AWS Certified SysOps Administrator Study Guide - Jorge T. Negron - E-Book

AWS Certified SysOps Administrator Study Guide E-Book

Jorge T. Negron

Description

Prepare for success on the AWS SysOps exam, your next job interview, and in the field with this handy and practical guide.

The newly updated Third Edition of AWS Certified SysOps Administrator Study Guide: Associate (SOA-C02) Exam prepares you for the Amazon Web Services SysOps Administrator certification and a career in the deployment, management, and operation of an AWS environment. Whether you're preparing for your first attempt at the challenging SOA-C02 Exam, or you want to upgrade your AWS SysOps skills, this practical Study Guide delivers the hands-on skills and best practices instruction you need to succeed on the test and in the field. You'll get:

* Coverage of all of the SOA-C02 exam's domains, including monitoring, logging, remediation, reliability, business continuity, and more
* Instruction that's tailor-made to achieve success on the certification exam, in an AWS SysOps job interview, and in your next role as a SysOps administrator
* Access to the Sybex online study tools, with chapter review questions, full-length practice exams, hundreds of electronic flashcards, and a glossary of key terms

The AWS Certified SysOps Administrator Study Guide: Associate (SOA-C02) Exam includes all the digital and offline tools you need to supercharge your career as an AWS Certified SysOps Administrator.


Page count: 967

Year of publication: 2024




Table of Contents

Cover

Table of Contents

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editor

Introduction

What Does This Book Cover?

Interactive Online Learning Environment and Test Bank

Exam Objectives

Objective Map

How to Contact the Publisher

Assessment Test

Answers to Assessment Test

Chapter 1: AWS Fundamentals

Getting Started 1

The AWS Shared Responsibility Model

General Root Account Best Practices

The AWS Global Infrastructure

The AWS Command-Line Interface

The AWS Health API and Dashboards

Pricing

Summary

Exam Essentials

Hands-On Exercises

Review Questions

Chapter 2: Account Creation, Security, and Compliance

Shared Responsibility

Compliance

IAM

AWS Organizations and Control Tower

AWS Directory Service

AWS License Manager

Summary

Exam Essentials

Review Questions

Chapter 3: AWS Cost Management

AWS Cost and Usage Reports

AWS Cost Explorer

Savings Plans

AWS Budgets

Managing Costs with Managed Services

Amazon EC2 Spot Instances and Cost Optimization

Summary

Exam Essentials

Review Questions

Chapter 4: Automated Security Services and Compliance

Review Reports, Findings, and Checks

Data Protection Strategies

Network Protection Strategies

Summary

Exam Essentials

Review Questions

Chapter 5: Compute

The Hypervisor

Amazon Machine Image (AMI)

Amazon EC2

Amazon EC2 Image Builder

Compute Optimizer

Elastic Load Balancing

Auto Scaling

AWS Application Auto Scaling

AWS Lambda

Summary

Exam Essentials

Review Questions

Chapter 6: Storage, Migration, and Transfer

Storage vs. Migration

Amazon Simple Storage Service (S3)

Amazon S3 Glacier

Amazon Elastic Block Store

Amazon Elastic File System

Amazon FSx

Migration and Transfer

AWS Backup

AWS Storage Gateway

AWS DataSync

AWS Transfer Family

Summary

Exam Essentials

Review Questions

Chapter 7: Databases

Amazon Relational Database Service

Amazon ElastiCache

Summary

Exam Essentials

Review Questions

Chapter 8: Monitoring, Logging, and Remediation

Amazon CloudWatch

Monitoring on AWS

Basic CloudWatch Terms and Concepts

Monitoring Compute

Monitoring Storage

CloudWatch Alarms

CloudWatch Events

Exercises

AWS CloudTrail

API Logs Are Trails of Data

CloudTrail as a Monitoring Tool

Exercises

AWS Config

AWS Systems Manager

Exercises

Summary

Exam Essentials

Review Questions

Chapter 9: Networking

Networking

Troubleshooting

VPC IP Address Manager

Hubs, Spokes, and Bastion Hosts

Connecting to the Internet

Connecting to Networks and Services

VPC Peering

Bastion Hosts

Monitoring VPC Traffic

AWS Client VPN

VPC Endpoints

AWS Transit Gateway

Cloud WAN

Summary

Exam Essentials

Review Questions

Chapter 10: Content Delivery

Domain Name System

Amazon Route 53

Route 53 Health Checks

Routing Policies

Route 53 Traffic Flow

Route 53 Guided Exercise

Amazon CloudFront

Edge Locations

The CloudFront Cache Process

Restricting Access to S3 (OAI vs. OAC)

CloudFront Functions

CloudFront Guided Exercise

AWS Global Accelerator

Pricing

Summary

Exam Essentials

Review Questions

Chapter 11: Deployment, Provisioning, and Automation

Elastic Beanstalk

Elastic Beanstalk Extensions

AWS CloudFormation

Amazon SQS

Amazon SNS

Amazon Kinesis Services

Step Functions

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 CLI command actions and syntax

TABLE 1.2 Amazon S3 command summary

TABLE 1.3 Amazon EC2 command summary

Chapter 4

TABLE 4.1 Managed insights in AWS Security Hub and their grouping attribute...

TABLE 4.2 AWS Config resource types required per Firewall Manager policy typ...

Chapter 5

TABLE 5.1 Differences between instance stores and EBS

TABLE 5.2 Application Auto Scaling commands

Chapter 7

TABLE 7.1 Capabilities comparison of Redis vs. Memcached

TABLE 7.2 Redis cluster modes

Chapter 9

TABLE 9.1 Security groups compared to ACLs

TABLE 9.2 Example route table

TABLE 9.3 Gateway endpoints compared to interface endpoints

List of Illustrations

Chapter 1

FIGURE 1.1 AWS leads cloud market share (Q2 2023).

FIGURE 1.2 Menu Items of the AWS Console.

