should use the India region).

  3. Availability of Services: Some AWS services are available only in specific regions.

  4. Pricing: Costs vary based on the selected region.

AWS Availability Zones (AZs)

  • Each AWS region consists of multiple Availability Zones (AZs).

  • An AZ includes one or more discrete data centers with redundant power, networking, and connectivity.

  • AZs are physically separated so that a disaster in one AZ does not affect the others, and they are connected via high-bandwidth, low-latency networking.

AWS Points of Presence (Edge Locations)

  • AWS has 400+ Points of Presence in 90+ cities across 40+ countries.

  • Ensures content is delivered to users with the lowest possible latency.

AWS Global vs. Region-Specific Services

Global Services:

  • IAM (Identity & Access Management)

  • Route 53 (DNS service)

  • CloudFront (CDN service)

  • WAF (Web Application Firewall)

Region-Specific Services:

  • Amazon EC2 (Infrastructure as a Service - IaaS)

  • Elastic Beanstalk (Platform as a Service - PaaS)

  • AWS Lambda (Function as a Service - FaaS)

  • Amazon Rekognition (Software as a Service - SaaS)


Hands-On: Creating an AWS Account

  1. Sign up on AWS Console

  2. In the AWS search bar, search for any service.

  3. The top right corner will display the selected region.

    • EC2: Shows the selected region.

    • Route 53: Appears as a global service.


IAM (Identity & Access Management) & AWS CLI

IAM Basics

  • IAM is a global service that manages identities and permissions.

  • The root account is created by default but should never be used for daily operations.

  • IAM Users: Represent individuals in an organization and can belong to one or more IAM Groups.

  • IAM Permissions: Managed through policies (JSON-based documents).

    [Diagram: three user groups (Developer, Audit, Ops), each associated with a policy document and connected to a user icon. An additional inline policy is marked with a red X, indicating that direct assignment to a user is not allowed.]

AWS IAM Policy Inheritance Best Practices

  • Policies should be assigned to groups, not individuals.

  • Users inherit permissions based on group membership.

  • A single user should not have policies assigned directly.

  • Group-based access ensures scalability and security.

  • Engineers in multiple groups inherit permissions from all assigned groups.

  • This approach follows AWS best practices for IAM security.

IAM Hands-On: Users & Groups

  • IAM Policy Inheritance: Users can belong to multiple groups (e.g., Developers, Operations, Audit Team).

  • IAM Policy Structure:

{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy",
  "Statement": [
    {
      "Sid": "AllowReadAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "<User ARN>" },
      "Action": "iam:ListUsers",
      "Resource": "*"
    }
  ]
}

Hands-On: IAM Policy Testing

This hands-on exercise demonstrates how IAM policies work in AWS by assigning and revoking permissions. Follow these steps while performing the actions in your AWS account.

1. Sign in as the Root User & Create an IAM User

  • Log in to the AWS Management Console using the root account.

  • Navigate to IAM (Identity and Access Management).

  • Under the Users section, click Add User.

  • Enter a username (e.g., test-user).

  • Choose "AWS Management Console access" and set a password.

  • Click Next without assigning permissions yet.

  • Review the details and click Create user.

2. Assign the IAM ReadOnlyAccess Policy

  • In the IAM Dashboard, go to Users and select the newly created user.

  • Click on the Permissions tab and choose Add Permissions > Attach policies directly.

  • Search for ReadOnlyAccess and select it.

  • Click Next, review, and then Add permissions.

  • The user now has read-only access to AWS resources.

3. Log in as the IAM User & Test Access

  • Sign out from the root account, or log in from an incognito browser window.

  • Log in to the AWS Console using the IAM user’s credentials.

  • Try navigating to various AWS services (e.g., EC2, S3, IAM).

  • The user should be able to view resources but not modify them.

  • Attempt to access the IAM Dashboard—it should be read-only, meaning no changes can be made.

4. Remove ReadOnlyAccess Permission & Re-Test

  • Sign out from the IAM user account and log back in as the root user.

  • Go to IAM > Users and select the IAM user.

  • In the Permissions tab, remove the ReadOnlyAccess policy.

  • Save changes and sign out.

5. Log in Again as the IAM User & Observe the Restriction

  • Log in with the IAM user’s credentials again.

  • Try accessing any AWS service or the IAM Dashboard.

  • Access should now be denied, confirming that permissions are enforced properly.

  • Add the ReadOnlyAccess policy back to the user; it will be needed in later demos.
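To replay this hands-on offline, here is an added example (not part of the original notes) of a minimal evaluator for the policy-document structure shown earlier. It implements the core AWS decision rule (an explicit Deny always wins, and with no matching Allow the request is implicitly denied, which is what step 5 shows) and group inheritance (a user holds every policy of every group they belong to). The Principal field is ignored because it only appears in resource-based policies; identity-based policies attached to users and groups, as in this exercise, omit it. The ReadOnly and NoIam documents are constructed stand-ins, not copies of AWS managed policies.

```python
from fnmatch import fnmatchcase

def _matches(pattern, value):
    # IAM action and resource patterns use '*' and '?' wildcards; action names
    # are case-insensitive, so both sides are compared in lower case.
    return fnmatchcase(value.lower(), pattern.lower())

def _as_list(x):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return x if isinstance(x, list) else [x]

def is_allowed(policies, action, resource="*"):
    """True if the combined identity-based policies allow `action` on `resource`."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins, whatever else allows
            allowed = True
    return allowed  # nothing matched: implicit deny (what step 5 shows)

def effective_policies(user_groups, group_policies):
    """Inheritance: a user holds every policy of every group they belong to."""
    return [p for g in user_groups for p in group_policies.get(g, [])]

# Constructed stand-in for the managed ReadOnlyAccess policy (the real one is
# far longer): only read-style actions, so the user can view but not modify.
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["*:Describe*", "*:List*", "*:Get*"], "Resource": "*"}]}
# Constructed guardrail policy demonstrating an explicit Deny on all IAM actions.
DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NoIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
GROUP_POLICIES = {"Audit": [READ_ONLY], "Restricted": [DENY_IAM]}

if __name__ == "__main__":
    reader = effective_policies(["Audit"], GROUP_POLICIES)
    print(is_allowed(reader, "ec2:DescribeInstances"))    # True: step 3, viewing works
    print(is_allowed(reader, "ec2:TerminateInstances"))   # False: read-only
    print(is_allowed([], "iam:ListUsers"))                # False: step 5, policy removed
    both = effective_policies(["Audit", "Restricted"], GROUP_POLICIES)
    print(is_allowed(both, "iam:ListUsers"))              # False: explicit Deny wins
```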


Securing AWS Accounts

1. Password Policy

  • Set strong passwords.

  • Define a minimum password length.

  • Allow password changes.

  • Set password expiration.

  • Prevent password reuse.

2. Multi-Factor Authentication (MFA)

  • Password + MFA = Secure Login

  • MFA Device Options:

    • Virtual MFA apps (Google Authenticator, Authy)

    • Hardware security keys

    • SMS-based MFA

Setting Up MFA in AWS

  1. Navigate to IAM > Security Credentials.

  2. Enable MFA and link it to an authentication device.

  3. Test login with MFA enabled.


Accessing AWS Services

Three ways to access AWS:

  1. AWS Management Console: Web-based UI, login via password & MFA.

  2. AWS CLI: Command-line access using Access Key ID & Secret Key.

  3. AWS SDK: Programmatic access using APIs (Supports Python, Java, Node.js, etc.).

AWS CLI Setup on Windows

  1. Create Access Keys for IAM User

    To interact with AWS using the CLI, you need access keys. Follow these steps to generate them:

    • Log in to the AWS Management Console as an IAM user with appropriate permissions.

    • Navigate to IAM (Identity and Access Management).

    • Go to Security Credentials under your IAM user settings (the user we created earlier).

    • Click Create Access Key.

    • Copy the Access Key ID and Secret Access Key (store them securely).

2. Configure AWS CLI

Now, set up AWS CLI on your local machine using the generated access keys.

  • Open a terminal or command prompt.

  • Run the following command:

      aws configure
    
  • Enter the requested details:

    • AWS Access Key ID: (Paste the copied key)

    • AWS Secret Access Key: (Paste the secret key)

    • Default region: (e.g., us-east-1 or your preferred region)

    • Default output format: (Choose json, table, or text)

3. Verify IAM Users via AWS CLI

Once configured, use AWS CLI commands to list IAM users:

    aws iam list-users

This command retrieves a list of IAM users in your AWS account. If configured correctly, the output will display user details.


CloudShell: AWS Terminal

  • AWS CloudShell is a browser-based terminal (free to use).

  • Not available in all AWS regions.

  • Can upload/download files, run AWS CLI commands.

Hands-On: CloudShell

  1. Open CloudShell from AWS Console.

  2. Check installed AWS CLI version:

     aws --version
    
  3. List IAM users:

     aws iam list-users
    

IAM Roles for AWS Services

Some AWS services need roles to perform actions on your behalf.

  • Common IAM Roles:

    • EC2 Instance Role

    • Lambda Function Role

    • Roles for CloudFormation

Hands-On: Creating an IAM Role

  1. Navigate to IAM > Roles > Create Role.

  2. Select AWS Service > Use Case = EC2.

  3. Attach IAM ReadOnlyAccess Policy.

  4. Name the role and create it.


IAM Security Tools

IAM Credentials Report (Account Level)

  • Lists all users and credential status.

  • Download from IAM > Credentials Report.

IAM Access Advisor (User Level)

  • Shows last accessed AWS services for each user.

  • Helps refine IAM permissions.
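As an added example (not from the original notes), the check below audits the CSV that IAM > Credentials Report produces, flagging what the best-practice list cares about: a root account with active access keys or without MFA, console users without MFA, and access keys older than a rotation window. The column names match the real report's header, but the rows are constructed sample data and the 90-day window and fixed "now" are assumptions for the demo.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows (not from any real account). Only the columns this
# check reads are included; the names match the real report's header, and
# csv.DictReader selects by name, so the full downloaded CSV works unchanged.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,false,true,2023-01-01T00:00:00+00:00,false,N/A
test-user,true,false,true,2025-01-05T00:00:00+00:00,false,N/A
ops-admin,true,true,true,2024-06-01T00:00:00+00:00,false,N/A
"""
# Fixed "now" (assumed) so the key-age arithmetic is reproducible.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs for every row that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is not for day-to-day use: no access keys at all, and always MFA.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run it against a freshly downloaded report by reading the file into `report_csv` and passing `datetime.now(timezone.utc)` as `now`.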


IAM Best Practices

  ✅ Avoid using the root account.

  ✅ One physical user = One IAM user.

  ✅ Assign users to groups and manage permissions at the group level.

  ✅ Implement strong password policies & MFA.

  ✅ Use IAM Roles for AWS services.

  ✅ Audit permissions using IAM Credentials Report & IAM Access Advisor.

  ✅ Never share IAM access keys.


Stay tuned for Day 2, where we’ll dive into EC2 & Storage Services! 🚀
