AWS Certification Track and Lambdas

It’s really awkward to know what to pick next in the AWS certification ecosystem.

Background

I earned my AWS Certified Cloud Practitioner certification about a year ago, and have been pretty deep into AWS and DevSecOps ever since.

More recent realizations

At home and at work, I have come through a few major growth spurts of everything-Lambda and everything-API Gateway, and I’ve learned a few things.

AWS X-Ray

X-Ray is dead simple to read about, and then bolt on. Wherever possible (e.g. not HttpApi API Gateways), you should integrate it into your services. It’s well worth knowing that you can at least trace through an issue, even if the results it gives are sometimes mysterious (a 200 response from SES with error false and warning true?).

X-Ray Instrumentation

Create a Lambda layer that contains aws-sdk and aws-xray-sdk. If this is for NodeJS, make a package.json file with these dependencies, run npm i, point your SAM/IaC template at the directory with package.json in it, then mkdir -p nodejs && mv node_modules nodejs to get the layering correct.

This will allow you to attach this layer to all your NodeJS Lambdas, where you’ll be able to instrument easily.

Wrap all your HTTP calls with X-Ray. This ensures you will trace e.g. axios calls made by your Lambda.

AWSXRay.captureHTTPsGlobal(require('http'));

Similarly, wrap all AWS calls with X-Ray:

const AWSXRay = require('aws-xray-sdk');
const AWS = AWSXRay.captureAWS(require('aws-sdk'));
// ...
await new AWS.SNS({ apiVersion: '2010-03-31' }).publish(params).promise();
// ...

Infrastructure as Code (IaC) with SAM

SAM is a wonderful and fast way to slam IaC into your codebase. It’s a CloudFormation transform, and it’s generally pretty great. Use it, and watch @edjgeek and his great videos; he’s a stand-up guy and was exceedingly responsive the one time I ended up pinging him for a feature-request.

My typical build-pattern out into unknown hinterlands is as follows (this is the path I most-recently took with bringing in a reCaptcha challenge to a front-end CTA page, where I wanted first to leverage SES to email me, then thought about future-state and how that collection method should be handled via DynamoDB, so cut over to SNS):

  1. Click-ops the thing into existence with the AWS Console. This may mean, “create a new SNS and Topic and attach an endpoint.”

  2. Assign roles and policies as appropriate.

  3. Test.

  4. If it works, start to bring these pieces into your IaC of choice (I like SAM at home and in my not-day-job work).

  5. Take a last look in the AWS Console. Take screencaps if it’s useful.

  6. Manually tear-down the resources you just created via click-ops.

  7. Deploy your IaC.

Setting Environment Variables

Need, say, an ARN in a Lambda because you want to invoke a service? Hook a !Ref to the service to a SCREAMING_SNAKE_CASE variable described in your Lambda’s Environment block. ARNs aren’t secret, so they don’t need to go into something like HashiCorp Vault or an AWS Secrets Manager instance, but as environment variables they are still encrypted at rest.

AWSTemplateFormatVersion: 2010-09-09
Description: XXX.TLD
Transform: AWS::Serverless-2016-10-31
Resources:
    ## SNS Topics
    ReCaptchaTopic:
        Type: AWS::SNS::Topic
        Properties:
            ## ...
            Subscription:
                - Endpoint: XXX@YYY.com
                  Protocol: email
            TopicName: reCaptcha-cta-XXX-TLD
    CloudWatchAlarmsTopic:
        Type: AWS::SNS::Topic
        Properties:
            ## ...
    ## ...
    sendEmailNotificationLambda:
        Type: AWS::Serverless::Function
        Properties:
            ## ...
            Environment:
                Variables:
                    SNS_TOPIC_ARN: !Ref ReCaptchaTopic

Then you can pull it into your NodeJS lambda code:

const snsTopic = process.env.SNS_TOPIC_ARN;
// ...
// Create publish parameters
const params = {
    Message: messageBody,
    TopicArn: snsTopic
};

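try {
    const publishTextPromise = await new AWS.SNS({ apiVersion: '2010-03-31' }).publish(params).promise();
    // ...
} catch (err) {
    // Log the failure so it shows up in CloudWatch, then let the invocation fail
    console.error(err);
    throw err;
}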

Finally, test and ensure your new service and its hooks are working end to end.
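As an added example (not code from the original post), here is one way to structure the handler above so that the SNS_TOPIC_ARN wiring can be checked locally before the end-to-end test: it rejects a missing or malformed ARN at cold start and takes the SNS client as a parameter so a stub can stand in for `new AWS.SNS(...)`. The helper names, the 2000-character cap, and the `{"message": "..."}` request body are assumptions.

```javascript
// Added example; parseTopicArn, makeHandler and makeStubSns are hypothetical names.
// Assumed ARN shape: arn:<partition>:sns:<region>:<12-digit account>:<topic name>
const SNS_ARN_RE = /^arn:aws[a-z-]*:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}(\.fifo)?$/;
const MAX_MESSAGE_CHARS = 2000; // assumed cap for a CTA form message

function parseTopicArn(value) {
    if (typeof value !== 'string' || !SNS_ARN_RE.test(value)) {
        throw new Error('SNS_TOPIC_ARN is missing or is not an SNS topic ARN');
    }
    return value;
}

// sns: any object exposing publish(params).promise(), e.g. new AWS.SNS({ ... })
function makeHandler(sns, env = process.env) {
    // Validate once at cold start so a bad template fails loudly, not per request
    const topicArn = parseTopicArn(env.SNS_TOPIC_ARN);
    return async function handler(event) {
        let form;
        try {
            form = JSON.parse(event.body || '');
        } catch (err) {
            return { statusCode: 400, body: 'invalid JSON' };
        }
        const text = form && typeof form.message === 'string' ? form.message.trim() : '';
        if (text.length === 0 || text.length > MAX_MESSAGE_CHARS) {
            return { statusCode: 400, body: 'invalid message' };
        }
        try {
            const out = await sns.publish({ Message: text, TopicArn: topicArn }).promise();
            return { statusCode: 202, body: JSON.stringify({ id: out.MessageId }) };
        } catch (err) {
            // Log only the error type; the caller gets no internal detail
            console.error('sns publish failed', err.code || err.name);
            return { statusCode: 502, body: 'notification failed' };
        }
    };
}

// Constructed stub that records publish() calls for local tests
function makeStubSns(fail = false) {
    const calls = [];
    const publish = (params) => {
        calls.push(params);
        const result = fail ? Promise.reject(new Error('boom')) : Promise.resolve({ MessageId: 'stub-1' });
        return { promise: () => result };
    };
    return { calls, publish };
}
```

In the deployed Lambda, export `makeHandler(new AWS.SNS({ apiVersion: '2010-03-31' }))` as the handler, with `AWS` being the X-Ray-wrapped SDK shown earlier.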

“How” versus “What”

You’ll notice that this information is all about implementation and the how of building, rather than the what. This would be an obvious lead-in to the AWS Developer Associate exam … but I don’t have that slated next.

Instead, what I worry about most at this point is not knowing what to build. The how I can hammer through; I’m good enough to clear these hurdles. But the what is an entirely different beast. For instance, is HttpApi better than an ALB for my needs? Well, right now, yes, but I would imagine that when I look to go multi-AZ, multi-region and have hot failover, my views could change.

AWS Certification Order (YMMV)

It’s really awkward to know what to pick next in the AWS certification ecosystem. Perhaps this list will be useful to someone; it’s a rough overview of my own plan:

  1. AWS Certified Cloud Practitioner: 2020 October

  2. AWS Certified Solutions Architect – Associate: 2021 Q4

  3. AWS Certified Developer – Associate: 2022 Q1

  4. AWS Certified Security – Specialty: 2022 Q3

  5. AWS Certified Solutions Architect – Professional: 2022 Q4 - 2023 Q1

  6. AWS Certified Advanced Networking – Specialty

  7. AWS Certified DevOps Engineer – Professional

  8. AWS Certified SysOps Administrator – Associate

  9. AWS Certified Alexa Skill Builder – Specialty

  10. AWS Certified Database – Specialty

  11. AWS Certified Big Data – Specialty