FIGURE 1.3 Service Quotas console panel

Chapter 2

FIGURE 2.1 Roles in the shared Responsibility Model

FIGURE 2.2 SQL Server permissions stack

FIGURE 2.3 RDS permissions stack

FIGURE 2.4 IAM request context

FIGURE 2.5 Resource vs. identity policies

FIGURE 2.6 Permissions evaluation

FIGURE 2.7 Change password policy

FIGURE 2.8 IAM Set Password Policy

FIGURE 2.9 Policy and boundary effective permissions Venn diagram

FIGURE 2.10 Manage MFA Device dialog

FIGURE 2.11 MFA browser request to see make and model of security key

FIGURE 2.12 Sign-in credentials with MFA enabled

FIGURE 2.13 Remove or resync MFA key

FIGURE 2.14 Step 1: Select Trusted Entity

FIGURE 2.15 Step 2: Add Permissions

FIGURE 2.16 SSO setup steps

FIGURE 2.17 SSO change access portal URL

FIGURE 2.18 Access Analyzer scan

FIGURE 2.19 Access Analyzer finding

FIGURE 2.20 Access Analyzer Create Analyzer

FIGURE 2.21 Basic AWS Control Tower architecture

FIGURE 2.22 AWS Organizations

FIGURE 2.23 Organizations—Moving an account

FIGURE 2.24 Guardrails

FIGURE 2.25 Control Tower Guardrail list

FIGURE 2.26 Enable Guardrail On OU

FIGURE 2.27 Control Tower Governed regions

FIGURE 2.28 Directory Services architecture

FIGURE 2.29 AWS licensing

FIGURE 2.30 License Manager customer-managed licenses

FIGURE 2.31 License Manager IAM permissions one-time setup

Chapter 3

FIGURE 3.1 The AWS Management Console Cost & Usage Reports dashboard

Chapter 4

FIGURE 4.1 GuardDuty sample findings

FIGURE 4.2 AWS KMS envelope encryption process

FIGURE 4.3 PEM-encoded certificate

FIGURE 4.4 Example web application DDoS-resilient architecture

FIGURE 4.5 Example TCP and UDP DDoS-resilient architecture

FIGURE 4.6 Sample AWS WAF architecture with and without CloudFront

Chapter 5

FIGURE 5.1 EC2 instance life cycle

FIGURE 5.2 Creating AMI

FIGURE 5.3 Create Image window

FIGURE 5.4 ELB Classic Migration tab

FIGURE 5.5 NLB integrations

FIGURE 5.6 Application load balancer

FIGURE 5.7 ALB integrations

FIGURE 5.8 The Auto Scaling triad

FIGURE 5.9 Auto Scaling

FIGURE 5.10 Auto Scaling availability vs. cost

FIGURE 5.11 Predictive scaling policy

FIGURE 5.12 DynamoDB configure RW capacity

FIGURE 5.13 RDS Aurora Add Replica Auto Scaling

FIGURE 5.14 RDS Aurora Add Auto Scaling Policy

FIGURE 5.15 Lambda Service Quotas page

FIGURE 5.16 Lambda Service Quotas Concurrent Executions

FIGURE 5.17 Lambda CloudWatch log

Chapter 6

FIGURE 6.1 Amazon S3 multipart upload process

FIGURE 6.2 Redundant Amazon EFS architecture

FIGURE 6.3 AWS Storage Gateway File Gateway architecture

Chapter 7

FIGURE 7.1 Database managed service

FIGURE 7.2 Database snapshot retention setting

FIGURE 7.3 Create Read Replica

FIGURE 7.4 Promote read replica

FIGURE 7.5 Simple Redis cache architecture

FIGURE 7.6 Redis cluster shard node

Chapter 8

FIGURE 8.1 The Amazon CloudWatch console gives you easy access to alarms, ev...

FIGURE 8.2 The overview page houses default metrics as well as a CloudWatch-...

FIGURE 8.3 The free AWS CloudTrail monitoring capture, store, act, and revie...

FIGURE 8.4 You can apply a trail to all accounts in an entire organization....

FIGURE 8.5 CloudTrail Management events, read/write

FIGURE 8.6 You can choose to log read activities, write activities, or both ...

FIGURE 8.7 You can choose to log activity for one or more AWS Lambda data ev...

FIGURE 8.8 You can choose to log activity for one or more DynamoDB data even...

FIGURE 8.9 AWS Config comes with a number of prebuilt rules.

FIGURE 8.10 AWS Config Evaluation Mode window

FIGURE 8.11 The AWS Systems Manager Console is where you will configure the ...

FIGURE 8.12 The Inventory screen in AWS Systems Manager provides insights in...

FIGURE 8.13 You can remotely administer your EC2 instances from AWS Session ...

Chapter 9

FIGURE 9.1 VPC layers

FIGURE 9.2 Home NAT

FIGURE 9.3 NAT gateway

FIGURE 9.4 Sample IPAM structure

FIGURE 9.5 IPAM discovery

FIGURE 9.6 Allocating an IPAM CIDR

FIGURE 9.7 Adding a route to an Internet gateway

FIGURE 9.8 Nontransitive VPC peering

FIGURE 9.9 A VPC peering request

FIGURE 9.10 Create Peering Connection

FIGURE 9.11 Accept Request

FIGURE 9.12 Editing the peering connection route tables

FIGURE 9.13 Create Flow Log

FIGURE 9.14 VPC flow log example

FIGURE 9.15 Enabling ELB flow logs

FIGURE 9.16 Client VPN

FIGURE 9.17 Connecting to a service without an endpoint

FIGURE 9.18 Connecting to a Marketplace service with an endpoint

FIGURE 9.19 AWS Transit Gateway connections

Chapter 10

FIGURE 10.1 The main console for Route 53 makes it simple to choose what you...

FIGURE 10.2 The main console for Amazon Route 53 to create a record in a hos...


