26 July 2022

How to prepare for the AWS Solution Architect Professional certification (SAP-C01)

In this series, I will talk about my journey towards the AWS Solution Architect Professional certification, one of the toughest Amazon certificates out there. I’m going to talk about the skills you need to succeed in the exam, my preparations, and the exam’s content.

Exam prerequisites

Study

The official AWS statement about this exam is as follows:

AWS Certified Solutions Architect - Professional is intended for individuals with two or more years of hands-on experience designing and deploying cloud architecture on AWS. Before you take this exam, we recommend you have:

  • Familiarity with AWS CLI, AWS APIs, AWS CloudFormation templates, the AWS Billing Console, the AWS Management Console, a scripting language, and Windows and Linux environments
  • Ability to provide best practice guidance on the architectural design across multiple applications and projects of the enterprise, as well as an ability to map business objectives to application/architecture requirements
  • Ability to evaluate cloud application requirements and make architectural recommendations for implementation, deployment, and provisioning applications on AWS
  • Ability to design a hybrid architecture using key AWS technologies (e.g., VPN, AWS Direct Connect) as well as a continuous integration and deployment process

With the official statement out of the way, let’s talk about the topics you need to know and understand before taking this exam.

Network

Everything around VPC should have no secrets for you. The following topics must be fully understood: you should know where to use them, what problems they solve, what limitations they bring, and what the decisions you take will cost:

  • VPC, Subnets (private, public)
  • Your internet breakouts: Internet Gateway, NAT Gateway and Egress-only Gateway
  • NACLs (stateless) and Security Groups (stateful)
  • Connecting networks:
    • Cloud-to-cloud: VPC Peering, Transit Gateway, S2S VPN tunnels using 3rd party VPN appliance
    • Hybrid: Direct Connect (and all the different Gateways and virtual interfaces you can connect this to), Transit Gateway, S2S VPN using Virtual Private Gateway, SSL VPN for clients
  • Hub-and-spoke model using a centralized network account for your internet breakout
  • Gateway load balancer for your cloud firewall virtual appliances
  • Application and Network load balancers
  • Creating network redundancy using Direct Connect, S2S VPN and Border Gateway Protocol (BGP)
  • DNS using Route53 and all its different routing policies
  • DNS in a hybrid setup using Route53 and Route53 inbound and outbound resolvers

IAM & Security

This shouldn’t come as a surprise! If you’re working with AWS, then you already know that IAM is the central service so many other services revolve around. The following topics should have no secrets for you:

  • IAM policy structure:
    • The JSON body structure
    • Least privilege access
    • IAM roles and STS
    • Knowing some important condition keys like:
      • aws:SourceIP
      • aws:SourceVpc
      • aws:SourceVpce
      • s3:x-amz-server-side-encryption
  • The procedure around assuming cross-account roles must be fully understood
  • Understanding identity-based policies and resource-based policies
  • When to use CloudTrail, how to centralize logs in a multi-account setup, and how to secure these logs
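The condition keys listed above are easiest to remember when you have seen them in a real policy. The S3 bucket policy below is an added example (not from the original post or from AWS documentation): it denies every request that does not arrive through one VPC endpoint (aws:SourceVpce) unless it comes from a break-glass admin role (aws:PrincipalArn), and it denies uploads that are not KMS-encrypted (s3:x-amz-server-side-encryption). The bucket name, endpoint id, account id and role name are placeholders you would replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessExceptFromVpcEndpointOrAdmin",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-EXAMPLE" },
        "ArnNotEquals": { "aws:PrincipalArn": "arn:aws:iam::111122223333:role/BreakGlassAdmin" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

Two exam-relevant details are visible here: the operators inside one Condition block are ANDed, so the first Deny only fires when the request is neither from the endpoint nor from the admin role, and StringNotEquals alone does not catch a request that omits the header entirely, which is why the Null statement is needed as well. Remember that a blanket aws:SourceVpce deny also blocks the AWS console and AWS services (for example CloudTrail log delivery) unless you carve out exceptions for them.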

Both networking and IAM are fundamental blocks in this exam. If you already have doubts about some of the topics above, please review those before moving on. I can’t emphasize enough how important both topics are for this exam.

The following topics are a great asset and will make your journey much easier if you’re familiar with them.

Compute

Expect very in-depth questions 😓. Each question expects you to make the best choice on compute taking into consideration costs. Multiple answers can be ‘technically’ correct, but there’s always one answer which also considers costs. At the very least, you should be experienced with the following services:

  • EC2
  • Lambda
  • ECS

Storage

When it comes to storage, you should be very familiar with Amazon S3 and have a good understanding of the following:

  • Know the different storage classes
  • How to replicate your bucket
  • Giving/denying access to your bucket

Database

It’s a big plus if you have hands-on experience with RDS. The following topics are great assets to prepare for the exam:

  • How to make it highly available, both within a single region and across regions with automatic failover
  • How to troubleshoot and remediate big workloads that cause application timeouts:
    • Caused by huge reads on the database
    • Caused by huge writes on the database
  • When to use caching

Caching

Another big topic of the exam is CloudFront. Understand CloudFront and the issues it can remediate. Know how to architect CloudFront within the AWS ecosystem! A helpful list of topics:

  • Static content caching & dynamic content caching
  • Optimize your cache hits
  • Securing your CloudFront origin using:
    • SSL/TLS
    • Origin access identity
    • Headers

Monitoring

Know the ins and outs of CloudWatch and how you can use it to automate scenarios in your setup. Understanding the following topics will make things easier for you down your study road:

  • CloudWatch agent
  • CloudWatch Alarms, Metrics and Logs
  • The automation you can build with CloudWatch Events
  • Utilizing CloudWatch Alarms and SNS for notification

My preparation

Preparation

As of today, I’ve been working full time as an AWS & DevOps engineer for the past 2,5 years. Before this, I was a network engineer for 6 years. In these past 2,5 years, I mainly did a combination of greenfield, migration, and optimization projects where I extensively worked with EC2, Lambda, ECS, RDS, API Gateway, CloudWatch, S3, CloudFront, and hybrid networking. This experience helped a lot during my studies: it made the subjects easier to comprehend and allowed me to dissect the exam questions so that I could narrow down the set of correct answers.

As a study guide, I used Stephane Maarek’s Ultimate Solution Architect Professional 2022 video course. I recommend this course for the following reasons:

  • Stephane is a great instructor and explains things very clearly. His video courses are very popular and receive enormous amounts of positive feedback
  • The topics are all on point and are all relevant exam topics
  • His videos are never longer than 13 minutes, and in each one he explains the core fundamentals of a service that you need to know
  • He gives great advice on how the exam can ask for a certain scenario about a certain resource to give you an idea of what to expect
  • He gives multiple global architectures where you can see the bigger picture and see how all these services get connected to each other. These global architectural overviews helped me a lot during my preparations
  • At the end of the course, he also goes through a couple of exam questions and explains how you can digest the questions and answers to find the correct answer. This mindset will definitely help you throughout the exam

To verify I was ready for the exam, I purchased the Tutorials Dojo AWS Certified Solution Architect Professional Practice Exam 2022. These are great tests to verify your knowledge and to pinpoint which areas you need to improve. For wrong answers, you also receive an explanation and a link to the AWS documentation. The question style matches the real exam, giving you an idea of what to expect!

After indicating the areas you need to improve on, you can review the videos on those topics and dig deeper into the AWS documentation. I repeated this procedure until I scored at least 80% on the Tutorials Dojo practice tests.

The Exam

Exam

The 5 domains where the exam will test you are the following:

Domain                                           % of Exam
Domain 1: Design for Organizational Complexity   12,5%
Domain 2: Design for New Solutions               31%
Domain 3: Migration Planning                     15%
Domain 4: Cost Control                           12,5%
Domain 5: Continuous Improvement                 29%
Total                                            100%

A key benefit of the Tutorials Dojo practice tests is that they show you in which domain(s) you failed. This gives you a good idea of the domains you need to invest more time in.

The exam consists of 75 multiple-choice questions. You have 180 minutes to complete it, but if English isn’t your mother tongue, you can request 30 minutes of extra accommodation time. I highly recommend getting that extra time because the exam is really time-consuming!

The questions tend to be long with a lot of side information. On every question, you need to ask yourself:

  • What is the issue?
  • What can solve this issue/what do they expect from me?
  • What are the additional requirements?

Most of the time, the general issue is clear in the question. With “general issue” I mean:

  • The application doesn’t scale and has performance issues
  • Reads on the database are slow
  • User receives an error while visiting a website that sits behind CloudFront
  • Company’s application had downtime, and now they want to make it highly available

When I read the general issue, I already had some solutions in mind without reading the answers yet. For example:

Issue                                                                                Possible Solutions
Company’s application had downtime, and now they want to make it highly available   RDS Multi-AZ, EC2 autoscaling in multiple availability zones
User receives an error while visiting a website that sits behind CloudFront          Origin misconfiguration? SSL/TLS issues?
The application doesn’t scale and has performance issues                             Load balancer and autoscaling
Reads on the database are slow                                                       Utilizing caching

Because several solutions can fit the general issue, the additional requirements are extremely important as well. The extra requirements can completely change the question’s outcome. For example:

  • Company X wants to achieve this with the LEAST cost involved
  • Company Y wants to achieve this with the LEAST operational overhead
  • Company Z wants to achieve this in the QUICKEST way possible

After reading the question, I asked myself what the issue and expectations were. Then, I started to go through the answers and removed the impossible ones. Using this approach, you often end up with only two almost similar answers. Both answers are valid, but one is more suitable for the particular scenario.

If you’re stuck on a question, flag it and move on to the next one. When you’re finished, you can always review the flagged questions. Don’t forget this is a lengthy exam, so time management is necessary while going through the exam.

My last tip is this additional list of topics you should understand to succeed in this exam:

  • AWS Organizations and SSO
  • CloudTrail, SCPs and AWS Config
  • DynamoDB and Aurora
  • AWS Firewall Manager
  • AWS Database Migration Service (DMS)
  • AWS Server Migration Service (SMS, the old way of lift and shift)
  • AWS Application Migration Service (MGN, the new way of lift and shift)
  • Snow family
  • AWS Storage Gateway
  • Cost optimization utilizing Savings Plans and Spot Fleet Instances
  • Kinesis Data Streams, Data Firehose and Data Analytics
  • AWS API Gateway

Summary

To summarize what we’ve discussed in the post:

  • Some fundamental requirements before approaching this exam
  • Study material and the approach I used to succeed on this exam
  • The anatomy of the exam and how you should approach it

If all of this sounds overwhelming, don’t panic! Take your time and finish domain by domain. Enjoy the journey and before you know it, you’re also a Certified AWS Solution Architect Professional 😉

Links to the study material:

If you enjoyed this post, then don’t hesitate to share it with friends and colleagues.

Until the next time, take care!