Pass Amazon AWS Certified Developer - Associate Certification Exams in First Attempt Easily
AWS - 10,000 Feet Overview
4. 10,000 Foot Overview - 3 of 4
So let's start with security and identity, and this service, Identity Access Management, or IAM, we're going to do in the very next section of the course. That's where we're going to start getting our hands dirty and using the AWS console. And this particular service comes up in every single certification exam you're ever going to do. It comes up in all eight, because this is the fundamental component of AWS. This is how you basically sign in, or authenticate, to AWS. This is how you set up new users. This is how you assign user permissions. This is how you group users. You might have your users in the Administrator group, the Developer group, or a Read-Only group. This is the fundamental identity and access management service needed to use AWS. So you're going to be an IAM guru in the very next section. Moving on to Inspector. Inspector is a pretty cool service. Basically, it's an agent that you install on your virtual machines, and it inspects those virtual machines and does security reporting as to what's going on. Believe it or not, it doesn't even feature just yet in the Security Specialty exam. It doesn't really come up in any of the Associate exams either. Certificate Manager is really cool. This gives you free SSL certificates for your domain names. We will be using that later on in the course. Directory Service is basically a way of using Active Directory, which you use with Microsoft, with AWS. It's a way of connecting Active Directory to AWS. This one really only comes up in the Solutions Architect Associate course, so we will have a lecture on it in that course. It's going to be a theoretical lecture rather than a practical lecture, but you just need to understand the different types of directory service available. Moving on to WAF, or Web Application Firewall. So basically, this allows you to give application-level protection to your website.
Traditionally, firewalls provide network-level protection, while WAF provides application-level protection. As a result, it prevents SQL injection, cross-site scripting, and other malicious activity at the application layer. And again, don't worry if you don't understand these terminologies. We're going to have a whole section on WAF. We're going to use it with our Elastic Load Balancers in the EC2 section of the course, and we'll look at how it works. The only thing you need to remember is that it's a security product. Now, it doesn't really come up, to be honest. It doesn't come up even in the Security Specialty exam just yet, or at least not that I can remember. It doesn't come up in any of the Associate ones, either. But that being said, it's fundamentally an important technology. So we're going to cover it in a little more detail in the EC2 section of the course. And finally we have a thing called Artifact. This is basically where you get your documentation in the AWS console. And this is probably just something easier to show you than to describe. So if we go down to Security and Compliance, we go down to Compliance Reports, and it's AWS Artifact. And this is basically where you can get your ISO 27001 certification, or your ISO 9001 certification, or your PCI DSS attestation of compliance, and so on. So this is where you get all your compliance documents. So it's pretty simple. Again, it doesn't really come up too much apart from in the Security Specialty certificate, and it comes up all the time in that particular set, but it won't come up in any of the Associate certificates. Okay, so let's move on, and we're going to move on to management tools. Now, management tools do come up in all three Associate certificates. CloudWatch mostly comes up in the SysOps Administrator Associate course.
Basically, CloudWatch is used to monitor the performance of your AWS environment, in particular things like EC2. You can monitor disk utilisation, RAM utilisation, CPU utilisation, et cetera. We will have labs on CloudWatch in the Certified Solutions Architect Associate course and the SysOps Administrator Associate course. CloudFormation. So CloudFormation is its own animal. CloudFormation is what actually drove me to AWS to begin with. So if you're working with AWS, chances are you're probably going to use CloudFormation in some way, shape, or form. CloudFormation is a way of turning your infrastructure into code. So instead of having physical firewalls, network switches, load balancers, physical servers, et cetera, CloudFormation is basically a document that describes your AWS environment. And you have these things called CloudFormation templates. And basically, you can provision entire production environments as CloudFormation templates and just deploy them at will. You can even deploy them via the command line. You can provision a 50-server environment using multiple availability zones, autoscaling, handling failures, and everything else with a single command in the command line. It's an amazing technology. So CloudFormation turns your infrastructure into code. And what we're going to do in this particular course is go out and create a fault-tolerant WordPress site. It's going to take quite a few labs to get through it all, and then we're going to look at how we can just use CloudFormation to do it all in, like, the space of 30 seconds. So CloudFormation is a fantastic technology. We do have a CloudFormation course, which is the Beginner's Guide to CloudFormation, and we're about to release the Deep Dive into CloudFormation at the beginning of January 2017. CloudFormation is the one thing you need to know inside out if you plan on working as a solutions architect in the real world for AWS.
Now, that being said, CloudFormation doesn't come up in the exams all that much. I mean, you basically just have to understand what it is at a high level. It comes up in the Security Specialty exam. In the Solutions Architect Professional exam, you need to understand how to both deploy CloudFormation templates and roll them back. But at the Associate level, you don't really need to know much apart from what it is and what it does. That being said, and I'm going to break my own rule here about only teaching you what you need to know to pass the exam, you do need to know CloudFormation. So we're going to have a lab on CloudFormation later on in the course. CloudTrail is a way of auditing your AWS resources. If someone goes into Identity Access Management and creates a new user, CloudTrail will record it. So CloudTrail is used for auditing changes to your AWS environment. Again, you just need to understand what it is at a high level. We'll probably have a lab on it. It comes up a lot in the Security Specialty exam. OpsWorks is basically a way of automating deployments using Chef. So basically, this really only comes up in the SysOps Administrator Associate exam. There will be a lab on it. Config is a tool that automatically monitors your environment and alerts you when it detects that your environment may break specific configurations that you have set. It's basically a way of auditing your environment. But unlike CloudTrail, which basically just audits, with Config you can set alerts. So if somebody goes in and creates a new security group that's breaking company policy, Config will detect that, and it will basically send you an alert saying this person is doing something that contravenes company policy. As a result, it's an excellent way to proactively monitor changes in your environment. Again, it doesn't really come up in any of the Associate exams. It does come up in the Security Specialty exam, though.
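As an added example (not part of the course), here is the kind of check a Config rule expresses, written in Python over a constructed sample shaped like the EC2 DescribeSecurityGroups response: flag any security group that opens SSH or RDP to the whole internet, which is the "contravenes company policy" case the lecture describes. The group names and CIDRs are made up for the example.

```python
"""Evaluate security groups against a simple company policy: no inbound SSH or
RDP from the whole internet. This mirrors what an AWS Config custom rule would
report; the input below is a constructed sample in the shape of the EC2
DescribeSecurityGroups API response (not real account data)."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}          # "anywhere" CIDRs for IPv4 and IPv6


def _admin_ports_covered(perm):
    """Admin ports that one IpPermissions entry exposes (empty set if none)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # -1 means all protocols and all ports
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):          # SSH/RDP are TCP; "6" is its number
        return set()
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def _world_open_cidrs(perm):
    """CIDRs in this entry that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)


def evaluate_security_group(group):
    """Return (compliance, findings), using Config's COMPLIANT/NON_COMPLIANT terms."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = _world_open_cidrs(perm)
        if not cidrs:
            continue
        for port in sorted(_admin_ports_covered(perm)):
            findings.append(
                f"{group['GroupId']} ({group['GroupName']}): "
                f"{ADMIN_PORTS[port]} tcp/{port} open to {', '.join(cidrs)}"
            )
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


# Constructed sample groups; only the fields the check reads are included.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin", "GroupName": "admin-from-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wide-open", "GroupName": "everything", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def evaluate_all(groups=SAMPLE_GROUPS):
    """Map each GroupId to its (compliance, findings) result."""
    return {g["GroupId"]: evaluate_security_group(g) for g in groups}


if __name__ == "__main__":
    for group_id, (status, findings) in evaluate_all().items():
        print(group_id, status)
        for finding in findings:
            print("  -", finding)
```

Only sg-bastion and sg-wide-open come back NON_COMPLIANT; the office-only SSH rule and the public HTTPS rule pass, which is the distinction an alert should make.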
Next up, we have AWS Service Catalog. And this is a service that's designed for larger enterprises. And basically, enterprises might have specific images that they might want to use for EC2, or they might have specific AWS services that are authorised within their organisation. So, for example, EC2, S3, or RDS, but they may also have other services that they do not want to authorise, things like WorkSpaces, for example. Service Catalog basically allows you, as an enterprise, to build out what it is that you authorise within your organisation and what services are not authorised. And that's Service Catalog; don't worry too much about it, because it is not an exam topic in any of the Associate or Professional exams. Moving on to Trusted Advisor. Trusted Advisor was actually designed by the AWS Solutions Architecture team, and basically, when they would go into customer environments, they would make a series of recommendations. Trusted Advisor is their way of automating this, and basically it'll give you tips on how to do cost optimisation, how to do performance optimisation, any security fixes you should make, and how to build a more fault-tolerant environment. So basically, it's an automated way of scanning your environment and giving you different tips. Again, it really only comes up in the Solutions Architect Associate exam, and you just really need to know what it is. So we might just do a quick lab on it during the course. Moving on to application services. So let's start with Step Functions. Step Functions is a brand new service that was just announced at re:Invent 2016. Because it's so new, it hasn't yet appeared in any of the exams. Basically, it's a way of visualising what's going on inside your application, or what different microservices it's using. Simple Workflow Service definitely comes up. To be honest, it's a cornerstone of both the, well, actually all three Associate exams. And Simple Workflow Service is
actually what they use in the Amazon fulfilment centres, and it's a way of coordinating both automated tasks and human-led tasks. So let's say you place an order for a calculator. Somebody inside the warehouse has to actually go and locate that calculator. They have to then basically pick it up, take it over to the posting and packing area, where somebody else will apply posting and packing to it, and then it needs to be sent out to you. Simple Workflow basically facilitates that. And we will cover that off in the Application Services section of the course. Okay. So let's move on to API Gateway. And basically, think of API Gateway as a door. It allows you to create, publish, maintain, monitor, and secure APIs at scale. So basically, it's a door for your apps to access back-end data. As an example, it could be to access business logic or functionality from back-end services such as Lambda. We actually use it on the A Cloud Guru platform. You're using it right now if you're using our website. Basically, we run AngularJS on our client devices. They then make calls to API Gateway, and API Gateway then triggers Lambda functions, which basically respond to your request. So when you're trying to view a discussion forum, for example, that goes through API Gateway and a Lambda function is responding to your request. Don't worry if that all sounds complicated, because it's not going to come up in any of the exams. You just need to know what it is at a high level. I'll probably just do a quick little lecture on serverless and how our actual platform works to put it all into perspective for you. But, aside from what is required for any of the Associate exams, you don't need to know much of it in detail. So just think of it as a doorway to accessing back-end services with AWS. Moving on to AppStream. AppStream is pretty cool. It's a method of delivering desktop applications to your users. Again, you don't need to worry about it for any of the exams.
And, once again, we use Elastic Transcoder a lot at A Cloud Guru. Every single video that I record, we run through Elastic Transcoder, which basically just changes the video format to suit all different devices. So if you're watching this on an iPad, it'll be different for you than if you're watching it on an iPad Air 2, and it will be different in terms of screen resolution if you're watching it on a laptop. So, with Elastic Transcoder, basically, you upload a video and it's going to transcode that video into all these different formats. Again, it doesn't come up in any of the exams. Okay, so let's move on to developer tools. Now, surprisingly, this does not come up in the Developer Associate exam at all. I would expect that to change in 2017. So I am going to have labs on the four different products in here. So CodeCommit is similar to GitHub. It's a place to store your code securely in the cloud. You can either open it or close it. So you can basically just store your code in the cloud. CodeBuild is a way of compiling your code. It's brand new. It was released at re:Invent 2016. And CodeBuild is actually interesting because you pay by the minute for it, but it's just a way of compiling your code in different environments. And then CodeDeploy is exactly what it sounds like. It's a way of deploying your code to your EC2 instances. It does it in a very automated and regulated fashion. And then CodePipeline is a way of keeping track of all your different, basically, versions of code. So you might have different code in Test and Production; you might have different code in actual Production; you might have different code in UAT; et cetera. These are all fantastic developer tools. You would think that this would be in the Developer Associate exam. You'd think it would be one of the cornerstones of the Developer Associate exam, but it has not yet been added. I would expect that to change, though.
And for that reason, I'm going to have a lab on every single product in this particular section of the course, and it's optional as to whether or not you do them. Okay, so almost all of the next few services don't come up in any of the Associate-level exams. And then messaging does come up quite a bit. So I'm just going to go through it really quickly and just give you a high-level overview. Remember that you should always have a good understanding of what these services are. So, moving on to mobile services, let's start with Mobile Hub. Basically, this lets you add, configure, and design features for your mobile apps. This includes things like user authentication, data storage, back-end logic, push notifications, content delivery, and analytics. The way to think of Mobile Hub is that you've got the AWS console, which we're going to be logging into all the time. Mobile Hub has its own console for mobile apps. So basically, if you're a mobile app developer, you'll be logging into Mobile Hub all the time, and it has its own console inside there. And the console basically consists of all these different elements. So it consists of things like Cognito. Cognito makes it easy for you to have users sign up and sign in to your apps using things like social identity providers. So Cognito, we do this in our iOS with AWS course. We use Cognito for that, and we allow people to sign in using basically their Gmail credentials and all of that information. So their first name, their surname, and their email address are all stored in Cognito. Again, this doesn't come up in any of the Associate exams, really. This is real-world application stuff. If you want to use Cognito, check out our iOS with AWS course, which will teach you how to build an Instagram clone using AWS back-end services.
So you'll take a photo, it'll store that photo in S3, it will write the metadata to DynamoDB, it will trigger Lambda functions to generate thumbnails of that photo, and it will store basically everyone's user data in Cognito. And they basically sign in using their Gmail account. Again, it's a great course, but it has nothing to do with certifications. Moving on to Device Farm. Basically, this enables you to improve the quality of your Android, iOS, and Fire OS apps by quickly and securely testing them on hundreds of real smartphones. So it's literally a farm of all these different devices. And you can test your apps on physical devices in the AWS data centre. Moving on to Mobile Analytics. This is a service that lets you basically, simply, and cost-effectively collect and analyse app usage data. So it's a way of analysing your mobile data. And then Pinpoint is a brand new service. It was announced at re:Invent 2016. And this basically enables you to understand and engage with your application users. Think of Pinpoint as Google Analytics for your mobile applications. So you use Pinpoint to gather data on what your users are doing with the apps that you've built, where they are in the world, how they make different purchases, et cetera. It allows you to understand user behaviour, and then you can define who to engage, determine what notifications to send, and then decide when to deliver these notifications. And then you can track the results of these campaigns. So basically, think of it as a way of combining Google Analytics with targeted marketing campaigns. And again, because it's a brand new service, it doesn't come up in any of the exams. Moving on to business productivity. WorkDocs is a way of securely storing your important work documents in the cloud. It's more or less using S3, but it has a whole bunch of different security features tied into it. Not in any of the exams. Then we have WorkMail.
Think of it as Exchange for AWS, that is, a way of sending and receiving email. Again, not in any of the exams. Moving on to the Internet of Things, or IoT. IoT is its own immense service. It was announced at re:Invent in 2015. And it's basically a way of having thousands, millions, or billions of devices out there and then keeping track of them. You use an IoT gateway. IoT will probably be its own certification. That's my own bet. Perhaps in 2017, perhaps in 2018. Again, it's quite new. It was announced at re:Invent 2015 and doesn't appear in any of the exams at present. Moving on to desktop and app streaming. So we've got WorkSpaces, for those of you who know what VDI is. Basically, WorkSpaces is just VDI. Think of WorkSpaces as a way of having your desktop in the cloud. So if you're using a Windows PC, you might have a thin client. So it might just be a tablet or something that has no local operating system installed on it. The actual operating system itself would run in the AWS cloud. So you run your Windows environment out there. Apart from knowing what it is, it doesn't play a big role in the exam. And then we have AppStream 2.0. This is again very similar to AppStream 1.0. AppStream 1.0 has been retired now, but it still sits in the AWS console. So it's simply a method of delivering desktop applications to your users. Moving on to artificial intelligence. And I could talk about this all day. This is one of the biggest announcements at re:Invent. AI encompasses a wide range of new services. If you're a fan of Elon Musk, you probably follow AI a lot. Elon Musk, for those that don't know, is the founder of Tesla, also the founder of SpaceX. He's basically Iron Man. The character Iron Man was based, more or less, on Elon Musk, if you believe the rumours. And Elon Musk is always warning us against the dangers of artificial intelligence. He says it's, like, basically seven times more dangerous than nuclear weapons. It's nuclear weapons to the nth degree.
Artificial intelligence is here. It's growing faster every day. It is pretty scary stuff. I really started getting into AI when Elon Musk tweeted about this book. It's called "Superintelligence" by Nick Bostrom. I recommend you read it. It's fantastic. Go ahead and have a look at it on Amazon.com. We're out of time now, guys. You've been really patient. One more lecture, and then we'll finish this section of the course. So go have yourself a coffee, and when you've got the time, please join me in the next lecture. Thank you.
5. 10,000 Foot Overview - 4 of 4
So we were just talking about artificial intelligence. Do check out that book by Nick Bostrom. It is really good. It is a bit of a dry read, but the stuff he says in there is super, super important. AI is by far the big thing to watch in the next 10 to 15 or 20 years. And by all means, basically, Nick says that AI at human-level intelligence is not a stop; it's basically a freight train. You hit human-level intelligence, and then you hit superintelligence after that. And it could happen very quickly. So definitely keep an eye out for AI. So in terms of AI at re:Invent 2016, it was a major theme. For those of you who have heard of Alexa, it's Amazon's voice service in the cloud. You use it to basically communicate with Alexa using an Echo, and essentially all you're doing is talking to Lambda. Now, what drives that service is actually what's inside the Alexa service, and it's called Lex. So Lex was announced at re:Invent 2016, and it means that you no longer necessarily need an Echo to communicate with Alexa. You can basically just start creating software. You can embed her on all kinds of different devices. We then have Polly. And Polly basically takes any text and turns it into a voice. It can turn it into MP3 files, for example. And Polly is the same technology that helps Alexa render her voice. Now, Polly is available in a whole bunch of different voices and a whole bunch of different languages. It's super advanced stuff. It is very new, so it won't feature in any of the exams. However, we do use it in the course. What we're going to do later on in the course is create a serverless application that converts all the notes that you're going to write when you're studying into MP3 files. And then you can listen to these notes on the go, so you can download them, render them in any voice you want, and then listen to them as if they were a podcast, so you can study without being in front of your computer.
So we would encourage you to take notes throughout this course. It doesn't have to be anything fancy. Plain text is fine, because when you convert it with Polly, you've got to have just plain text anyway. But we will be using Polly later on in the course, and that lab is actually one of my favourites. It's so much fun to go out and make something. And this is really cutting-edge stuff. Machine Learning has actually been out for a little while. Machine Learning, again, doesn't feature in any of the exams, but basically you give AWS a data set. You tell it what the outcomes are based on that data set. So whether or not a customer bought; perhaps the data set would be their age, their name, their address, what their occupation is, whether they're married, how many children they have, et cetera. And Amazon will then use machine learning to analyse that data set. And then you can predict outcomes based on that data set for future decisions. So you might have a customer come to your site who fits your profile perfectly. Perhaps you've got an online men's gift shop and somebody arrives at your site who's a 32-year-old male who is married with two children. That's a perfect candidate for you. Whereas if a 70-year-old woman came on, that might not be a good fit for you. Or it could be, because she's buying her son a Father's Day or, I don't know, a birthday present. So, basically, machine learning allows you to predict outcomes based on previous data. It doesn't feature in the exam. And then the newest service for AI was Rekognition. Rekognition is a great service. Basically, you can upload a picture to it and it will tell you what's in that picture, give you tags, and tell you that there's a person, there's a mountain bike, there's a crest, it's outdoors, and there's a rock. It also does facial recognition, so you can compare faces in databases.
So you could build up a database of faces, and then when somebody uploads a picture, you could say whether or not that person is recognised, and it will give you a recognition percentage. So that is Rekognition. Again, these are completely brand new services and don't feature in any of the exams, but they are all pretty powerful services launched by AWS. Moving on to messaging. And messaging does come up in all three Associate exams. So SNS is Simple Notification Service. This is a way of notifying you either via email or via text message, for example, or a whole bunch of different ways of publishing using SNS. You can even publish to HTTPS endpoints. We will cover this in a lab. We then have SQS. Again, this really comes up a lot in the Certified Solutions Architect Associate exam, as well as the Certified Developer Associate exam. You need to understand SQS. SQS is a way of decoupling your applications. Basically, it's a queue system, so you can post jobs to a queue. The way I like to remember this is, let's say you've got a website that generates memes. Someone uploads a picture to the website and then puts some funny writing across it. Basically, SQS will store that as a job. And then your EC2 instance, which actually creates the picture and then puts the text over the picture, will poll the SQS queue looking for jobs, and it'll say, "Oh look, somebody wants to create a new meme," and go through and create that meme for you. Now, if your EC2 instance dies during that process, the message is still stored in SQS, and it will become visible again later on. And then another EC2 instance will pick it up. So it's simply a method of decoupling your applications so that they don't have tightly coupled dependencies. And again, if that doesn't make a lot of sense, we will have an entire section or a couple of lectures on this later on in the course. And then we have Simple Email Service, and this is basically a way of sending and receiving emails using AWS.
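The meme-job scenario above, as an added example that is not from the course: a small Python model of the SQS visibility-timeout behaviour (a received message is hidden, not removed, until the consumer deletes it), showing a first worker that dies mid-job and a second worker that picks the same message up once the timeout lapses. The queue and the workers are simulated in-process with a logical clock; the class is a constructed stand-in, not boto3, and no AWS calls are made.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Message:
    body: str
    receive_count: int = 0        # how many times consumers have received it
    invisible_until: float = 0.0  # logical time at which it becomes visible again
    receipt_handle: str = ""      # handle issued on the latest receive


class SimpleQueue:
    """Toy model of SQS semantics (constructed for this example, not boto3):
    receive_message() hides a message for visibility_timeout seconds instead of
    removing it; only delete_message() with the current receipt handle removes it."""

    def __init__(self, visibility_timeout=30.0):
        self.visibility_timeout = visibility_timeout
        self._messages = []
        self._handles = itertools.count(1)

    def send_message(self, body):
        self._messages.append(Message(body))

    def receive_message(self, now):
        """Return the first visible message at logical time `now`, or None."""
        for msg in self._messages:
            if msg.invisible_until <= now:
                msg.invisible_until = now + self.visibility_timeout
                msg.receive_count += 1
                msg.receipt_handle = f"handle-{next(self._handles)}"
                return msg
        return None

    def delete_message(self, receipt_handle):
        """Remove the message whose latest receive issued this handle."""
        for i, msg in enumerate(self._messages):
            if msg.receipt_handle == receipt_handle:
                del self._messages[i]
                return True
        return False

    def approximate_count(self):
        return len(self._messages)


def simulate_meme_job(visibility_timeout=30.0):
    """Worker A receives the job and crashes; worker B retries after the timeout.
    Returns a dict of observations so the behaviour can be checked."""
    queue = SimpleQueue(visibility_timeout)
    queue.send_message("meme: cat.jpg + 'I can has cheezburger'")

    # t=0: worker A takes the job, then dies before calling delete_message().
    job_a = queue.receive_message(now=0.0)
    worker_a_crashed = job_a is not None      # no delete ever follows

    # t=10: worker B polls; the job is still hidden, so it sees nothing.
    seen_early = queue.receive_message(now=10.0)

    # t=timeout+1: the timeout has lapsed, so the same message is visible again.
    job_b = queue.receive_message(now=visibility_timeout + 1.0)
    deleted = queue.delete_message(job_b.receipt_handle) if job_b else False

    return {
        "worker_a_crashed": worker_a_crashed,
        "hidden_during_timeout": seen_early is None,
        "redelivered_body": job_b.body if job_b else None,
        "receive_count": job_b.receive_count if job_b else 0,
        "deleted_by_b": deleted,
        "messages_left": queue.approximate_count(),
    }


if __name__ == "__main__":
    for key, value in simulate_meme_job().items():
        print(f"{key}: {value}")
```

A receive count above 1 is the signal a consumer should use to keep the job idempotent, since the crashed worker may have completed part of the work before it died.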
It does come up in the exams, and we will have a lab on it in the course. Okay, so I know what you're thinking. You're thinking, "Oh my God, look at all these different sections, and then all the different services that fall under each section." So I'm going to remind you again: remember, you only need to know certain sections in order to pass the Certified Solutions Architect Associate exam. Really, it's these sections. So in your global infrastructure, you're going to need to understand the difference between a region and an availability zone. Remember, a region is a geographical area, whereas an availability zone is an actual physical data centre. You're going to need to understand networking and content delivery, compute, databases, storage, security and identity, and in particular Identity Access Management, which we're going to cover in the very next section of the course. Management tools are really just around CloudFormation for the Solutions Architect Associate exam. Desktop and app streaming, only at a very high level. You just need to understand what WorkSpaces is. Here's a hint: it's virtual desktops in the cloud. So if you want to run VDI in the cloud, you use WorkSpaces. And that's literally all you really need to know. And for messaging, we're going to have a bunch of different labs on the various messaging components. So it does seem like an awful lot, but we will walk you through it. You've been really patient to get this far. Go have a really long break, and then come and join me in the next section of the course, where we're going to discuss IAM. We're going to start logging into the AWS console and getting our hands dirty. So if you've got the time, join me for the next lecture. Thank you.
Identity Access Management (IAM)
1. IAM 101
So, IAM, what is it? Well, essentially it allows you to manage users and their level of access to the AWS console. It's important to understand IAM and how it works, both for the exam and for administering a company's AWS account in real life. So this is one of the core concepts that you're going to need to understand going into the exam. So what does IAM actually give you? Well, it gives you centralised control of your AWS account and gives you shared access to your AWS account. It gives you granular permissions. It gives you identity federation. What do I mean by that? It just means that you can connect your IAM up to Active Directory or to Facebook or LinkedIn, for example, so you can actually federate with different identity providers. And we'll cover how to do that in a later lecture. It also allows you to do multi-factor authentication, so you can use two-factor authentication when logging in. And we're actually going to set that up in the next lab. And IAM also allows you to provide temporary access for users, devices, and services where necessary. So you can actually set it up so that if you're developing something like a web application or a mobile phone application, that application can temporarily access your AWS account and perhaps store things in DynamoDB or S3, for example. It allows you to set up and manage your own password rotation policy. It integrates with many different AWS services, and it supports PCI DSS compliance. Okay, so before we start our lab, I just want to introduce you to some critical terms. So the first one is a user, and it's pretty obvious what a user is; think end users or people. We then have groups. And groups are simply a collection of users under one set of permissions. So you might have a group that's your finance group, or you might have your systems administrator group, or you might have your HR group.
Essentially, it's a way of grouping your users together and applying one or more sets of permissions to that group. Then we have roles. Now, a role is really important, and the best way to understand what a role is is to go on and use it, and we're going to do this a lot in the coming labs. So you create roles, and you can then assign them to AWS resources. So you might have an EC2 instance, which is a virtual machine, and you might give it a role in order to access S3. And then that EC2 instance can write files directly to S3, and you don't need to set up usernames and passwords for that EC2 instance. And that's exactly what we're going to do in the next couple of labs. And then you have policies. Now, policies are simply a document that defines one or more permissions. So a policy is basically permissions, and you apply policies, or attach policies, to users, groups, and roles, right? They connect up with each other. So you can attach a policy to a user, to a group, or to a role. And users, groups, and roles can all share the same policy documents. A policy document basically sits on top of each of those three pillars. Okay, that's really it, guys. The best way to learn IAM is to start using it. So let's start our first lab. If you've got the time, feel free to move on to the next lecture. Thank you. Bye.
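The users, groups, roles and policies just described, as an added example that is not from the course: a toy Python model of how IAM evaluates a request against the policy documents attached to a principal, with an explicit Deny beating any Allow and anything unmatched denied by default. The policy documents use the real IAM JSON shape; the principals, the bucket name and the simplified matcher (no conditions, permission boundaries or resource-based policies, and case-insensitive matching throughout) are assumptions for the example.

```python
"""Toy model of IAM policy evaluation (constructed for this example; it is not
the real IAM engine): policies are documents of Allow/Deny statements attached
to users, groups and roles; a request is allowed only if some applicable
statement allows it and no applicable statement denies it."""
import fnmatch

# Policy documents in the same shape as real IAM JSON policies.
S3_UPLOADS_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"}]}

S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

DEVELOPER_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"},
    # Guardrail: developers may never touch IAM itself, whatever else allows it.
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

# Principals (all constructed). Policies attach to users, groups and roles alike;
# the role is the one you would assign to an EC2 instance that writes to S3.
GROUPS = {"Developers": [DEVELOPER_ACCESS], "ReadOnly": [S3_READ_ONLY]}
USERS = {"alice": {"groups": ["Developers"], "policies": []},
         "bob": {"groups": ["ReadOnly"], "policies": []}}
ROLES = {"EC2-Uploads-Writer": [S3_UPLOADS_WRITE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match. Simplification: case-insensitive for both
    actions and resources (real IAM treats resource ARNs as case-sensitive)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policies, action, resource):
    """Explicit Deny wins; otherwise any Allow wins; otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(_as_list(stmt["Action"]), action)
                    and _matches(_as_list(stmt["Resource"]), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def user_policies(username):
    """A user's effective policies: their own plus those of every group they are in."""
    user = USERS[username]
    policies = list(user["policies"])
    for group in user["groups"]:
        policies.extend(GROUPS[group])
    return policies


def user_can(username, action, resource="*"):
    return is_allowed(user_policies(username), action, resource)


def role_can(role_name, action, resource="*"):
    return is_allowed(ROLES[role_name], action, resource)


if __name__ == "__main__":
    print("alice ec2:RunInstances:", user_can("alice", "ec2:RunInstances"))
    print("alice iam:CreateUser:", user_can("alice", "iam:CreateUser"))
    print("bob s3:PutObject:", user_can("bob", "s3:PutObject", "arn:aws:s3:::app-uploads/x.png"))
    print("role s3:PutObject on another bucket:",
          role_can("EC2-Uploads-Writer", "s3:PutObject", "arn:aws:s3:::other/x.png"))
```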
2. IAM – Lab
Okay, so here we are in the AWS console, and this is a brand new AWS account that I've set up. I've never used it before. You can see I've never visited any other services before. And this is what the console looks like. You can go through and go down all these different learning pathways, and they'll teach you about specific products. Sometimes they have video tutorials, and sometimes they have labs. The labs could either be free or you could pay for them. It really depends on what you use. But if we go all the way to the top, there's something I just want to show you. In the top right-hand corner, this is where you select your region. So it's probably best if you select a region that's closest to you. But you should also be aware that not all regions have the same services. So things like Glacier might not be available in a particular region. So pick the region that's closest to you. I'm based out of London, so I'm going to use the London region. And then we'll go ahead and start, just making sure for the rest of this course that you use a region that's closest to you. If you see something that is on my screen but is not on your screen, then I would change regions. It's probably the case that there's a service that's not available in your particular region. So what we need to do to get into IAM is go up to the Services section, and we can see now that we've got a drop-down of all the different high-level services and low-level services in the AWS console. So Identity and Access Management comes under Security, Identity & Compliance. We go in here and click on IAM. You'll use IAM a lot in the real world when you're dealing with AWS. Okay, so we've gone into IAM, and the very first thing you should notice is up here. Notice how IAM doesn't have a region; it just says "Global," and that is because IAM is global. So when you create users, groups, roles, and all of that, they will be available all across the world. 
It doesn't matter what region you're in; they're universally available. And that is a subject that can come up in the exam. So, do remember that. It says "IAM users sign-in link" over here, and it gives you a URL with a number in it, of the form <number>.signin.aws.amazon.com/console. Now that number isn't random. That is actually your AWS account number. And you can get that if you ever need it by clicking on your username and then clicking on My Account. Now, that can obviously be difficult to remember. So what can you do? Well, you can customise it, so we can type in here something that we remember. So this will set up a new DNS namespace. DNS is obviously going to be unique, so if I type in acloudguru, we won't be able to get it because somebody has already taken it. So it says the alias already exists, but I'll try acloudguru2017. Hopefully, no one has taken that. I can't believe it. Somebody has already taken that. So I'll just go ahead and hit Yes, Create, and guys, don't steal 2018. I'll be mad next year. Okay, you'll notice that we have Security Status and five different items here. We've already done "Delete your root access keys," and we have four more things to do. And the very first thing is to activate multi-factor authentication on your root account. Now what is a root account? Well, your root account is simply the email address that you used to sign up with AWS. And when you log in with the root account, you have root-level access. So you could go in and provision 20 virtual machines that have huge amounts of compute and memory capacity, and it will start costing you a fortune. So the root account gives you unlimited access to do things in the cloud. Now, of course, you probably don't want all your employees in an organisation to have that level of power. You might want human resources to only be able to read files inside of S3, for example. 
So what we would normally do, and what Amazon recommends that you do, is that you only ever log into the root account once or twice, when you need to. Instead, you create users inside your AWS account, put those users into groups, and then assign permissions to those groups. So the first thing we're going to do is enable multi-factor authentication on our root account. The reason we're doing this is that in case somebody finds out our email and our password, they still won't be able to log in without the physical device. So let's go ahead and click on that and go to Manage MFA. And as you can see, there are two different types. You can have a virtual MFA device or a hardware MFA device. So we're going to go for virtual. Go ahead and hit Next. And it says to activate a virtual MFA device, you must first install an AWS MFA-compatible application onto the user's smartphone, PC, or other device. And if you click here, you can actually get a whole list of the different devices that are supported. And if we scroll all the way down, you can see virtual MFA applications. Right now, it's supported for Android, iPhone, Windows Phone, and BlackBerry. And most of the time we're using Google Authenticator. So if you've got an Android, iPhone or BlackBerry, go ahead and download Google Authenticator. If you've got a Windows Phone, go ahead and download Authenticator and install it on your phone. Once you've done that, go back to the AWS console. So come back over here, and we're going to go ahead and hit Next Step. Now, what will happen is that you'll get one of these. These are QR codes. And all you need to do is go into Google Authenticator and scan this QR code. Okay, so this is what Google Authenticator looks like on my phone. I pressed the plus sign, and you can see Scan barcode. I scan it, hold the phone up, and there we go. And now all I have to do is enter this code. So I type in the first code. 
And then I'm going to wait for the code to change, and then I'll enter the second code, and there we go. Go ahead and hit "Activate virtual MFA." And there we go. The message says the device was successfully associated. And if I just refresh this page, we should be able to see we've got our second green tick. Okay, so in here we've got our username. I'm just going to type in my name. So it's going to be Ryan. We can add other users if we want, but I'm just going to keep it quite simple. In fact, let's do two users. We'll do Ryan, and we'll do John. As you can see, it says "Select AWS access type" down here: select how these users will access AWS. Now you can access AWS in two different ways. You can access it via the management console, which is what we're in right now. And then there's also programmatic access. So this is where your applications could access AWS. You might have the command-line tools installed on your laptop or desktop, and you want to store your files in S3. That would be programmatic access. And I'll show you how to do all that later on in the course. So I'm going to say for my access type that my users want both programmatic access as well as AWS Management Console access. Now you can see, down here, it says Console Password: do you want an auto-generated password or a custom password? Just leave that as auto-generated, and then "Require password reset: users must create a new password at their next sign-in." I'm just going to leave that as is. We go Next and add permissions. And you can see here that it's saying "Set permissions for Ryan and John." And you can add users to groups, copy permissions from existing users, or attach existing policies directly. And so what I'm going to do is we're going to go in and create groups. So go ahead and hit Next. Now what is a group? Well, obviously, groups are what we mentioned earlier in the last lecture. 
So you could have a group for your finance department; you could have a group for your developers; you could have a group for your system administrators. So here, I'm going to do exactly that. I'm going to say "SystemAdmins". And in terms of the policy, the policy is a document that you attach to either users or groups. So what do I want my system administrators to be able to do? Well, I want them to be able to administrate my AWS environment. So in here we can just type "admin," and you can see it's going to give us a whole bunch of different policies. So we've got AdministratorAccess, and we've got SystemAdministrator. Now if you want to know the difference between the two, you can actually just drill down. So this is what a policy document looks like. You can see that it's in JSON format. JSON is basically key-value pairs. So we've got our Version here, followed by our Statement, and then the Effect, which is Allow, and then the Action, which is a plethora of different things. So, for example, inside CloudTrail, these people would be allowed to describe trails, and you could go through and read them all. But don't worry too much; you'll never be tested on this at this level anyway. Later on you might be tested on it in the SysOps Administrator Associate exam or even in the Security exam. So you can see the document down there. I'm going to scroll down. Let's compare it to what the document for AdministratorAccess says. AdministratorAccess here says it provides full access to AWS services and resources. AdministratorAccess is essentially the same level of access as what you have for your root account. And it's a really simple policy. It basically says Effect Allow, Action "*", Resource "*". So it's basically saying, "Yes, you're allowed to do anything in this account." 
Now of course you probably wouldn't want to give administrator access to your sysadmins, but it really depends on your organisation and whether you trust them. For argument's sake, I'm just going to do it, and go ahead and create our group. So what we need to do now is scroll down. We can go to the next step, Review, and we've created our group. Go ahead and hit "Create Users." And we've also created our users. Okay, so now we have created our users, Ryan and John, and we've applied them to our group, and you'll notice that we get a lot of different things here. So Ryan has an access key ID and a secret access key. And we can see what that is by basically clicking here. Now, this access key ID and secret access key are the tokens that you would use in order to programmatically interact with Amazon Web Services. So you can install the command-line tools on your laptop, for example, and then you can actually run commands that execute against the AWS cloud. So you could have a whole bunch of different S3 buckets show up, and you could copy files from your laptop over to S3. And that's actually how Dropbox was started. A programmer started using S3, and he decided he could design a really good storage solution. That's how Dropbox was founded. So when you do that, when you're programmatically interacting with AWS, you use your access key ID and your secret access key. When you're logging into the console, however, you're going to use your username, and you're going to use the password here. Okay? So there are two different ways to interact with AWS. Now you will only see these details once. So if you lose these details, you're going to have to regenerate the access key ID and the secret access key. You won't be able to see these ever again. Now, it's a very important point to understand that the access key ID and secret access key can only be used when you're programmatically interacting with AWS. 
You can't use this access key ID and secret access key to log into the console. And likewise, you can't use your username and password to programmatically interact with AWS. And we'll have lots more practical labs on that later on in the course. So once you've basically got these credentials, definitely download the CSV file. Go ahead and hit Close, and we can see our users. Now, John and Ryan are in a group each. They haven't ever signed in. They've got an access key ID. And this is the creation time. There's not much more we can do with these users. All we can do is add more users or delete them. So let's go ahead in here and create a new group. And we're going to put John into this group. Let's say John works in our HR department, so we'll call it HR. And then what I'm going to do in here is tell my HR users to only be able to read S3. So that's AmazonS3ReadOnlyAccess. Go ahead and hit Next, and go ahead and create the group. So what I can do now is click on the SystemAdmins group. I can remove John from this group. Go ahead and hit "Remove." And then if we go into our groups and come back here, we can go and add him to the HR group. So we go ahead and add John. Go ahead and hit "Add Users." And there we go. So now John is in HR, and if we click on Permissions, you can actually see what permissions are applied to this group. So he's only able to access S3 in a read-only capacity. Okay, so let's click on Users, and we'll go into John himself. And now you can see his different permissions. So under the Permissions section, you can see he can change his password, and then you can see he's getting this permission, AmazonS3ReadOnlyAccess, and it's an AWS managed policy attached via the group HR. So what we can do now is go and add permissions to John individually rather than adding them to a group. So let's click in here, and perhaps we want John to have Glacier access, but only him, not all members of HR. 
Maybe John is the data archivist, so it's his responsibility to archive the data off to Glacier. So go in here, basically scroll down here and go Next, and then we'll go and add permissions, and this will add permissions directly to John. So you can see here that he's got Glacier read-only access, and it's not from a group; it's just directly attached to him. So you can attach permissions to users as well as to groups. The other thing I just want to quickly show you is his security credentials. So if we go there, we've got his access key ID. Notice that you won't see his secret access key. So you only get those credentials once, which is why you download them as a CSV or email them to him. And if you want to make them inactive, you can. So now, by clicking on that, he would no longer be able to programmatically access AWS. And then you can regenerate the keys by clicking here, "Create access key." And so that has created a new access key ID and secret access key, which you can see here. And now John will be able to interact with the AWS platform using that access key ID and secret access key. Now we can scroll back up here and click on Groups. We can see that John is just a member of the HR group. And if we actually go into the HR group, we can see that the only policy attached to it is AmazonS3ReadOnlyAccess. So people in this group would not get access to Glacier. That's a policy document that's applied only to John. Now if we go back to our dashboard, we've actually created our individual IAM users and we've used groups to assign permissions. We've got one last thing that we can do, which is apply an IAM password policy. So let's go ahead and do that. And basically, this is just a password policy. So let's say our minimum password should be twelve characters. We want at least one uppercase letter and one lowercase letter. We want the password to expire every 90 days. We don't want the password to be reused. 
And then you can basically go ahead and hit "Apply password policy." And there we go. If we go back to our dashboard, we have completed five out of five, and our security status is all lit up as green. Okay, so there's one last thing I need to show you before we continue, and that's roles. And you'll need this in the EC2 section of the course, which is coming up. So let's click on Roles. And roles are basically a way to grant permissions to entities that you trust. And we'll go through this in a whole bunch of detail as we go through the course. But it could be an IAM user in another account. You could grant them a role so that they could spin up EC2 instances, for example. Or perhaps they could write to an S3 bucket. It could be application code running on EC2 that needs to perform actions on an AWS resource. This is the most common. This is what we're going to use in the EC2 section of the course. It could be an AWS service that needs to act on resources in your account to provide its features. Or it could be users from a corporate directory who use identity federation with SAML. And don't worry if that sounds scary. We're going to come to that in a bit. So what we want to do is create a role, and we're going to create a role that allows our EC2 instances to be able to write files to S3. So here you select your role type, and the role type is broken down by a whole bunch of different AWS services. So in this course, we're probably going to be using EC2 as well as Lambda. We'll click on EC2 just to begin with and then select your use case. "EC2: allows EC2 instances to call AWS services on your behalf." Then there's "EC2 Role for Simple Systems Manager," which is for EC2 instances with access to Amazon Simple Systems Manager (SSM), CloudWatch, EC2, et cetera. So don't worry about that. We're not going to use it. And this one is for Spot Fleets, and it allows EC2 Spot Fleet to request and terminate Spot Instances on your behalf. 
Don't worry about that; we're not using that either. So it's just this one that allows EC2 instances to call AWS services on your behalf. So what we're going to use this role for later on in the course is we're going to have our EC2 instances be able to store files on S3, and we'll come to it as we go. Let's go ahead and hit Next for your permissions. Now here, permissions are applied through a set of policies, and Amazon has a whole bunch of default policies. So this is the AdministratorAccess policy, and it provides full access to AWS services and resources. Now, if you gave your EC2 instance administrator access, you could then log into your EC2 instance, and you could go in and start provisioning other EC2 instances via the command line. You could create S3 buckets; you could spin up entire CloudFormation templates; et cetera. You probably don't want to give this out; that's God mode, essentially. You don't want to give your EC2 instances God mode unless there's a very good reason. So what we're going to do is just type in here "S3." And in here, you can see there are four different policies. And the one that we want is going to be AmazonS3FullAccess. So go ahead and click on that. Go ahead and hit Next. We're going to make this role name quite descriptive, so we'll just say "S3-Admin-Access", hyphenated. And then for the description we'll say, "This allows full access to S3 for EC2." The description is optional; you don't have to type that in yourself. Let's go ahead and create that role. Once that role has been created, you'll see it down here in Roles, and we're going to be able to basically apply that role to an EC2 instance when we first get into the EC2 section of the course. So now I'm going to go back to my dashboard, and now everything is green. And we've created our first role, which will allow EC2 to talk to S3, and we'll be using that role later on in the EC2 section. 
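As an added example, not code from the lecture or from AWS, here is a small Python model of what this lab just built: Ryan in the SystemAdmins group, John in the HR group with a Glacier read-only policy attached to him directly, and an EC2 role with full S3 access. The policy documents are constructed, simplified stand-ins for the AWS managed policies named in the lab (AdministratorAccess, AmazonS3ReadOnlyAccess, AmazonS3FullAccess and a Glacier read-only policy), and the `DENY_BUCKET_DELETE` customer policy is invented to show the one rule the lab does not spell out: an explicit Deny beats any Allow, and anything not allowed is denied by default. The role carries two separate documents, the trust policy (who may assume it) and the permissions policy (what it may do), which is why an EC2 instance can use it but a Lambda function cannot.

```python
"""Added example, not from the lecture or AWS: how IAM combines the policies attached
to a user, to the user's groups and to a role. The documents below are constructed,
simplified stand-ins for the AWS managed policies named in the lab."""
from fnmatch import fnmatchcase

ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
GLACIER_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["glacier:Describe*", "glacier:Get*", "glacier:List*"],
                   "Resource": "*"}],
}
# Constructed customer policy: an explicit Deny that no Allow can override.
DENY_BUCKET_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM treats '*' and '?' as wildcards in Action and Resource. Real IAM matches
    # action names case-insensitively; this model keeps the case the policy uses.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource="*"):
    """IAM evaluation over every attached policy: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise the request is denied."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _matches(action, stmt["Action"]) or not _matches(resource, stmt["Resource"]):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed directory mirroring the lab: Ryan in SystemAdmins, John in HR with
# a Glacier read-only policy attached directly to him (not to the HR group).
GROUPS = {"SystemAdmins": [ADMINISTRATOR_ACCESS], "HR": [S3_READ_ONLY]}
USERS = {
    "Ryan": {"groups": ["SystemAdmins"], "policies": []},
    "John": {"groups": ["HR"], "policies": [GLACIER_READ_ONLY]},
}

# Constructed role like the lab's S3-Admin-Access: a trust policy that lets the
# EC2 service assume it, plus the permissions policy attached to it.
S3_ADMIN_ROLE = {
    "trust": {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow",
                             "Principal": {"Service": "ec2.amazonaws.com"},
                             "Action": "sts:AssumeRole"}]},
    "policies": [S3_FULL_ACCESS],
}


def effective_policies(user):
    """Everything attached directly to the user plus everything from each of its groups."""
    docs = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        docs.extend(GROUPS[group])
    return docs


def user_can(user, action, resource="*"):
    return is_allowed(effective_policies(user), action, resource)


def service_can_assume(role, service):
    """The trust policy decides who may assume the role; permissions are separate."""
    return any(
        stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole"
        and service in _as_list(stmt["Principal"].get("Service", []))
        for stmt in role["trust"]["Statement"]
    )


def role_can(role, action, resource="*"):
    return is_allowed(role["policies"], action, resource)


if __name__ == "__main__":
    print("Ryan ec2:RunInstances ->", user_can("Ryan", "ec2:RunInstances"))  # True
    print("John s3:GetObject     ->", user_can("John", "s3:GetObject"))      # True
    print("John s3:PutObject     ->", user_can("John", "s3:PutObject"))      # False
```

Run it to see John's effective permissions as the union of his group's policy and his directly attached one, and note that appending `DENY_BUCKET_DELETE` to Ryan's policies blocks `s3:DeleteBucket` even though AdministratorAccess allows `*`.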
Of course, that's all we're going to do for the time being, because you'll need to know it in more detail later on before you take your exam. But I don't want to start scaring you by talking about how we can federate with Active Directory or how the Security Token Service works. It becomes quite complex. Let's just take it easy at this stage. And in the next section of the course, we'll move on to S3, and we'll look at how we can basically store objects in buckets now that we have started using AWS. Before that, however, I'm just going to give you a quick lab on how we can set up billing alarms so that we don't go over a specific amount of billing per month. So we'll finish that off in the next lab. It should be a very quick lab, and then we'll just summarise what we've learned in this section of the course. So if you've got the time, please join me in the next lecture. Thank you.
3. Security Token Service (STS)
So let's talk about the STS service. Basically, it grants users limited and temporary access to AWS resources. Users can come from three different sources. So first there's federation, which is typically Active Directory. This uses Security Assertion Markup Language, which is abbreviated to SAML, and it grants temporary access based on the user's Active Directory credentials. The user does not need to be a user in IAM, and it also allows single sign-on for users to log in to the AWS console without assigning IAM credentials. We then also have federation with mobile apps, so users can use their Facebook, Amazon, Google, or other OpenID providers to log in or to basically work with the AWS resources. And then we also have cross-account access, which lets users from one AWS account access resources in another. So let's just break down some of the terms, because it can sound quite complex, and I just want to put it into plain English so you understand the terms when you go in and tackle these exam questions. So federation simply means combining or joining a list of users in one domain, such as IAM, with a list of users in another domain, such as Active Directory, Facebook, LinkedIn, Google, Amazon itself, et cetera. Okay, so that's what "federation" is. You're just combining a list of users from one service with a list of users from another service. An identity broker is a service that allows you to take an identity from point A and join it, or federate it, with another identity at point B. Okay? That's what an identity broker is. And most of the time, you have to develop your own identity brokers, because they don't come out of the box, and that's a really key thing to look for in the exam. If an answer says you develop your own identity broker, and there are two answers like that, those are your two likely answers, and then you need to whittle it down from there. An identity store? Well, that's services like Active Directory, Facebook, Google, etc. 
And then identities are users of a service like Facebook, so they're end users: users of Active Directory, users of Google, et cetera. Okay, so I'm going to give you a scenario, and then we're going to go through it the way you'll see it in the exam, but let's talk about the scenario first, and we'll go through in depth how it actually works. So you're hosting a company website on some EC2 web servers in your VPC, and users of the website must log in to the site, which then authenticates against the company's Active Directory servers, which are based on site at the company's headquarters. Your VPC is connected to your company's HQ via an IPsec VPN. Once logged in, the user can only have access to their own S3 buckets. How do you go ahead and set this up? Okay, so let's have a look at this diagram. This is exactly how we would go ahead and set it up. So our enterprise reporting application is basically our web application that our employees need to access. They will then need to authenticate against Active Directory and basically be able to access the Amazon service. So we're going to break each step down, because I just want you to have a clear understanding. So step number one: the employee enters their username and password. Step number two: the application calls an identity broker, and the broker captures the username and password. Now, if you remember, an identity broker basically allows us to speak from one identity provider to another. In step three, the identity broker uses the organisation's LDAP directory to validate the employee's identity. So it's taking the username and password and checking that they're correct using LDAP. And then we're moving on to step four. Once it is correct, the identity broker calls GetFederationToken using its IAM credentials. The call must include an IAM policy and a duration, so between one and 36 hours. 
And this duration is how long the user is going to be able to connect to the AWS resources, along with a policy that specifies the permissions to be granted to the temporary security credentials. Okay, in step five, the Security Token Service then confirms that the policy of the IAM user making the call to GetFederationToken gives it permission to create new tokens, and it then returns four values to the application: an access key, a secret access key, a token, and a duration, which is basically the token's lifetime, how long that token is valid for. In step six, the identity broker returns the temporary security credentials to the reporting application. And then in step seven, the reporting application uses the temporary security credentials, including the token, to make requests to Amazon S3. In step eight, Amazon S3 uses IAM to verify the credentials and allow the requested operation on the given S3 bucket and key. And then in step nine, IAM provides S3 with the go-ahead to perform the requested operation. So those are the nine steps. And I know what you're thinking. Complete mind overload. How the hell am I going to remember those nine steps in the exam? Well, the good news is that you don't really have to. You just need to have a basic understanding of how it works, and I'm going to distil it down for you. So essentially the first step you need to take is to develop an identity broker to communicate with LDAP and Amazon's STS service. Okay? You're going to need to develop this in-house. Essentially your identity broker is going to need to take the username and password from the front end, communicate with Active Directory, and then communicate with Amazon's STS service. The identity broker always authenticates with LDAP first and then with AWS STS. Okay, so you develop an identity broker, and then just remember the order. It's always LDAP first and then Amazon STS. The application then gets temporary access to the AWS resources. 
If you remember those three steps, you'll be able to pass the exam, because that really just distils the process down. You don't have to go in there remembering all nine. Scenario two can be slightly different. So you develop an identity broker to communicate with LDAP and AWS STS. Now, instead of using user authentication, it could assume a role. So your identity broker would still always authenticate with LDAP first. But it could ask your Active Directory server, "What role is associated with this user?" Is this user a power user? Are they an administrator? And it could get a predefined role from Active Directory. The application would then authenticate with STS and assume that role. So we're using roles here rather than user credentials, and then the application uses that role to interact with S3. Okay, so I know it can seem quite complicated; just remember scenario one. So in the exam, basically, you develop an identity broker. The identity broker speaks to Active Directory first and then to Amazon STS, the Security Token Service. And then the application gets temporary access to the AWS resources. If you remember that going into the exam, you're going to fly through any exam question that talks about this in detail. Okay, guys? I hope that makes sense. If you have any questions, please let me know. If not, feel free to move on to the next lecture. Thank you.
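As an added example, not code from the lecture or from AWS, here is an offline Python simulation of scenario one: the broker checks the directory first, only then calls GetFederationToken with a scoped policy and a duration, and the returned credentials carry the four values the lecture lists (access key, secret key, token, expiration). The LDAP directory, the `FakeSTS` endpoint, the `corp-reports` bucket and the user `jdoe` are all constructed stand-ins; in a real broker the two calls are an LDAP bind and `sts:GetFederationToken`. The failure mode worth seeing is the order: a wrong password returns before STS is ever contacted, so no temporary credentials exist to leak, and the policy passed to STS confines each employee to their own prefix, which is what "the user can only have access to their own S3 buckets" means in practice.

```python
"""Added example, not from the lecture or AWS: the identity-broker flow simulated
offline. Directory, STS endpoint and credential values are constructed stand-ins."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

_SALT = b"constructed-salt"   # a real directory stores a per-user salt


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed corporate directory: username -> password hash.
DIRECTORY = {"jdoe": _hash("correct horse battery")}


def ldap_authenticate(username, password):
    """Step 3: validate the employee's credentials against the directory."""
    stored = DIRECTORY.get(username)
    candidate = _hash(password)   # hash even for unknown users so timing does not reveal them
    return stored is not None and hmac.compare_digest(stored, candidate)


def scoped_policy(username, bucket="corp-reports"):
    """Step 4: the policy handed to GetFederationToken. It confines the temporary
    credentials to the caller's own prefix, so a token issued to one employee
    cannot reach another employee's objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{username}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{username}/*"]}}},
        ],
    }


class FakeSTS:
    """Stand-in for GetFederationToken (step 5). It enforces the duration range the
    lecture gives (one to 36 hours) and returns the four values the lecture lists."""
    MIN_SECONDS, MAX_SECONDS = 3600, 36 * 3600

    def __init__(self):
        self.calls = 0   # lets a caller prove STS was never contacted

    @classmethod
    def duration_is_valid(cls, seconds):
        return cls.MIN_SECONDS <= seconds <= cls.MAX_SECONDS

    def get_federation_token(self, name, policy, duration_seconds):
        self.calls += 1
        if not self.duration_is_valid(duration_seconds):
            raise ValueError("DurationSeconds out of range")
        now = datetime.now(timezone.utc)
        return {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),   # constructed, not a real key
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(48),
            "Expiration": now + timedelta(seconds=duration_seconds),
            "FederatedUser": name,
            "Policy": policy,   # kept on the record so the S3 stub below can honour it
        }


def identity_broker(sts, username, password, duration_seconds=3600):
    """Steps 2 to 6: LDAP first, STS second. A failed directory check returns None
    and never reaches STS."""
    if not ldap_authenticate(username, password):
        return None
    return sts.get_federation_token("fed-" + username, scoped_policy(username), duration_seconds)


def s3_request_allowed(creds, bucket, key, now=None):
    """Steps 7 to 9, reduced: the token must be unexpired and the object must sit
    under a prefix that the session policy's Resource allows."""
    now = now or datetime.now(timezone.utc)
    if now >= creds["Expiration"]:
        return False
    wanted = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in creds["Policy"]["Statement"]:
        resource = stmt["Resource"]
        if "s3:GetObject" in stmt["Action"] and resource.endswith("/*") \
                and wanted.startswith(resource[:-1]):
            return True
    return False


if __name__ == "__main__":
    sts = FakeSTS()
    creds = identity_broker(sts, "jdoe", "correct horse battery")
    print("own prefix:", s3_request_allowed(creds, "corp-reports", "jdoe/q1.csv"))     # True
    print("other user:", s3_request_allowed(creds, "corp-reports", "alice/q1.csv"))    # False
    print("bad password:", identity_broker(sts, "jdoe", "wrong"), "STS calls:", sts.calls)  # None 1
```

The `calls` counter on `FakeSTS` is the check to keep in mind when reviewing a real broker: credentials must be validated against the directory before any STS call is made, and the session policy, not the broker's own IAM permissions, is what limits the employee.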