AWS® Certified SysOps Administrator Study Guide

Associate (SOA-C02) Exam

Third Edition

 

 

Jorge T. Negrón

Christoffer Jones

George Sawyer

 

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781119813101 (paperback), 9781119813125 (ePDF), 9781119813118 (ePub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon.com, Inc. or its affiliates. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2023951082

Cover image: ©Getty Images Inc./Jeremy Woodhouse

Cover design: Wiley

 

To my family, friends, and teammates at AWS, Cloud Academy, and John Wiley, for without your support, encouragement, and remarkable patience nothing worth sharing would have been possible.

— Jorge Tadeo Negrón De Jesús

To my wonderfully supportive friends and family, thank you for unconditionally believing in me.

— Christoffer Jones

First and foremost, I thank God for the opportunities, trials, and triumphs which have brought me to where I am. To my parents, George and Janice Sawyer, and my wife, Mandi Sawyer, thank you for your unwavering support and encouragement.

— George Sawyer

Acknowledgments

I'd like to give special thanks to our editors and leaders Tom Dinse and Kenyon Brown for the trust, inspiration, and patience with the entire process of book writing and publishing with a group of first-time authors. Also, to my friends and co-authors Chris Jones and George Sawyer, who came to my rescue with complete and sincere support when I needed it most: thank you!

My heart goes to my family who endured a significant amount of time without my company for birthdays, holidays, and celebrations while we pursued the best results possible. To Ada De Jesús, Tato, Iván, Mayra, Taileen, Aidia, and Tadeo Negrón, thank you for always being there for me in person and spirit. You are loved!

— Jorge T. Negrón

I'd like to give special thanks to Jorge Negrón, who from the very first day we met, believed that I was something special. I'm eternally grateful for your positive attitude, warm personality, and humble friendship over the years. I knew from the first mention that you wanted to write this book that we would be in this together, and for that, I couldn't be prouder.

I would also like to thank Tom Dinse, our development editor, for spending the time to graciously answer all my questions and for staying truly positive and enthusiastic about the publishing process. You are a credit to the industry, and I could not have been successful without your knowledge and kindness.

A heartfelt thanks to all my wonderful and supportive family and friends. You are such a big part of my life and have always supported my endeavors, no matter how stressing. This includes my close friends Potato, Mark, Dunlop, and my amazingly patient wife, Erin. You each have influenced my life in continually positive ways and for that, I am eternally thankful.

— Christoffer Jones

First, I wish to acknowledge and thank my co-authors, Jorge Negrón and Christoffer Jones, for bringing their exceptional expertise and talents to this project. Of course, authors do only part of the work and I want to express my deep appreciation for the tireless and patient work of the editors and staff at Wiley.

I have been blessed to learn from and work with many great technical trainers in my career. All of these have left an impact on me, and I owe them all a great debt of gratitude. Ultimately, as a teacher, I would be nothing without my students. It has been my students who have taught me and continue to inspire me.

— George J. Sawyer, III

About the Authors

Jorge T. Negrón is part of Cloud Academy's AWS Subject Matter Expert team as well as an official AWS Community Builder based in Atlanta, Georgia. He spends his time building courses, writing blogs, and recording podcasts while helping customers learn and improve their skills in AWS-related technologies.

He was born and raised in Carolina, Puerto Rico, and has traveled the world, enabling customers and partners to gain intimate knowledge of cloud computing skills and development. His passion is in education, training delivery, and contributing to the next generation workforce with cloud computing and machine learning literacy.

In his spare time, you can find him getting tossed around in a Gracie Jiu Jitsu mat or learning the latest magic or mentalism performance from passionate, dedicated, and world-class practitioners.

You can reach Jorge through LinkedIn: www.linkedin.com/in/jorgetadeonegrondejesus.

Christoffer Jones is a Principal Delivery Practice Manager for AWS Professional Services based out of Dallas, Texas. Chris has spent the last six years focusing on increasing their AWS skills and sharing their passion of IT operations with customers and students. Chris is also a passionate and dedicated educator who shares knowledge from their prior 18 years of IT operations, networking, and architectural experience.

Chris holds a master's degree from Davenport University in Technology Management and holds the following credentials: AWS Certified DevOps Professional, AWS Certified Solutions Architect Associate, AWS Certified SysOps Administrator Associate, AWS Certified Developer Associate, and AWS Certified Security Specialty.

Chris continues to write about AWS certifications and cloud technologies. You can reach Chris through LinkedIn: www.linkedin.com/in/christofferjones.

George Sawyer has been bringing high tech down to Earth for over 20 years as an instructor and learning strategist. George was an early champion of cloud computing and has served as a senior technical trainer with AWS. He is currently writing his dissertation toward a doctorate in education, holds various technical certifications, and is an active AWS Authorized Instructor (AAI).

You can connect with George via LinkedIn at www.linkedin.com/in/georgesawyer.

About the Technical Editor

Todd Montgomery has been in the networking industry for over 40 years. Todd holds many AWS, CompTIA, Cisco and Juniper certifications. Todd has spent most of his career in the field working on-site in data centers throughout North America and around the world. He has worked on the advanced networks of equipment manufacturers, systems integrators, and end users in the Data Center and cloud computing environments of private sector, service provider and government sectors. Todd currently works as a data center network automation Engineer in Austin, Texas. He is involved in network implementation and support of emerging data center technologies and AWS public cloud services. Todd lives in Austin, Texas and in his free time enjoys auto racing, travelling, general aviation, and Austin's live music venues. He can be reached at [email protected].

Introduction

The rate of cloud computing adoption continues to rise, as it has for several years. Technology companies and startups often embrace the cloud early, while heavily regulated industries like healthcare and finance may have a slower adoption process due to security and compliance considerations. This all results in a demand for cloud systems’ operators to deploy, monitor, scale, and run the day-to-day operations of a cloud implementation.

This rate of adoption represents an opportunity for systems operators to add to their existing toolset a suite of cloud computing best practices. The best practices put forward by the well-architected framework are intended to allow you to accomplish an implementation that leverages the best and most practical intelligence available. This results in scalable, resilient, highly available, and operationally excellent workloads.

