I recently architected a bastion solution that lets employees manage their own SSH keys from the AWS console. CodeCommit actually lets you upload your SSH public keys directly in the IAM section of your user, a bit like on GitHub.
Benefits of this solution:
Nothing to manage once installed and configured
Lets users update their public SSH keys themselves inside the console
Deploys the keys automatically and keeps them up to date on all bastions and instances
Adds and removes users on all Linux boxes automatically when you add/remove accounts in IAM
Linux usernames are generated from the IAM account email: firstname.lastname@example.org -> pchapotet
Keys are automatically deployed on bastions and instances based on the VPC where they are located
Inexpensive: the Lambda runs only when there is a change in IAM:
UploadSSHPublicKey, when anyone adds an SSH key to an IAM user
UpdateSSHPublicKey, when anyone activates or deactivates an SSH key
DeleteSSHPublicKey, when anyone deletes an SSH key
DeleteUser, when anyone deletes an IAM user
A single S3 GET operation is all a bastion or instance needs to update its SSH keys
In the diagram above, I assume that you follow AWS best practices and have a central account to manage IAM users, one account for production and one for your development environment. Interested in digging into the code? It’s available here: https://github.com/pchapotet/aws-bastions
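As an added illustration of the flow above (this is example code written for this post, not the code from the aws-bastions repository), the snippet below filters on the four IAM events that trigger a re-sync, derives Linux logins from IAM user names with the firstname.lastname -> flastname convention, and builds the single manifest a host fetches with one S3 GET. The sample key data and the JSON manifest layout are constructed assumptions; in the real setup the triples would come from iam.list_ssh_public_keys / iam.get_ssh_public_key.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# CloudTrail event names that should trigger a key re-sync (the four listed above).
RESYNC_EVENTS = {"UploadSSHPublicKey", "UpdateSSHPublicKey",
                 "DeleteSSHPublicKey", "DeleteUser"}

# Constructed sample of (IAM user name, key body, key status) triples; in the real
# setup these come from iam.list_ssh_public_keys / iam.get_ssh_public_key.
SAMPLE_IAM_KEYS: List[Tuple[str, str, str]] = [
    ("jane.doe@example.org", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-1 jane", "Active"),
    ("jane.doe@example.org", "ssh-rsa AAAAB3NzaC1yc2E-constructed-2 jane-old", "Inactive"),
    ("john.smith@example.org", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-3 john", "Active"),
    ("old.user@example.org", "ssh-rsa AAAAB3NzaC1yc2E-constructed-4 old", "Inactive"),
    ("ci-runner", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed-5 ci", "Active"),
]

def should_resync(event: dict) -> bool:
    """True when a CloudWatch Events record of a CloudTrail call carries one of the
    IAM events above; anything else (e.g. CreateUser) leaves the key set unchanged."""
    return event.get("detail", {}).get("eventName") in RESYNC_EVENTS

def linux_username(iam_user: str) -> str:
    """firstname.lastname@example.org -> flastname (first letter of the first name
    followed by the last name). Names that are not e-mail addresses are lower-cased
    and reduced to login-safe characters; useradd rejects logins over 32 chars."""
    local = iam_user.split("@", 1)[0].lower()
    if "." in local:
        first, last = local.split(".", 1)
        local = first[:1] + last.replace(".", "")
    return re.sub(r"[^a-z0-9_-]", "", local)[:32]

def build_authorized_keys(keys: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map Linux username -> authorized_keys lines. Only Active keys are deployed, so
    deactivating a key in IAM revokes it on the next sync. A user whose keys are all
    inactive is still listed (with no keys); a deleted IAM user disappears entirely,
    which is the signal for hosts to remove the account."""
    out: Dict[str, List[str]] = {}
    for iam_user, body, status in keys:
        user = linux_username(iam_user)
        out.setdefault(user, [])
        if status == "Active":
            out[user].append(body.strip())
    return out

def render_manifest(keys: Iterable[Tuple[str, str, str]]) -> str:
    """The single JSON object written to S3 (assumed layout); each host fetches it
    with one GET and rewrites ~user/.ssh/authorized_keys from it."""
    return json.dumps(build_authorized_keys(keys), indent=2, sort_keys=True)
```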
I recently worked on a feature missing on GCP: a start/stop scheduler for my GCE instances based on labels. I was first excited about using Cloud Functions, but it seemed App Engine was the way to go for several reasons: it supports Python and the task scheduling feature is already built in.
I had a few requirements:
Ability to schedule start and stop of GCE instances every hour
Extra options to run only during working days or weekends; the default is every day
It must work across all projects inside an organisation if you give the right permissions to your default App Engine service account
Inexpensive to run (or free), who wants to pay for a feature that should be available by default in the cloud?
Once it is installed, simply add a few labels to your instances and enjoy the automation! You can run it only during working days (Monday to Friday) with the ‘d’ option and during the weekend (Saturday and Sunday) with the ‘w’ option. Feel free to comment and raise GitHub issues if you see anything to improve.
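To make the scheduling rules concrete, here is an added example (written for this post, not the scheduler project's own code) that decides, on each hourly tick, whether an instance should be started, stopped or left alone from its labels. The label names schedule-start, schedule-stop and schedule-days are assumptions, since the post only describes the behaviour (‘d’ = working days, ‘w’ = weekend, default every day).

```python
from datetime import datetime
from typing import Dict, Optional

# Assumed label names: the post describes the behaviour but not the exact keys.
START_LABEL, STOP_LABEL, DAYS_LABEL = "schedule-start", "schedule-stop", "schedule-days"

def tick(iso: str) -> datetime:
    """Helper so callers can express the hourly tick as an ISO string."""
    return datetime.fromisoformat(iso)

def _hour(labels: Dict[str, str], key: str) -> Optional[int]:
    """Parse an hour label (GCE label values are plain strings); None if absent."""
    value = labels.get(key)
    if value is None:
        return None
    if not value.isdigit() or not 0 <= int(value) <= 23:
        raise ValueError(f"label {key}={value!r} is not an hour between 0 and 23")
    return int(value)

def runs_today(labels: Dict[str, str], now: datetime) -> bool:
    """'d' -> Monday to Friday, 'w' -> Saturday and Sunday, anything else -> every day."""
    mode = labels.get(DAYS_LABEL, "")
    weekday = now.weekday()  # Monday == 0
    if mode == "d":
        return weekday < 5
    if mode == "w":
        return weekday >= 5
    return True

def desired_action(labels: Dict[str, str], now: datetime) -> Optional[str]:
    """Return 'start', 'stop' or None for one instance at the current hourly tick.
    Instances without schedule labels are never touched, and on a day outside the
    selected window nothing is started or stopped."""
    start, stop = _hour(labels, START_LABEL), _hour(labels, STOP_LABEL)
    if start is None and stop is None:
        return None
    if start is not None and start == stop:
        raise ValueError("start and stop hours must differ")
    if not runs_today(labels, now):
        return None
    if now.hour == start:
        return "start"
    if now.hour == stop:
        return "stop"
    return None
```

In the App Engine cron handler this would be evaluated once an hour for every instance returned by the Compute API, calling the start or stop method only when the result is not None.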
Taking the GCP Architect exam is quite a challenge as there is very little study material or practice questions available at the moment.
To prepare for the exam:
I first took the Coursera GCP Fundamentals for AWS Architects class. Note that I passed the 5 AWS certifications prior to this exam, so it helped a lot not having to review the concepts of services that do basically the same thing on AWS and GCP
Play with the platform as much as you can (App Engine, Compute Engine, Network, Firewall, Tags, Load Balancers and IAM in priority)
To sum up the exam without saying too much, it was 50 questions for a total of 120 minutes. Timing is friendly; I had about 15-20 minutes left before the end. Half of the exam worked pretty easily by proceeding by elimination to remove the craziest answers. I was surprised to see a split screen with questions on the left and a listbox on the right allowing you to switch between the 4 use cases available at the moment.
About 15 questions were related to use cases. They seemed more complex, even confusing sometimes. I had to use only 2 use cases out of 4; the rest of the questions are more general and seemed to be what I would categorize as medium-level questions.
A few points I would suggest to work on:
Prepare yourself with the 4 use cases available: work on them for an hour as if they were your customer and decide how you would deal with each point (meaning which service you would use on GCP instead of what they have)
Read about BQ, Bigtable, CloudStorage, Pub/Sub, Dataflow, Dataproc and when to use all of them
Container engine vs Compute Engine vs App Engine
Know cloud related business terms: capex, opex, tco, capacity planning
Best practices regarding IAM, audit logs and how to secure them
Know resources that are global vs regional vs zonal (some major differences with AWS)
Know how the different databases are structured
Learn everything about instance groups, load balancers, stress tests
CI/CD on GCP, how to architect dev/qa/stg/prod environments properly
You will have to look at Java and Python code as expected
Cloud Deployment Manager is part of the exam and interesting to know in detail
Migration: how to deal with an existing DC, move data around, etc.
Network: VPN, firewall, tags
Once again, good luck to everyone taking this exam!
I passed the AWS DevOps Professional exam this weekend after a few weeks looking at the following services: CloudFormation, Auto Scaling, Beanstalk, OpsWorks and CloudWatch. The strategy for the exam was to watch all the https://acloud.guru videos, then do the https://cloudacademy.com/ quizzes (there is a 7-day free trial), as well as review the following:
Getting ready for the AWS Solutions Architect Professional exam is not an easy task! It is currently one of the most difficult AWS certifications to get, together with the DevOps one, due to the number of services it covers. Plan on studying for a few months, not only AWS services but a very wide range of concepts. The level required to pass this exam is very high, nothing compared to the Associate-level certifications. AWS even recommends 2 years of experience on the platform.
The exam tests your ability to answer very quickly: it’s a bit more than 2 minutes per question and very few are short ones. Sometimes answers are very similar and you will have to proceed by elimination. Best tip that helped me, from Reddit: focus on the “kicker”. This is the part after the fluff that tells you exactly what they want, e.g. “Which option provides the MOST COST EFFECTIVE solution?”
One last thing: if English is not your first language you might be able to get an extra 30 minutes by contacting the certification team, but this request can take up to a month, so make it well before taking the exam.