I recently architected a bastion solution to let employees manage their own SSH keys from the AWS interface. CodeCommit actually let you upload directly your SSH keys inside the IAM section of your user, a bit like on Github.
Benefits of this solution:
- Nothing to manage once installed and configured
- Let users update their public SSH keys themselves inside the console
- Deploy the keys automatically and keep them up-to-date on all bastions and instances
- Add and remove users on all Linux boxes automatically when you add/remove accounts in IAM
- Linux usernames are generated based on IAM account email: firstname.lastname@example.org -> pchapotet
- Keys are automatically deployed on bastions and instances based on the VPC where they are located
- Inexpensive: the lambda is running only when there is a change in IAM:
- UploadSSHPublicKey, when anyone adds a SSH Key to an IAM user
- UpdateSSHPublicKey, when anyone makes active or inactive a SSH key
- DeleteSSHPublicKey, when anyone deletes a SSH Key
- DeleteUser, when anyone deletes an IAM user
- A single S3 GET operation is needed to update the SSH keys from bastions and instances
In the diagram above, I assume that you are following AWS best practices and that you have a central account to manage IAM users, one account for production and one for your development environment. Interested in digging into the code? It’s available here: https://github.com/pchapotet/aws-bastions
I passed the AWS DevOps professional exam this weekend with success after a few weeks looking at the following services: CloudFormation, Autoscaling, Beanstalk, Opsworks and Cloudwatch. The strategy for the exam was to watch all https://acloud.guru videos, then do the https://cloudacademy.com/ quizzes (there is a 7-day free trial) as well as review the following:
- Rolling Updates versus Rolling Deployments
- Blue-green strategies on Opsworks, Beanstalk and with Route 53 and AutoScaling
- A/B deployments
- AutoScaling lifecycle hooks
- Cloudwatch Logs
- Opsworks CLI commands
- CF Custom resources, cfn signals and wait conditions
- Kinesis, Cloudtrail, S3 Logging
Getting ready for the AWS Solutions Architect Professional Exam is not an easy task! It is currently one of the most difficult AWS certification to get with the DevOps one due to the number of services it covers. Plan on studying for a few months, not only AWS services but a very wide range of concepts. The level required to pass this exam is very high, nothing compared to the Associate level certification. AWS even recommends 2 years of experience on the platform.
As usual a good start is to follow the awesome https://acloud.guru/ courses.
Don’t forget to study all the AWS Reference Architectures and watch AWS Summit videos:
The exam tests your ability to answer very quickly, it’s a bit more than 2 minutes per question and very few are short ones. Sometimes answers are very similar and you will have to proceed by elimination. Best tip that helped me from Reddit: Focus on the “kicker”. This is the part of the after the fluff that tells you exactly what they want. e.g. “Which option provides the MOST COST EFFECTIVE solution.
One last thing, if English is not your first language you might be able to get an extra 30 minutes by contacting the certification team, but this request can take up to a month prior to taking the exam.
Good luck to everyone taking this exam!