This certification of systems operations for AWS Cloud systems is intended to make sure you understand the variety of critical services that are focused on operations, monitoring, security, and networking. You can dig into the documentation since it's already available online. However, aggregating the reading list from documentation and whitepapers can add up very fast and consume a large amount of time.

We wrote this book so that you don't have to do that aggregation. The idea is to present you with a comprehensive set of services, configurations, and features that are typically in daily use during systems operations. Our hope is that this book saves you time and helps you successfully complete the certifications. We speak from experience; using Wiley cert prep books is how we gained certification our very first time a few years ago. We sincerely hope it does the same for you. Thank you for picking it up.

What Does This Book Cover?

This book covers the topics you need to understand as you prepare to take the AWS Certified SysOps Administrator – Associate exam. The topics that we cover in this book include the following:

Chapter 1, “AWS Fundamentals”: The first part of the book starts with the foundational topics that you need to know and understand before you dig into the rest of the book content. These topics include account creation, using the management console, using the command-line interface (CLI), and the Personal Health dashboard. This is basically a review of concepts that should be familiar to you already.

Chapter 2, “Account Creation, Security, and Compliance”: The second chapter covers identity and access management, Access Analyzer, AWS Organizations, AWS Directory Service, AWS Control Tower, and AWS License Management. This chapter concentrates on account creation and the different modalities to implement authentication and authorization for users and administrators. Some of the tasks covered in this chapter are:

Implementing IAM features (for example, password policies, multifactor authentication [MFA], roles, SAML, federated identity, resource policies, policy conditions)

Troubleshooting and auditing access issues by using AWS services (for example, CloudTrail, IAM Access Analyzer, IAM policy simulator)

Validating service control policies (SCPs) and permissions boundaries

Reviewing AWS Trusted Advisor security checks

Validating AWS region and service selections based on compliance requirements

Implementing secure multi-account strategies (for example, AWS Control Tower, AWS Organizations)

Chapter 3, “AWS Cost Management”: In the third chapter of this book, the focus shifts to cost analysis and management. The cost and usage report, AWS Cost Explorer, Savings Plan, and Budgets are discussed to give you the tools to manage your costs effectively. Some of the tasks covered in this chapter are:

Implementing cost allocation tags

Identifying and remediating underutilized or unused resources by using AWS services and tools (for example, Trusted Advisor, AWS Compute Optimizer, AWS Cost Explorer)

Configuring AWS Budgets and billing alarms

Assessing resource usage patterns to qualify workloads for EC2 Spot Instances

Identifying opportunities to use managed services (for example, Amazon RDS, AWS Fargate, Amazon EFS)

Recommending compute resources based on performance metrics

Monitoring Amazon Elastic Block Store (Amazon EBS) metrics and modifying configuration to increase performance efficiency

Implementing S3 performance features (for example, S3 Transfer Acceleration, multipart uploads)

Monitoring RDS metrics and modifying the configuration to increase performance efficiency (e.g., Performance Insights, RDS Proxy)

Enabling enhanced EC2 capabilities (e.g., Elastic Network Adapter, instance store, placement groups)

Chapter 4, “Automated Security Services and Compliance”: The fourth chapter of the book introduces the variety of services that are available. When you activate a service in your account and region, the service operates almost automatically for the protections it provides. Services include Amazon Inspector for EC2s, AWS Security Hub, Amazon GuardDuty, Amazon Detective, Amazon Macie, AWS Shield, AWS WAF, AWS Firewall Manager, AWS Key Management Service, AWS Secrets Manager, and AWS Certificate Manager. Some of the tasks covered in this chapter are:

Enforcing a data classification scheme

Creating, managing, and protecting encryption keys

Implementing encryption at rest (e.g., AWS Key Management Service [AWS KMS])

Implementing encryption in transit (e.g., AWS Certificate Manager [ACM], VPN)

Securely storing secrets by using AWS services (e.g., AWS Secrets Manager, Systems Manager Parameter Store)

Reviewing reports or findings (e.g., AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Inspector)

Chapter 5, “Compute”: In the fifth chapter we discuss compute services. One of the most common questions here is whether containers are included. As of this writing, Amazon Elastic Container Service and Registry (ECS and ECR) and Amazon Lightsail are “out of scope” for this exam. We cover Amazon Machine Images (AMIs), Amazon EC2, Amazon EC2 Image Builder, Elastic Load Balancers, Auto Scaling, and AWS Lambda. Some of the tasks covered in this chapter are:

Configuring Elastic Load Balancing (ELB) and Amazon Route 53 health checks

Differentiating between the use of a single availability zone and multi-AZ deployments (e.g., Amazon EC2 Auto Scaling groups, ELB, Amazon FSx, Amazon RDS)

Implementing fault-tolerant workloads (e.g., Amazon Elastic File System [Amazon EFS], Elastic IP addresses)

Chapter 6, “Storage, Migration, and Transfer”: As its title suggests, in Chapter 6 we cover storage, migration, and transfer services like Amazon S3, Amazon S3 Glacier, Elastic Block Store, Elastic File System, Amazon FSx, AWS Backup, AWS Storage Gateway, AWS DataSync, and the Snowball AWS transfer family of devices. Some of the tasks covered in this chapter are:

Automating snapshots and backups based on use cases (e.g., RDS snapshots, AWS Backup, RTO and RPO, Amazon Data Lifecycle Manager, retention policy)

Restoring databases (e.g., point-in-time restore, promote read replica)

Implementing versioning and life cycle rules

Configuring Amazon S3 Cross-Region Replication (CRR)

Performing disaster recovery procedures

Chapter 7, “Databases”: It is important to understand all AWS databases in terms of their name and what function they provide, and, more importantly, in which situations to use them. This chapter concentrates on the implementation and operation of Amazon RDS, including Aurora. This should provide a sign that Amazon RDS is a service that needs to be understood well for the exam. It's also important to understand how to use ElastiCache, the engines it supports, and the types of caching process that can be implemented. Some of the tasks covered in this chapter are:

