Becoming an AWS Certified Developer is a rewarding but challenging endeavor. With AWS’ vast capabilities and abundant resources, finding the right study material and a clear path to success can be daunting. AWS Certified Developer Associate Certification and Beyond is a one-stop guide that not only sets you up for success in the exam, but also lays the foundations for a fulfilling career in the world's most popular cloud infrastructure.
This in-depth guide covers everything you need to know to pass the AWS Certified Developer – Associate exam and allows you to test yourself as you go, with knowledge checks throughout the book. You will learn to configure Elastic Load Balancing for high availability, monitor your applications with CloudWatch, and integrate authentication with Amazon Cognito.
Additionally, this book grants lifetime access to online exam resources, including mock exams with exam-like timers, detailed solutions, flashcards, and invaluable exam tips, all accessible across PCs, tablets, and smartphones.
By the end, you'll be ready to ace the exam and elevate your AWS application development and management skills, positioning yourself for career advancement.
Page count: 857
Year of publication: 2024
AWS Certified Developer Associate Certification and Beyond
A comprehensive guide to help you succeed in the AWS DVA-C02 certification exam
Rajesh Daswani
Dorian Richard
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Authors: Rajesh Daswani and Dorian Richard
Reviewers: Mehdi Laruelle and Seema Pahelani
Publishing Product Manager: Anindya Sil
Development Editor: Richa Chauhan
Presentation Designer: Salma Patel
Editorial Board: Vijin Boricha, Megan Carlisle, Simon Cox, Ketan Giri, Saurabh Kadave, Alex Mazonowicz, Gandhali Raut, and Ankita Thakur
First Published: July 2024
Production Reference: 1300724
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB
ISBN: 978-1-80181-929-9
www.packtpub.com
Rajesh Daswani
Rajesh is a senior solutions architect and consultant with over 20 years of experience in core IT infrastructure services and cloud computing with a focus on both AWS and Microsoft 365 platforms. More recently, Rajesh has been delivering cloud computing training on AWS certification tracks as a corporate trainer for several clients across the UK, the USA, and India. He has also shared his expertise through in-depth published AWS courses for Packt Publishing.
In the years he has worked as an AWS trainer, Rajesh has helped thousands of IT professionals appreciate real-world applications of cloud technologies and become better equipped to facilitate clients' adoption of them. Rajesh also works closely with learning and development organizations, offering instructor-led training, curriculum design and content, extended real-world labs, and case studies to help build practical skillsets.
When Rajesh is not immersed in the world of Cloud Computing, he can be found indulging in his love for Star Trek (TNG) shows. He also enjoys experimenting with fusion dishes, showcasing his culinary skills as a food connoisseur for his family and friends.
To the memory of my father, Devkrishin, whose commitment to constant learning and development has shown me that these are the true keys to success.
To my daughter, Ryka, your bubbling enthusiasm for all that fascinates you (from Harry Potter and Percy Jackson books to K-Pop and Anime) encourages me to pursue my passion.
To my mischievous niece, Tisya, your delightful antics and artistic skills with my notes turned this book into a marathon—I finally finished it, despite your best efforts!
Dorian Richard
Dorian Richard began his career in cloud computing in 2019 at Amazon Web Services (AWS), starting in Spain before moving to France. He has worked with a diverse range of clients, from startups to large enterprises and French tech unicorns, helping them navigate and innovate in the cloud. He has also worked with automotive customers worldwide. Passionate about solving business challenges with the right technical solutions, Dorian employs a thorough "working backwards" approach to understand and address customer needs. His expertise includes overcoming technical hurdles in areas such as DevOps strategy, container cluster optimization, and developing machine learning POCs for customers interested in exploring new technologies. Currently, he is an independent consultant working as an AWS solutions architect and supports companies in the media and luxury sectors.
Moving forward, Dorian evolved in his roles, leading many advanced projects and navigating complex issues. Every step reinforced his commitment to innovation.
Hidden in every success story is the unwavering support of loved ones, and for Dorian, that support comes from his wife, Mélanie.
I would like to extend my heartfelt gratitude to my beloved wife, Mélanie Garrigues, for her unwavering support, encouragement, and patience throughout this writing journey. Her belief in me has been a constant source of motivation.
My mother, Myriam Vital, your wisdom and guidance have always been a beacon of light, helping me navigate the toughest challenges with confidence.
My father, Yves Richard, your unwavering faith in my abilities has given me the strength to push forward, even when the road seemed impassable.
My sister, Pauline Richard, your enthusiasm, support, admiration, and unwavering confidence in me have been infectious, continually inspiring me to strive for excellence.
My grandmother, Josiane Vital, your compassionate and understanding nature has provided me with the comfort and reassurance I needed to keep going.
My grandfather, Michel Vital, your pragmatic advice and grounded perspective have been instrumental in helping me stay focused and driven.
My grandmother, Josette Richard, your boundless kindness and unwavering support have been a cornerstone of encouragement throughout this journey.
My grandfather, André Richard, your entrepreneurial spirit and dedication have always set a benchmark for me, motivating me to pursue my goals with the same fervor and determination.
Your collective encouragement and understanding have been invaluable, and I could not have completed this work without your collective strength and support.
Mehdi Laruelle is a seasoned professional with a diverse background in the IT industry. With extensive experience working for major players and startups, he's honed his skills as a consultant, particularly in the realm of the AWS cloud and DevOps culture and tools. His proficiency extends to AWS and HashiCorp software like Terraform and Vault, among others. Passionate about sharing knowledge, Mehdi actively engages in training, writing articles, and organizing meetups. As the co-organizer of the HashiCorp User Group France meetup, he fosters a community of learning and collaboration. His expertise is widely recognized, earning him distinctions as a HashiCorp Ambassador, AWS Community Builder, and AWS Authorized Instructor (AAI). You can find him on GitHub under the username "mehdilaruelle".
Seema Pahelani is a seasoned Data Engineering Manager at Accenture Solutions, an innovation-driven company serving clients across over 120 countries. With 16+ years of experience, she possesses a profound passion for technology, specializing in Data Analytics, Data Visualization, and cloud computing. With 5 AWS Certifications and 2 Tableau certifications, her passion for Technology continues to fuel her professional growth as she leads Data Engineering teams that are focused on creating Data Pipelines. Outside of work, Seema enjoys spending quality time with her daughter, reading books, and exploring new places with her family. She also shares her insights on technology and more through occasional articles on LinkedIn.
You can check her posts and connect with her on LinkedIn at https://www.linkedin.com/in/seemapahelani/.
Developing and deploying applications in the cloud has become an indispensable component of modern business technology plans. As organizations embark on their digital transformation journey and migrate their applications to the cloud, the demand for skilled and certified professionals who can develop, secure, deploy, and manage cloud-based applications has grown phenomenally.
Developers are expected to possess knowledge and practice skills of various architecture design patterns—from virtual machine deployments to containers and from event-driven architectures to loosely coupled serverless solutions.
This book aims to help you pass the AWS Certified Developer Associate (DVA-C02) certification and gain invaluable practical experience that employers and clients demand. To facilitate this, the book has been designed from the ground up to focus on developing and deploying an application for a fictitious company named Todo Plus Limited. In the given scenario, the company wants to build a productivity web application that is globally accessible, highly available, scalable, and secure. It must make strategic decisions on the most effective technologies and focus on incorporating rapid deployments, reducing management overhead, and improving security, all while being cost-effective.
As you progress through this book, you will focus on developing skills that help you select the right technology for your application stack so that you can tackle a wide range of use cases. You will understand the core theoretical concepts of those technologies and, more importantly, how to configure those tools and services to host and support your application practically. Step-by-step guides are provided across project exercises in all the chapters. These will help you develop expertise in planning, configuring, and supporting the various services critical to successfully hosting and managing your application.
This book covers topics relevant to the AWS Certified Developer Associate (DVA-C02) exam, including designing your application with an emphasis on security, adopting best practices to develop loosely coupled architectures, incorporating automation and continuous integration/continuous delivery (CI/CD) DevOps principles, and more.
By the end of this study guide, you will have all the tools necessary to pass the AWS Certified Developer Associate (DVA-C02) exam and develop real-world skills in application development, security, deployment, and management.
This book is for those preparing to take the AWS Certified Developer Associate (DVA-C02) exam and who want to develop real-world skills in developing, deploying, and maintaining applications on AWS.
Chapter 1, Introduction to AWS Accounts and Global Infrastructure, introduces the fundamental security concepts for setting up and configuring an AWS multi-account architecture to facilitate application development life cycle strategies. The chapter also covers core concepts related to the AWS Global Cloud Infrastructure, which are fundamental to using AWS services and launching resources following best practices.
Chapter 2, Securing Access with AWS Identity and Access Management, focuses on developing secure access to AWS accounts following the principle of least privilege (POLP) and examines strategies for building a robust authentication and authorization solution for applications hosted on AWS.
Chapter 3, Understanding Object Storage with Amazon S3, Hybrid Storage, and Static Website Hosting, focuses on data storage with Amazon S3, with its vast array of features designed to help build highly available and scalable cloud storage solutions. The chapter also discusses the core benefits of using Amazon S3 for static website hosting—the entry point for most cloud-hosted applications.
Chapter 4, Building Private Networks in the Cloud with Amazon VPC, offers the reader a thorough understanding of how to build secure private networks in the cloud. Hosting backend services with restricted access through firewalls and traffic routing strategies is critical when designing application solutions with security in mind.
Chapter 5, Understanding AWS Compute Services with Amazon EC2 and Storage Options, discusses the fundamental concepts of virtual machine architecture and configuration options for hosting your application’s business logic. You will also learn about associated block storage and the filesystem storage services commonly used with EC2 instances.
Chapter 6, Managing Multiple Datasets with AWS Relational and Non-Relational (NoSQL) Databases, covers how hosting, managing, and manipulating data lie at the heart of every application. This chapter focuses on the wide range of database solutions you can use for your application stack, covering core concepts around security, performance, and reliability.
Chapter 7, Building Application Solutions with High Availability, Elasticity, and Data Security, focuses on building your application solution to be highly available and scalable, with reduced downtime and the flexibility to provision capacity on demand. In addition, the chapter examines the fundamentals of data security using encryption technologies for data in transit and at rest.
Chapter 8, Event-Driven Computing with AWS Lambda and Securing Access to Backend APIs with Amazon API Gateway, covers the paradigm shift from traditional server-based architecture to modern serverless solutions, incorporating event-driven solutions. The chapter introduces the core concept of creating, publishing, and managing application programming interfaces (APIs) to enhance security, drive performance, and build scalable solutions.
Chapter 9, Incorporating Edge Network Services to Connect Your Application with Amazon CloudFront and Route 53, looks at how serving a global customer base requires a thorough understanding of how to make your application accessible over low-latency connectivity to ensure an excellent end user experience. In this chapter, you will learn how to build a content delivery network with Amazon CloudFront and integrate domain name system (DNS) services to design efficient traffic routing strategies.
Chapter 10, Designing Deployment Strategies with AWS Elastic Beanstalk, shows how Elastic Beanstalk enables developers to focus on application design and development rather than worrying about the underlying heavy lifting of infrastructure. This chapter also teaches you about different deployment strategies to help ensure minimum downtime for rollouts, updates, and upgrades of your application.
Chapter 11, Deploying a Multi-Tier Application Stack with Amazon ECS, Fargate, and EKS, discusses shifting from traditional virtual machine architecture to containerized solutions for hosting your application, enabling you to bundle application code with files and libraries that can run on any infrastructure.
Chapter 12, Getting to Grips with DevOps Using AWS CI/CD Tools, focuses on developing your application following DevOps principles, enabling rapid deployment, faster issue resolution, and more stable environments through automation.
Chapter 13, Building Infrastructure Using Code with CloudFormation and Cloud Development Kit (CDK), covers how CloudFormation and CDK are designed to help the developer quickly provision underlying infrastructure that is reliable, stable, and can be repeatedly deployed across different environments through automation.
Chapter 14, Designing Serverless Applications with AWS Serverless Application Model (SAM) and AWS AppSync, shows how developers can redesign their applications using serverless concepts, thereby avoiding unnecessary costs associated with traditional IT architectures. The chapter also teaches you how to connect your application to data and events securely using GraphQL and Pub/Sub APIs.
Chapter 15, Decoupling the Application Stack and Managing Data Ingestion, discusses the strategies and technologies that can help you build microservices and loosely coupled architectures. This chapter also introduces you to data streaming services on AWS.
Chapter 16, Monitoring with Amazon CloudWatch and AWS CloudTrail, focuses on monitoring, triaging, and managing your application health and performance on AWS, enabling you to quickly resolve issues related to performance and remediate any bottlenecks.
This book is crafted to equip you with the knowledge and skills necessary to pass the AWS Certified Developer Associate certification through memorable explanations and coverage of the core topics tested on the exam. It is also designed to help you gain real-world experience in developing, deploying, and monitoring applications hosted on AWS while ensuring high levels of security. Through a real-world use case and its application using the vast array of technology services on AWS, you will gain much-needed hands-on experience demanded by employers and clients. Therefore, you must complete all project tasks and exercises in the order provided in this book, as each new project task builds on ones completed earlier. By the end of this book, you will be able to start working on real-world projects with confidence.
With this book, you will unlock unlimited access to our online exam-prep platform (Figure 0.1). This is your place to practice everything you learn in the book.
How to Access These Materials
To learn how to access the online resources, refer to Chapter 17, Accessing the Online Practice Resources, at the end of this book.
Figure 0.1 – Online exam-prep platform on a desktop device
Sharpen your knowledge of DVA-C02 concepts with multiple sets of mock exams, interactive flashcards, and practical exercises that are accessible from all modern web browsers. If you get stuck, you can raise your concerns with the author directly through the website. Before doing that, go through the list of resolved questions as well. These are based on questions asked by other users. Finally, review the exam tips on the website to ensure you are well prepared.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://packt.link/eGArV
There are some text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and X (formerly known as Twitter) handles. Here is an example: “In the development account, you must configure a role with a trust policy that identifies the trusted account (in this case, the Identities account). In this example, we named the IAM role IAM-User-S3-AccessRole.”
A block of code is as follows:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::Developer-Account-ID:role/S3AccessRole"
    }
}
Any command-line input or output is written as follows:
sam package --output-template-file packaged.yaml --s3-bucket [Your-Bucket-Name]
sam deploy --template-file packaged.yaml --stack-name [Your-Stack-Name] --capabilities CAPABILITY_IAM
The concepts covered in the exam and in this book are platform agnostic, that is, they can be executed through Windows, Mac, and Linux operating systems. The standard Linux prompt ($) has not been included in code samples as the code samples may differ depending on the platform and build.
For more information, refer to https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html.
Bold: Indicates a new term, an important word, or words you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: “These services will include compute, network, storage, databases, and Software as a Service (SaaS) products.”
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have any questions about this book, please mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you could report this to us. Please visit www.packtpub.com/support/errata and complete the form. We ensure all valid errata are promptly updated in the GitHub repository at https://packt.link/BMImP.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you could provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Rajesh Daswani: https://www.linkedin.com/in/rdcloudtech/
Dorian Richard: https://www.linkedin.com/in/dorianri/
YouTube: https://www.youtube.com/@awstraining
Once you’ve read AWS Certified Developer Associate Certification and Beyond, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below: https://packt.link/free-ebook/9781801819299
Submit your proof of purchase. That’s it! We’ll send your free PDF and other benefits to your email directly.
Cloud computing is the on-demand delivery of IT services, enabling customers to provision IT resources such as infrastructure, platform, and software components to host and manage their applications. Cloud computing offers several advantages over traditional on-premises solutions, such as access to cutting-edge technologies, elasticity and scalability, and reduced management overhead. One of the biggest advantages of moving to the cloud is the ability to trade fixed costs for variable costs – this is because customers need not purchase any infrastructure hardware and instead rent capacity on the provider’s underlying infrastructure using a pay-as-you-go model.
Amazon Web Services (AWS) is the largest provider of cloud computing services today, followed by Microsoft and Google as per the Gartner 2023 Magic Quadrant for Strategic Cloud Platform Services. AWS offers over 200 services designed to help businesses of all sizes build, design, and deploy scalable, secure, and cost-effective solutions in the cloud. Furthermore, AWS offers access to its global data centers, enabling businesses to deploy their applications closer to their customers without the need to procure and provision infrastructure in those locations. Even small start-ups can access a global customer base and fulfill compliance and regulatory requirements.
This book will teach you all the skills necessary to pass the AWS Certified Developer Associate certification and excel at typical job roles such as cloud developer, junior DevOps engineer, cloud engineer, and many more. It covers AWS architecture design patterns following industry standard best practices and helps you build proficiency in developing, deploying, and debugging cloud-based applications on AWS. This book has also been designed to help you develop real-world practical skills from the ground up. This is achieved by incorporating a scenario throughout the chapters such that, as you learn new technologies and concepts, you also develop the skills to put that knowledge to practical use using the project exercises provided.
We will start by introducing the AWS Global Infrastructure, which represents the vast collection of data center facilities located across multiple countries throughout the world, which you can access to design, build, and deploy cloud resources. You will also learn about the various tools used to help effectively manage your AWS accounts. Furthermore, you will also complete a series of exercises that will help you to apply the principles related to having a multi-account AWS architecture in real-world use cases.
This book and its accompanying online resources are designed to be a complete preparation tool for your DVA-C02 Exam.
The book is written in a way that you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, interactive flashcards, and exam tips to help you work on your exam readiness from now till your test day.
Before You Proceed
To learn how to access these resources, head over to Chapter 17, Accessing the Online Practice Resources, at the end of the book.
Figure 1.1 – Dashboard interface of the online practice resources
Here are some tips on how to make the most out of this book so that you can clear your certification and retain your knowledge beyond your exam:
Read each section thoroughly.
Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the Dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
Chapter Review Questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill - Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end.
Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
Mock Exams: Solve the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
Exam Tips: Review these from time to time to improve your exam readiness even further.
This chapter covers the following topics:
Introducing a client scenario for this study
Introduction to cloud computing and the AWS Global Infrastructure
Overview of an AWS account
When one AWS account is not enough
Accessing the AWS account using the web interface, CLI, and SDKs
Project tasks – Building a multi-account strategy for TodoPlus Limited
To help you maximize your learning experience and develop real-world skills (the primary requirement for most technical job roles), this study guide has been designed to teach you how to fulfill a set of requirements for a fictitious company called TodoPlus Limited. This study guide will teach you how to architect, build, deploy, debug, and manage cloud-based applications. You will learn application security concepts, best practices, and development and deployment strategies, all of which will be tested in the AWS Certified Developer Associate exam.
This study guide will help you understand how the cloud can address TodoPlus Limited’s needs and challenges. By delving into security, scalability, high availability, and effective financial operations (FinOps), you will learn how the cloud can provide solutions that meet these needs and offer the potential for growth and innovation. By the end of this journey, you should clearly understand how cloud computing can be leveraged to drive business success in a realistic scenario. You will also be well-equipped to pass the AWS Certified Developer Associate exam. This exam will test your knowledge of and ability to develop applications on AWS, secure application code, and apply the fundamentals of DevOps by using continuous integration and continuous delivery in your application design workflows.
TodoPlus Limited, based in New Jersey, specializes in creating custom productivity apps for small to medium-sized businesses. Their unique approach involves tailoring applications to meet the specific needs of each client. Now, they have a new goal – to develop and sell off-the-shelf (OTS) productivity apps directly to the public.
The company, which previously focused on creating apps for clients to use internally or sell to end users, wants to enter the retail market with its own line of products. The first step is launching a “To-Do List” application for individual users by the end of the year. Later, they plan to expand their offerings to businesses.
The board of directors is excited about this new venture and believes it’s a market where TodoPlus can make a significant impact.
In this study guide, you will see how the AWS cloud platform can facilitate the application’s build, design, hosting, and management for TodoPlus.
TodoPlus aims to create a task management application that’s dependable, user-friendly, and accessible to anyone at any time or place. The application must handle millions of concurrent users without compromising service quality. Additionally, given the sensitive nature of the information, security is a significant concern. Lastly, TodoPlus must be able to scale its application offering to support users globally and anticipate uptake from end users, backed by the capabilities of its in-house marketing team, all while keeping operational costs under control.
TodoPlus knows that the application will need to be hosted on a cloud platform that can offer the required levels of security, scalability, and fault tolerance and be cost-effective. Let us look at how the AWS cloud can fulfill these core underlying business requirements:
Security: Cloud providers offer a range of built-in security features, including data encryption, two-factor authentication, firewalls, and more. These features enable TodoPlus to protect its users’ sensitive data.
Scalability: The cloud provides elasticity, allowing TodoPlus to adapt to demand. If the number of application users increases, TodoPlus can scale up server capacity to meet this demand. Conversely, during periods of low demand, they can scale down resources to minimize costs.
High Availability: Cloud computing services offer high availability by replicating data and applications across multiple data centers in different regions. This means that even if one data center fails, the TodoPlus application will still be accessible to its users.
FinOps: With the cloud’s pay-as-you-go pricing model, TodoPlus only pays for the resources it uses. This allows the company to control its costs effectively. Moreover, many cloud providers offer cost analysis tools to help TodoPlus monitor and optimize their cloud resource expenses.
In summary, the cloud enables TodoPlus to create a task management application that meets its business needs regarding security, scalability, high availability, and effective financial management.
As we move to the next section, you will delve deeper into the fundamentals of cloud computing and explore the extensive capabilities of the AWS Global Infrastructure, providing a solid foundation to understand how it can be harnessed for applications such as our TodoPlus use case.
As discussed previously, cloud computing refers to on-demand access to and delivery of IT services, which customers consume over the public internet or some form of wide-area network. These services include compute, network, storage, databases, and Software as a Service (SaaS) products. Cloud computing has enabled businesses to design and deploy applications without buying expensive hardware upfront. Instead, they lease the required IT infrastructure from a third-party provider.
Of the various providers of cloud computing services, AWS is the largest, offering a wide variety of cloud IT services. These services fall into three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Businesses can consume these services rather than build their own dedicated environments to host applications. With established infrastructure across multiple countries and massive economies of scale, AWS can offer infrastructure and software services at a fraction of the cost of running them in-house, with redundancy, scalability, high availability, and security built in.
In the following section, you will learn about the AWS Global Infrastructure, which enables customers across the globe to access AWS services. Furthermore, customers in one location can consume cloud services worldwide, enabling access to a global customer base, and fulfilling any compliance or regulatory needs.
The AWS Global Infrastructure is a vast collection of data center facilities across multiple countries globally. The geographical locations where AWS hosts its data center services comprising compute, storage, and network, along with its vast array of cloud services, are known as AWS Regions. You will find the map at https://aws.amazon.com/about-aws/global-infrastructure/.
Within each AWS region are small groups of data centers that are logically and physically separated from each other by a meaningful distance, while still lying within 100 kilometers (km) (60 miles) of one another. These logically and physically separated groups of data centers are called Availability Zones (AZs). AWS designs every region with multiple AZs. Most AWS regions have at least three AZs, and some have more; for example, the North Virginia region (us-east-1) has six AZs.
In the next section, you’ll look at the core components of the AWS Global Infrastructure in more detail.
As explained earlier, AWS regions are physical locations across the globe where AWS hosts its infrastructure facilities. These comprise data centers designed to give customers access to a vast collection of infrastructure services with which they can deploy cloud resources, such as compute, network, storage, and database services. Customers can connect to any region from anywhere in the world.
Choosing a region to provision cloud resources ultimately depends on the use case of the business. Often, this will be based on multiple factors, including the following:
The requirement to host infrastructure resources closer to your end users, so that your applications can be served with reduced network latency.
The requirement to host infrastructure within political and national borders to adhere to strict data sovereignty and compliance regulations.
The requirement to isolate groups of resources from each other to facilitate disaster recovery and business continuity use cases.
Note
In the case of our fictitious client, TodoPlus, the initial offering for the application will be based in the US to fulfill compliance and regulatory requirements for storing data within the US borders. Should the product be successful, TodoPlus would be looking to expand into Europe and Asia Pacific once all necessary laws and regulatory requirements have been analyzed, and measures are taken to adhere to them.
Within each AWS region, you will find multiple AZs, each consisting of one or more discrete data center facilities. Each AZ hosts hardware components such as servers, storage, and network equipment, all fitted with redundant power, connectivity, cooling, and physical security controls.
The primary purpose of having multiple AZs in each region is to enable customers to host their applications and workloads in a manner that offers high availability, fault tolerance, and scalability. With multiple AZs, you can host copies or replica application resources across these AZs, which ultimately means that you can continue to serve your customers even if there is an outage of one AZ in the given region.
This is all possible because, although each AZ operates independently, they are still connected over high-speed, high-bandwidth, low network latency, and fully redundant, dedicated metro fiber connectivity.
Note
Concerning our company, TodoPlus, their initial choice of region to host their application will be set to the US-East-1 (North Virginia) region. This region is selected because the company will start promoting its new productivity application in local markets. However, they plan to make the application available to customers across the US and later globally.
The AWS Global Infrastructure also comprises edge locations and Regional Edge Caches. Edge locations or points of presence (POPs) offer massive amounts of storage, high-bandwidth networking equipment, and edge computing services that enable data to be accessed, processed, and analyzed closer to the end customers’ physical location.
These edge locations are connected to AWS regions through the AWS backbone network. This comprises fully redundant, multiple 100-Gigabit Ethernet (GbE) parallel fiber connections that substantially improve throughput and offer low-latency connectivity. You can review the current list and types of edge locations (POPs) at https://aws.amazon.com/cloudfront/features/.
Edge locations are different from standard regions and AZs. You cannot connect directly to a given edge location to set up resources. Instead, you consume certain AWS services that use these edge locations’ storage, caching, and high network connectivity. One service that uses these edge locations is Amazon CloudFront.
Regional Edge Caches are similar to edge locations. However, there are fewer of them, they are strategically placed, and they have a larger storage capacity, so objects stay cached there longer than in individual edge locations. Because an individual edge location holds objects for a shorter time, content that has been evicted from the edge is often still available at the Regional Edge Cache. When a requested object is not found at the edge location, CloudFront checks the Regional Edge Cache before sending the request to the origin.
Amazon CloudFront is a content delivery network (CDN) service that enables you to efficiently distribute content to end users in a manner that reduces overall latency. With CloudFront, regularly accessed content is cached in the edge location and in regional edge caches, which offer the lowest latency to end users who attempt to access your content. This means those users do not have to fetch frequently accessed content from the origin if it resides in the cache.
Note
In the case of our fictitious company, TodoPlus Limited, the application will be hosted in the N. Virginia (us-east-1) region. CloudFront can be used to cache static content such as images, videos, and user guides to reduce latency for end users as they access the application from various parts of the US and, ultimately, from across continents when our client expands its offering globally.
Edge locations can allow customers to upload data to AWS storage services such as Amazon S3 over the AWS backbone network, offering low latency and high-bandwidth throughput using a service known as S3 Transfer Acceleration (S3TA).
The AWS Global Infrastructure also comprises other infrastructure services, including the following:
Local Zones are special zones designed to bring compute, storage, database, and other select AWS services closer to end customers’ physical locations. This is particularly useful if you require very low-latency access to cloud services. For TodoPlus Limited, this will not be necessary as its customer base is geographically dispersed across the US and potentially across the globe.
Wavelength Zones are zones where AWS has deployed infrastructure services such as compute and storage within 5G network providers’ facilities to optimize mobile edge computing applications.
Direct Connect locations are designed to establish dedicated, high-bandwidth private network connections between clients’ data center facilities and the AWS cloud, so that traffic does not traverse the public internet. TodoPlus Limited may wish to set up a Direct Connect connection to the AWS cloud. This will improve data transfer speeds between on-premises applications and the cloud due to the higher bandwidth available, and give more consistent network performance than an internet-based connection.
Outposts enable true hybrid cloud computing design by extending AWS infrastructure services, APIs, and tools to customers’ on-premises locations. If TodoPlus Limited plans to continue with a hybrid cloud model, an Outposts configuration will let it run AWS services locally, allowing low-latency access to certain applications that cannot be hosted in the cloud. If it has applications that must follow strict compliance or regulatory requirements, an Outposts setup can also help, as the data stays on the Outposts hardware on premises, although the Outpost itself is managed from its parent AWS region.
This section examined the AWS Global Infrastructure and identified some of its core components. Understanding how the Global Infrastructure is architected will enable you to design applications for high availability, scalability, security, and cost-effectiveness.
In the next section, we will look at how you can access the vast array of AWS services via an AWS account as a customer.
AWS, a global public cloud provider, offers a comprehensive suite of infrastructure, platform, and software services. An AWS account is necessary to utilize these services, enabling customers to create a wide range of resources and host their applications on AWS.
Each customer needs to have a secure environment within which to create and manage IT resources; this is where the concept of an AWS account comes in. An AWS account, by its very nature, offers an isolated resource container that grants secure access to AWS services and enables customers to configure necessary resources to host their applications.
While setting up an AWS account, you must provide an email address and password. These credentials are used to create the primary owner, who has full control over the account. On AWS, this owner is called the root user. Every AWS account has its own dedicated root user. The root user can perform all account and billing-related activities and can close the account if it is no longer required. Because the root user cannot be restricted by IAM policies, protect it with multi-factor authentication (MFA), do not create access keys for it, and use it only for the few tasks that genuinely require it; day-to-day administration should be done through IAM identities with only the permissions they need. Each AWS account also provides a natural billing boundary for costs incurred in that account and is associated with a specified payment method. Overall, an AWS account offers a means to securely administer all your resources and is accessible only to you and any entity you choose to grant access to.
In the following section, you’ll discover why many companies choose to set up multiple AWS accounts for handling diverse workloads. You’ll also learn why this practice of a multi-account strategy is considered a best practice in the industry.
While hosting all your different applications, workloads, and environments in a single account is possible, this can easily become difficult to manage. Each application requires a different environment to support the various stages of its lifecycle, such as development, testing, and production. Hosting multiple environments for multiple applications in a single account is possible, but this can quickly turn complicated. This complexity arises for various reasons, including the need to ensure separation and isolation of workloads and environments for security reasons or budget and cost allocation.
Furthermore, hosting all your application workloads and environments in a single AWS account increases the risk of significant mishaps, which could wipe out all your applications and their different stages of development.
Having a separate account for development, testing, and production and one (or multiple) separate account(s) for experimental workloads makes sense. As depicted in Figure 1.2, any adverse events in the sandbox (experimental) account will not affect workloads in the other accounts.
Figure 1.2 – AWS Organization – limiting the blast radius of major disasters
AWS highly recommends adopting a multi-account strategy and provides specific services to help build and manage such multiple accounts. In the following subsection, you’ll get to understand how AWS Organizations enable the secure and efficient management of multiple AWS accounts.
You can create several AWS accounts to help you separate different workloads or application life cycles. However, you need a mechanism to secure and manage them. You also need to define policies and permissions in the form of guardrails that allow you to specify what services can be consumed in each account, what resources can be deployed, and even what regions those accounts can deploy applications in. This ensures that you adhere to strict compliance and regulatory requirements for your industry and helps you meet corporate governance and management.
The AWS Organizations service is the ultimate tool to help you effectively provision and manage multiple AWS accounts. To set up AWS Organizations, you must designate an AWS account as the management account. This account hosts the actual AWS Organizations service for your business. You can then invite existing accounts or create additional AWS accounts that will become member accounts of the organization.
You can also have multiple member accounts in your AWS organization that share similar workloads or functions. For example, you may have multiple development accounts or multiple production accounts. These logical groups of accounts often share similar security requirements as well. To manage such groups effectively, you can create organizational units (OUs), logical containers that group member accounts within the AWS organization that share common workloads. OUs can be nested inside other OUs to mirror your business structure. As depicted in the following diagram, we have three different OUs. Within each OU, you can place the relevant AWS accounts and apply policies and permissions shared by all members of that OU, as shown in Figure 1.3:
Figure 1.3 – AWS Organizations with OUs and SCPs
The number of AWS accounts required for your business is not a fixed quantity. It varies based on several factors including the functional needs of your business, the complexity of workloads, and the specific security and compliance requirements your business must adhere to. Often, you have some shared services accounts, too – for example, a separate identities account that can be used to centrally manage users (usually representing your colleagues or technical staff) and define the permissions on what they can do in your member accounts. Using a process known as cross-account access or single sign-on (SSO), discussed in Chapter 2, Securing Access with AWS Identity and Access Management, Federation, and Amazon Cognito, you will learn how these users can switch roles into other AWS accounts within your organization and carry out various job functions.
In the next subsection, we look at service control policies, a mechanism to enforce rules in how your AWS accounts are used, what services can be consumed, and even which regions you can access.
As depicted in Figure 1.3, you can apply service control policies (SCPs) that act as guardrails on what services can be consumed in each AWS account. SCPs are policy documents written in JavaScript Object Notation (JSON) format, and they enable you to define what types of resources can be deployed in your AWS accounts and what actions can be performed against those services. SCPs can also restrict which regions those accounts can provision resources in. These guardrails are designed to ensure that only approved services can be used in your AWS accounts.
Note
SCPs do not grant permissions to anyone, and they do not define what an individual user can do in your AWS account. They set the maximum permissions available to IAM users and roles in a member account: an action is possible only if it is allowed by the SCPs in effect for the account and also allowed by the principal’s own IAM permissions.
The AWS Identity and Access Management (IAM) service is then used to assign those permitted permissions to individual users and roles. We will look at the IAM service in greater detail in the next chapter.
SCPs are disabled when an organization is first created, and enabling them requires the organization to have all features enabled rather than consolidated billing only. When you enable SCPs, the AWS managed policy called FullAWSAccess is attached to the root, to every OU, and to every AWS account in the organization. Note that SCPs never restrict the management account, which is one more reason to keep workloads out of it.
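To make the OU and SCP behaviour described above concrete, here is an added example (written for this chapter, not AWS code or an AWS library) that models how the SCPs attached at the root, at each OU on the path, and at the account itself combine. The organization layout (a root, a Workloads OU, and a prod-app account) and the two guardrail policies DenyAllOutsideApprovedRegions and ProtectAuditTrailAndMembership are constructed for the example; only the aws:RequestedRegion condition key is modelled. It shows the rule that matters in practice: every level on the path must allow the call and none may deny it, so detaching FullAWSAccess from any level without a replacement silently denies everything beneath it.

```python
"""Added example: how SCPs at the root, OUs and an account combine.

Illustrative code written for this chapter, not an AWS library. The
organization layout below is constructed:
  Root -> OU "Workloads" -> account "prod-app"
A call is permitted by SCPs only if the policies attached at EVERY level on
that path allow it and none of them deny it.
"""
from fnmatch import fnmatchcase

# Default SCP that AWS attaches to the root, every OU and every account when
# SCPs are enabled for the organization.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical region guardrail for the Workloads OU: deny every call made
# outside the two approved US regions, except calls to global services.
DENY_OUTSIDE_US = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                      "route53:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "aws:RequestedRegion": ["us-east-1", "us-east-2"]}},
    }],
}

# Hypothetical account-level guardrail: even an administrator in prod-app
# cannot switch off CloudTrail or pull the account out of the organization.
PROTECT_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectAuditTrailAndMembership",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                   "organizations:LeaveOrganization"],
        "Resource": "*",
    }],
}

# Path from the root to the target account, with the SCPs attached at each level.
ORG_PATH = [
    ("Root", [FULL_AWS_ACCESS]),
    ("OU:Workloads", [FULL_AWS_ACCESS, DENY_OUTSIDE_US]),
    ("Account:prod-app", [FULL_AWS_ACCESS, PROTECT_GUARDRAILS]),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action names match case-insensitively, with '*' and '?' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, region):
    """True if the statement's Action/NotAction and region condition match the call."""
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    cond = stmt.get("Condition", {})
    wanted = _as_list(cond.get("StringEquals", {}).get("aws:RequestedRegion", []))
    if wanted and region not in wanted:
        return False
    approved = _as_list(cond.get("StringNotEquals", {}).get("aws:RequestedRegion", []))
    if approved and region in approved:
        return False  # StringNotEquals is false when the region IS in the list
    return True


def level_allows(policies, action, region):
    """One level permits the call only if some Allow matches and no Deny matches.

    A level with no matching Allow (e.g. FullAWSAccess detached and not
    replaced) permits nothing at all.
    """
    allowed = denied = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, region):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(org_path, action, region):
    """Walk root -> OUs -> account; return (permitted, level that blocked it).

    SCPs only cap what IAM may grant: a True result still needs an IAM policy
    in the account that allows the action. The management account is never
    restricted by SCPs, which is why it should carry no workloads.
    """
    for level_name, policies in org_path:
        if not level_allows(policies, action, region):
            return False, level_name
    return True, None


if __name__ == "__main__":
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateUser", "eu-west-1"),
                           ("cloudtrail:StopLogging", "us-east-1")]:
        ok, blocked_by = scp_permits(ORG_PATH, action, region)
        print(f"{action:<24} {region:<10} -> {'allowed' if ok else 'denied at ' + blocked_by}")
```

Running the module walks four sample calls through the path: launching an EC2 instance in us-east-1 passes, the same call in eu-west-1 is stopped at the Workloads OU, iam:CreateUser passes because IAM is exempted as a global service, and cloudtrail:StopLogging is stopped at the account level regardless of region. Pass an empty policy list for a level to see why FullAWSAccess must always be replaced rather than simply removed.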
Note