Implementing caching

Implementing Amazon RDS replicas and Amazon Aurora replicas

Differentiating between horizontal scaling and vertical scaling

Chapter 8, “Monitoring, Logging, and Remediation”: This is probably the main chapter of the study guide as it contains the material that has the highest percentage of coverage in the exam. In this chapter we discuss Amazon CloudWatch as a service to monitor AWS and third-party tools; Amazon CloudWatch Logs, for the aggregation and processing of log streams; and Amazon CloudWatch Events (also known as Amazon EventBridge), AWS CloudTrail, AWS Config, and AWS Systems Manager as some of the services allowing for scalable deployments and operations. Some of the tasks covered in this chapter are:

Identifying, collecting, analyzing, and exporting logs (e.g., Amazon CloudWatch Logs, CloudWatch Logs Insights, AWS CloudTrail logs)

Collecting metrics and logs by using the CloudWatch agent

Creating CloudWatch alarms

Creating metric filters

Creating CloudWatch dashboards

Configuring notifications (e.g., Amazon Simple Notification Service [Amazon SNS], CloudWatch alarms, AWS Health events)

Troubleshooting or taking corrective actions based on notifications and alarms

Configuring Amazon EventBridge rules to invoke actions

Using AWS Systems Manager Automation runbooks to take action based on AWS Config rules

Chapter 9, “Networking”: In Chapter 9 we discuss Amazon VPC and different possible deployments, including traffic mirroring and the AWS transit gateway as a way to interconnect multiple network components. Some of the tasks covered in this chapter are:

Configuring a VPC (e.g., subnets, route tables, network ACLs, security groups, NAT gateway, Internet gateway)

Configuring private connectivity (e.g., Systems Manager Session Manager, VPC endpoints, VPC peering, VPN)

Chapter 10, “Content Delivery”: Chapter 10 could easily have been called “edge services” because the services discussed all use the edge locations of the AWS global infrastructure. We discuss Route 53 and the different routing policies, how to provide private DNS, how to distribute content using Amazon CloudFront, origins, and behaviors. Finally, we discuss AWS Global Accelerator as an alternative to CloudFront to accelerate application response time instead of content distribution. Some of the tasks covered in this chapter are:

Configuring notifications (e.g., Amazon Simple Notification Service [Amazon SNS])

Implementing loosely coupled architectures

Implementing Route 53 routing policies (e.g., failover, weighted, latency based)

Chapter 11, “Deployment, Provisioning, and Automation”: Chapter 11 (the last chapter) covers a set of messaging services starting with Amazon SQS, Amazon SNS, and Kinesis Data Streams. We also discuss deployment automation using Elastic Beanstalk and, more importantly, CloudFormation. Some of the tasks covered in this chapter are:

Creating, managing, and troubleshooting AWS CloudFormation

Provisioning resources across multiple AWS regions and accounts (e.g., CloudFormation StackSets, IAM cross-account roles)

Selecting deployment scenarios and services (e.g., all-at-once, rolling, immutable, and Blue)

Identifying and remediating deployment issues (e.g., service quotas, subnet sizing, CloudFormation errors, permissions)

Using AWS services (e.g., Systems Manager, CloudFormation) to automate deployment processes

Implementing automated patch management

Scheduling automated tasks by using AWS services (e.g., EventBridge, AWS Config)

Interactive Online Learning Environment and Test Bank

Tools have been developed to aid you in studying for the Amazon Certified SysOps Administrator – Associate exam. These tools are all available for no additional charge here:

www.wiley.com/go/sybextestprep

Just register your book to gain access to the electronic resources that are listed here.

Practice Exams:

Two 60-question practice exams are available to test your knowledge. These questions are different from the review questions at the end of each chapter.

Flashcards:

One-hundred flashcards are available for you to test your knowledge of AWS terms and concepts. If you don't get them correct the first time through, try again! These are designed to reinforce the concepts you have learned throughout the book.

Glossary:

Throughout the book, you'll see italicized words that are important key terms. A glossary of these key terms with their definitions is provided. The best part about the glossary is that it's searchable!

 Like all exams, the Certified SysOps Administrator certification from AWS is updated periodically and may eventually be retired or replaced. At some point after [vendor] is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.

Exam Objectives

The AWS Certified SysOps Administrator – Associate (SOA-C02) exam is intended for system administrators in a cloud operations role. The exam validates a candidate's ability to deploy, manage, and operate workloads on AWS.

As a general rule, before you take this exam, you should have:

1–2 years of experience as a system administrator in an operations role

Experience in monitoring, logging, and troubleshooting

Knowledge of networking concepts (e.g., DNS, TCP/IP, firewalls)

Ability to implement architectural requirements (e.g., high availability, performance, capacity)

Understanding of the AWS Well-Architected Framework

Hands-on experience with the AWS Management Console and the AWS CLI

Hands-on experience in implementing security controls and compliance requirements

The exam has the following content domains and weightings:

Domain 1: Monitoring, Logging, and Remediation (20% of scored content)

Domain 2: Reliability and Business Continuity (16% of scored content)

Domain 3: Deployment, Provisioning, and Automation (18% of scored content)

Domain 4: Security and Compliance (16% of scored content)

Domain 5: Networking and Content Delivery (18% of scored content)

Domain 6: Cost and Performance Optimization (12% of scored content)

Notice that Domain 1, “Monitoring, Logging, and Remediation,” has the highest percentage, indicating that this is the type of task considered most essential for a systems operator. Also notice that the percentages of the other domains are close to each other. This is one certification where you are required to know the service, the parts of the service, and how to configure the parts to connect to your application or to other AWS services. Experience is essential. Give yourself the chance to do the exercises.

When you register for the exam, you have the choice to either sit for the exam from home or in a Pearson Vue testing center. The details for sitting for the exam from home and searching for a testing center are included in the registration process. As of this writing, the cost for the associate exam is $150 USD. The questions will be in either a multiple-choice or a multiple-answer format. You have 130 minutes to finish 65 questions in the exam.

Objective Map

This table provides you with a listing of each domain on the exam, the weights assigned to each domain, and a listing of the chapters where content in the domains is located. Chapter 1 is included as a refresher and is not specifically tied to exam domains.

| Domain | Exam percentage | Chapter number(s) |
|---|---|---|
| Domain 1: Monitoring, Logging, and Remediation | 20% | |
| 1.1: Implement metrics, alarms, and filters by using AWS monitoring and logging services. | | 8 |
| 1.2: Remediate issues based on monitoring and availability metrics. | | 8 |
| Domain 2: Reliability and Business Continuity | 16% | |
| 2.1: Implement scalability and elasticity. | | 6, 7 |
| 2.2: Implement highly available and resilient environments. | | 6 |
| 2.3: Implement backup and restore strategies. | | 6, 7 |
| Domain 3: Deployment, Provisioning, and Automation | 18% | |
| 3.1: Provision and maintain cloud resources. | | 5, 11 |
| 3.2: Automate manual or repeatable processes. | | 11 |
| Domain 4: Security and Compliance | 16% | |
| 4.1: Implement and manage security and compliance policies. | | 2, 4 |
| 4.2: Implement data and infrastructure protection strategies. | | 4 |
| Domain 5: Networking and Content Delivery | 18% | |
| 5.1: Implement networking features and connectivity. | | 4, 9 |
| 5.2: Configure domains, DNS services, and content delivery. | | 6, 10 |
| 5.3: Troubleshoot network connectivity issues. | | 4, 9, 10 |
| Domain 6: Cost and Performance Optimization | 12% | |
| 6.1: Implement cost optimization strategies. | | 3, 5, 7 |
| 6.2: Implement performance optimization strategies. | | 5, 6, 7 |

How to Contact the Publisher

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

1. Your senior administrator has asked you to set up notifications for the AWS Budgets configuration in the organization's developer accounts. Which of the following notification options are available for AWS Budgets? (Choose two.)
   A. Posting to the Personal Health Dashboard
   B. Amazon SNS topics
   C. AWS Management Console notifications
   D. Direct integration with ServiceNow
   E. Direct email recipients

2. The two strategies for cache loading include which of the following? (Choose two.)
   A. Arbitrary acquisition
   B. First-in, first-out (FIFO)
   C. Lazy loading
   D. Least effort load
   E. Write-through

3. The compliance officer for the organization has asked you to confirm the maximum length of historical data that AWS Cost Explorer provides. Which of the following options will you provide to the compliance officer?
   A. 24 months
   B. 36 months
   C. 18 months
   D. 12 months

4. Why might you use a geoproximity routing policy rather than a geolocation routing policy?
   A. You want to increase the size of traffic in a certain region over time.
   B. You want to ensure that all U.S. users are directed to U.S.-based hosts.
   C. You want to route users geographically to ensure compliance issues are met based on requestor location.
   D. You are concerned about network latency more than requestor location.

5. In Auto Scaling, what does the desired capacity refer to?
   A. The average capacity that the customer expects to need over the next billing cycle
   B. The capacity that the customer expects to need over the next billing cycle
   C. The initial capacity of the Auto Scaling group that the system will attempt to maintain
   D. The lowest capacity of the Auto Scaling group at which the workload is still able to perform

6. You have an application deployment with endpoints in multiple countries. The application needs to have fast response times, and in the event of a failure, you cannot modify the client code to redirect traffic. Which service can help you implement a solution?
   A. Amazon ElastiCache
   B. Route 53
   C. Amazon CloudFront
   D. AWS Global Accelerator

7. You are securing resources in your VPC. You wish to allow only specific ports and you require stateful connections. Which of the following best fulfills these requirements?
   A. NAT gateway
   B. Network access control lists (NACLs)
   C. Security groups
   D. Web application firewall (WAF)

8. Which of the following saves you from provisioning keys to operate AWS services in a programmatic way?
   A. The AWS Management Console
   B. AWS CloudShell
   C. Session Manager
   D. IAM groups

9. You oversee monitoring of performance for several production data conversion systems running on Amazon EC2 instances. Recently the data engineers reported below normal write and read speeds coming from several application servers. Each application server is a t3.large using gp2 EBS volumes for the operating system volume and st1 volumes for the data processing volumes. You are concerned that the volumes are throttling. Which Amazon CloudWatch EBS volume metric will confirm EBS volume throttling?
   A. VolumeQueueLength
   B. VolumeWriteOps
   C. VolumeReadBytes
   D. BurstBalance

10. Inline IAM policies are best used when:
   A. Inline policies are not recommended.
   B. Customer-managed policies must be kept secure.
   C. An appropriate AWS-managed policy does not exist.
   D. Resource-based policies must be tightly integrated with identity-based policies.

11. Your organization is undergoing an application modernization effort and focusing on decommissioning and consolidating applications on-premises into a new AWS environment. Several applications require the use of Secure File Transfer Protocol (SFTP) to move files between the application server and the customer. To reduce cost and assist with consolidation, you want to move all SFTP servers into AWS. Which AWS service provides the most scalable and cost-effective solution?
   A. Amazon EFS
   B. AWS Transfer Family
   C. AWS DataSync
   D. Amazon EC2

12. Which AWS services have CLI wizards available? (Choose three.)
   A. Amazon EC2
   B. AWS Lambda functions
   C. Amazon DynamoDB
   D. AWS IAM
   E. Amazon RDS
   F. Amazon S3

13. You have been contacted by the security team because they are receiving too many findings from Macie in Security Hub. The security team has asked if it is possible to change the frequency of findings being sent into Security Hub from Macie. Which of the following frequencies are supported by Macie? (Choose three.)
   A. 15 minutes
   B. 5 minutes
   C. 1 hour
   D. 3 hours
   E. 6 hours
   F. 30 minutes

14. A company wants to analyze the click sequence of their website users. The website is very busy and receives traffic of 10,000 requests per second. Which service provides a near-real-time solution to capturing the data?
   A. Kinesis Data Streams
   B. Kinesis Data Firehose
   C. Kinesis Data Analytics
   D. Kinesis Video Stream

15. Which of the following statements about RDS read replicas is true? (Choose two.)
   A. A replica can be promoted to replace the primary DB instance.
   B. Read replicas are used as read-only copies of the primary DB instance.
   C. Read replicas should be created in a different VPC from the primary DB instance.
   D. The read replica and primary DB instance replicate synchronously.

16. Your workload spikes every Thursday evening while batch processing runs, and processes are frequently throttled as soon as processing begins. Which of the following scaling methods will most effectively solve this problem?
   A. Predictive scaling
   B. Simple scaling
   C. Step scaling
   D. Target tracking

17. The principle of trust between two unrelated networks is known as:
   A. Distributed computing
   B. Federation
   C. Hybrid computing
   D. Interoperability

18. Which of the following does Elastic Beanstalk store in S3? (Choose two.)
   A. Server log files
   B. Database swap files
   C. Application files
   D. Elastic Beanstalk log files

19. You have been tasked by the CISO to protect all web applications in the production AWS account from SQL injection attacks and cross-site scripting. Which AWS service will you use to accomplish this goal?
   A. Amazon VPC security groups
   B. AWS Web Application Firewall
   C. AWS Network Firewall
   D. AWS Shield

20. You wish to allow administrators to securely connect to hosts in a private subnet in your VPC. Which of the following will best solve this problem?
   A. Bastion host
   B. Client VPN
   C. NAT gateway
   D. Transit gateway

Answers to Assessment Test

1. B, E. When configuring AWS Budgets for notifications, you can email up to 10 recipients directly from the budget configuration. You can also use Amazon SNS to send SMS messages or take other actions through event triggers with Lambda. See Chapter 3 for more information.

2. C, E. Only options C and E are valid caching strategies. See Chapter 7 for more information.

3. D. AWS Cost Explorer provides current month, prior 12 months, and the ability to forecast the next 12 months of AWS cost and usage using the same dataset as the AWS Cost and Usage reports. See Chapter 3 for more information.

4. A. A geoproximity policy, like a geolocation policy, routes users to the closest geographical region. This means that options B and C are incorrect, as they are common to both types of routing policy. Option D would imply the use of latency-based routing, leaving only option A. This is the purpose of a geoproximity policy: you can apply a bias to adjust traffic to a region. See Chapter 10 for more information.

5. C. There are three limits that are set for an Auto Scaling group: the minimum, desired, and maximum capacities. The minimum is the smallest acceptable group size. The maximum is as large as the group will be allowed to scale. The desired is the initial size of the group. Auto Scaling then attempts to maintain that size. When demand causes the group to scale out, Auto Scaling will then scale in at the end of the event back to the desired capacity. See Chapter 5 for more information.

6. D. The anycast IP addresses provisioned by AWS Global Accelerator will allow you to reach a healthy endpoint without having to switch IP addressing, modify the client code, or be concerned about DNS caching. See Chapter 10 for more information.

7. C. A NAT gateway is used by resources in a private subnet to initiate communication with the Internet. A WAF monitors and protects HTTP(S) requests. NACLs and security groups are very similar, and you will need to know the differences. The security group is stateful and the NACL is stateless. Additionally, the question only asks for traffic to be allowed with no requirement for deny rules. NACLs allow deny rules. Given the choice between a security group and an NACL, the security group is the preferred method if all else is equal. See Chapter 9 for more information.

8. B. AWS CloudShell provides a mechanism for operators to use the AWS CLI without having to provision access keys in a local machine. This adds a new layer of security as it saves time and effort in executing one-line and simple administrative CLI commands. See Chapter 1 for more information.

9. D. In this scenario the data engineers are reporting below normal write and read speeds, which is a great indicator that the volume is throttling. The EBS volumes used in this deployment are gp2 and st1 volume types, which both use burst bucket balance to maintain performance above the baseline available IOPS for the volume. Checking the BurstBalance metric for the volume can identify depletion of the burst bucket, which results in low performance for the EBS volume. See Chapter 6 for more information.

10. A. While inline policies are available as an option, they are not recommended. Inline policies can be difficult to troubleshoot, and there are almost always better options. See Chapter 2 for more information.

11. B. In this scenario the organization is looking for a scalable and cost-effective solution to migrate SFTP services from on-premises to the AWS Cloud. This automatically eliminates the option of using Amazon EFS and AWS DataSync as they do not offer a method of enabling SFTP. Amazon EC2 is a potential option but would require custom configuration of an SFTP server on Amazon EC2, including the need for configuring scaling using Auto Scaling. This increases the overall cost and complexity of the solution. The most cost-effective and scalable option is to use AWS Transfer Family, which is a managed service that lets you configure an SFTP service that scales to meet customer demand; AWS manages the underlying infrastructure. See Chapter 6 for more information.

12. B, C, D. Wizards will query existing resources and prompt you for data in the process of setting up for the service invoked. As of this writing, wizards are available for configure, dynamodb, iam, and lambda functions. For example, the command aws dynamodb wizard new-table will guide you in creating a DynamoDB table. Also, note that the configure command does not use a wizard name. It's invoked as aws configure wizard. See Chapter 1 for more information.

13. A, C, E. Macie allows customizable frequencies for when findings are published to Security Hub. You can update the publication setting to fit the needs of the security team by adjusting the findings publication from the default of 15 minutes to either every one hour or every six hours. If you modify the publication timings within one region, you will need to modify every other region where Macie is in use as well. See Chapter 4 for more information.

14. A. This is a classic use case for Kinesis Data Streams. See Chapter 11 for more information.

15. A, B. Replication between the primary and read replicas is asynchronous. Creating read replicas in VPCs outside of the primary instance's VPC can create conflicts with the Classless Inter-Domain Routing (CIDR). See Chapter 7 for more information.

16. A. While simple, step, and target tracking scaling will scale out the workload, they only begin scaling after the metric indicates a problem. Predictive scaling anticipates the event based on historical data and scales out ahead of the Thursday evening batch processing so that throttling is avoided. See Chapter 5 for more information.

17. B. Federation is a trust between two parties or systems for the purpose of authenticating users and conveying information needed to authorize their access to resources. Distributed computing is, at its most fundamental, just computing between two or more computers via messaging usually along a network. It does not imply trust. Hybrid computing refers to a combination of cloud and on-premises resources. Again, no trust is implied. Interoperability is the ability of one computer or application to talk to another. Standards and protocols provide us with interoperability but do not imply trust. See Chapter 2 for more information.

18. A, C. Elastic Beanstalk will store application files and server log files in S3. See Chapter 11 for more information.

19. B. The AWS Web Application Firewall (AWS WAF) is a layer 7 firewall used to protect your web applications from DDoS attacks, SQL injection attacks, and cross-site scripting attacks. You can also allow, block, or count web requests coming into an application based on criteria that you set, such as IP addresses, geolocations, and HTTP headers. See Chapter 4 for more information.

20. A. The NAT gateway and bastion host are often confused. A NAT gateway allows communication out, whereas a bastion host allows communication in. See Chapter 9 for more information.

Chapter 1: AWS Fundamentals

THE AWS CERTIFIED SYSOPS ADMINISTRATOR EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:

Understand AWS networking resources and security services

Implement security controls to meet compliance requirements

Perform operations by using the AWS Management Console and the AWS CLI

Welcome, operators! Thank you for investing in this book and in yourself. It covers the basics of why Amazon Web Services (AWS) matters and how it operates, in case you are not familiar with the fundamentals before you start operating workloads on AWS.

As cloud adoption continues to gain traction in the enterprise and startup space, the concept of system operations at scale becomes essential in the implementation of migration and cloud-native initiatives. Amazon Web Services (AWS) Cloud computing brings into play the ideas of rapid and flexible provisioning with a pay-per-use pricing model that is attractive to everyone who can take advantage of it. In general, AWS customers benefit by leveraging agility, cost savings, elasticity, faster innovation by using complex functionality offered by services, and the ability to attain a global scope of accessibility by customers in a matter of minutes if needed.

In this chapter, you'll learn the fundamentals of AWS.

Getting Started

To take advantage of cloud computing, organizations must recruit and retain competent systems operators who will be responsible for the migration, deployment, automation, monitoring, maintenance, and troubleshooting of cloud-related workloads. This book will empower you to be successful at the AWS Certified SysOps Administrator – Associate exam and to be able to operate workloads efficiently at scale using AWS. As shown in Figure 1.1, AWS continues to be a leader in the cloud computing space in part due to the remarkable pace of innovation implemented and made available to customers. As of this writing the AWS rate of innovation continues to accelerate with dozens of new services and hundreds of new features added to existing services every year. It's no surprise that AWS hosts millions of active customers and tens of thousands of partners around the globe. According to the Synergy Research Group (a leading technology market analyst) and reported by Statista.com, “Amazon's market share in the worldwide cloud infrastructure market amounted to 32 percent in the second quarter of 2023, still close to matching the combined market share of its two largest competitors” (www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers).

As a result of its continuous expansion of services to support virtually any cloud workload, AWS now has more than 200 fully featured services for compute, storage, databases, networking, analytics, machine learning, Internet of Things (IoT), mobile, security, hybrid, virtual and augmented reality (VR and AR), media, and application development, deployment, and management. All you need to do is look at the AWS Management Console to get a sense of the vast and complex ecosystem of services being offered. Let's get started with that process.

FIGURE 1.1 AWS leads cloud market share (Q2 2023).

Source: Statista, Inc.

AWS Account Creation

To create an account with AWS, you will need the following information:

A functional and operable email address

An idea for what you would want to name your account

A unique password to assign the account

A specification for account use as business or personal

Your full name, address, and phone number

A credit card to cover expenses incurred

An idea of what support plan will be needed for your use

Finally, a web browser and access to your email and phone

The account name, specification of business or personal, and choice of support can be changed later and at any time after you gain access to the console. Exercise 1.1 is optional if you already have an account. You do not need to perform the steps explained, but it will be useful to follow along to note the most recent process of account creation.

EXERCISE 1.1

Creating an AWS Account

Using your web browser, navigate to http://aws.amazon.com. If you don't see the Create An AWS Account button at the top right, you may need to use a private browsing session.

Click Create An AWS Account.

On the Sign Up For AWS page, enter your email address and an AWS account name.

Click Verify Email Address. AWS sends an email to the address you provided containing a verification code, which you will need for the next step.

Obtain the verification code from your mailbox and enter it in the response page. The code will be a six-digit number and will be valid for 10 minutes.

Click Verify.

Once your email is verified, enter your choice of password. Passwords need to be at least eight characters and contain at least three of the following: uppercase letters, lowercase letters, numbers, and nonalphanumeric characters.

Click the Continue (Step 1 Of 5) button and complete the CAPTCHA check.

Click the Continue (Step 1 Of 5) button again.

On the next page, enter your personal details and select how you plan to use AWS.

Click Continue (Step 2 Of 5).

Enter your credit card billing information. (For international users outside the United States, please refer to the following URL for payment methods accepted by AWS: https://aws.amazon.com/premiumsupport/knowledge-center/accepted-payment-methods.)

Click Verify And Continue (Step 3 Of 5).

Provide your phone number to confirm your identity. You will receive an automated phone call asking you to provide a verification code. Also, you will need to satisfy the CAPTCHA security check before the call happens.

Click Call Me Now (Step 4 Of 5). The resulting page will alert you that a call is being made and provide a 4-digit number.

Answer the call from AWS, and when prompted, enter the 4-digit number using your phone's keypad.

On the next page, select a support plan for your expected use. Your choices are Free – Basic support, Developer support from $29/month, and Business support from $100/month. Please refer to the following URL to compare AWS support plans and choose the best option for you: https://aws.amazon.com/premiumsupport/plans.

Click Complete Sign Up.

Click Go To The AWS Management Console.

Select the Root User option and enter your email.

Click Next.

Enter your chosen password.

Click Sign In.