AWS Wishlist : Certificate Manager SNS notifications, longer validity (ACM)

I recently learned, the hard way, that ACM certificates are issued for a period of 13 months. I am sure that, with browsers and hash algorithms getting smarter (or weaker), ACM has a very big marker on AWS’s radar.

I would like to request AWS product teams for

  1. An SNS and/or Lambda trigger hook for notifications
  2. Validity of the certificates beyond 13 months

Using EC2 Run Command to Disable IE Enhanced Security

Chances are this is the first step engineers do right after launching a plain EC2 Windows Server instance. Windows servers tend to take some time to stabilize before the full GUI becomes responsive, so I was thinking about what would be a good use of EC2 Run Command, and this came to mind. I have tested the solution on Windows Server 2012 R2, Windows Server 2012 and Windows Server 2008 R2.

The only prerequisite for using EC2 Run Command is to ensure the instance is launched with an IAM role that has the AmazonEC2RoleforSSM policy attached. Additional information can be found at Troubleshooting Amazon EC2 Run Command.

So this is how the approach goes: you accomplish the task in two passes, the disable operation followed by a logoff. I found the code for both on StackOverflow – Disable IE security on Windows Server via PowerShell and Powershell Log Off Remote Session.

Step 0 : Ensure the Instance is launched with the IAM Role with the privilege AmazonEC2RoleforSSM.


Step 1 : Execute Run Command


Select The AWS-RunPowerShellScript and Designated Instance id


Use the code [ Referenced from – ]


And that’s it …


I have tried it multiple times; unless you log off and then log in again, for some reason the change doesn’t show up. The EC2 Run Command pass that does the logoff doesn’t seem to fix this. Nevertheless, it is easy to log off.
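The two passes described above, driven from boto3, as an added example that is not the post’s own code or the StackOverflow snippets it references. It assumes AWS credentials in the environment, an instance whose role carries AmazonEC2RoleforSSM, and the quser column layout used in the logoff pass; the registry GUIDs are the standard IE ESC Active Setup components.

```python
# Added example (not the post's code): the two Run Command passes the post
# describes, driven from boto3. Assumes credentials in the environment and an
# instance whose role carries AmazonEC2RoleforSSM.
import time

# Pass 1: clear IsInstalled on both IE ESC Active Setup components (admin and
# user) and restart Explorer. IE ESC is a hardening control, so only relax it
# where a looser browser policy on the server is an accepted risk.
DISABLE_IE_ESC = r"""
$base = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components"
Set-ItemProperty -Path "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0
Set-ItemProperty -Path "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0
Stop-Process -Name Explorer -Force -ErrorAction SilentlyContinue
"""

# Pass 2: log off every interactive session. The quser parsing is an assumption.
LOGOFF_ALL_SESSIONS = r"""
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '\s(\d+)\s+(Active|Disc)') { logoff $Matches[1] }
}
"""

def script_lines(script):
    """AWS-RunPowerShellScript takes 'commands' as a list of lines."""
    return [line for line in script.strip().splitlines() if line.strip()]

def run_powershell(ssm, instance_id, script, comment, poll_s=5):
    """Send one AWS-RunPowerShellScript invocation; return (status, stderr)."""
    command_id = ssm.send_command(
        InstanceIds=[instance_id], DocumentName="AWS-RunPowerShellScript",
        Comment=comment, Parameters={"commands": script_lines(script)},
    )["Command"]["CommandId"]
    while True:
        try:
            inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        except ssm.exceptions.InvocationDoesNotExist:  # not registered yet
            inv = {"Status": "Pending"}
        if inv["Status"] not in ("Pending", "InProgress", "Delayed"):
            return inv["Status"], inv.get("StandardErrorContent", "")
        time.sleep(poll_s)

def disable_ie_esc(ssm, instance_id, poll_s=5):
    """Run both passes in order and stop early if the first one fails."""
    results = []
    for label, script in (("disable IE ESC", DISABLE_IE_ESC), ("log off sessions", LOGOFF_ALL_SESSIONS)):
        status, err = run_powershell(ssm, instance_id, script, label, poll_s)
        results.append((label, status, err))
        if status != "Success":
            break
    return results
```

Call it as `disable_ie_esc(boto3.client("ssm"), "i-…")` and check the returned statuses; a failed first pass means the logoff pass was skipped.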


AWS Wishlist : 1-Click CloudFormation Resource Group Creation

Resource Groups are one of the coolest but most obscure features in AWS. My theory is that this is due to the powerful search bar in the EC2 AWS Management Console, which accepts regex and range queries and auto-suggests tags and their values. That looks good as long as the only components you manage are EC2 instances.

CloudFormation automatically creates a tag called aws:cloudformation:stack-id which gets applied to all of the entities created or managed by CloudFormation; AWS uses it internally to logically group the components created by CloudFormation. The aws:cloudformation:stack-id tag is pretty much all that’s required to create a Resource Group.


I would like to request that AWS consider a feature like a button in the CloudFormation console that says “Create a Resource Group”, which would take you to the Resource Groups console to view and manage the entities in a single place.

Preparing for AWS Certified Developer

I have briefly mentioned in other posts how I prepared for the other AWS certifications, Solution Architect and SysOps Administrator. I cleared my AWS Developer certification last week. It was indeed developer focused, which translates to heavy coverage of DynamoDB, CloudFormation, Elastic Beanstalk, SQS, SNS and OpsWorks. DynamoDB stood out without any doubt.


A few interesting points: there were questions on the command line, on the hard limits and soft limits of AWS services, and an emphasis on usage of the SDK (an SDK user would be able to answer those questions without a doubt). I am a developer not inclined to any particular platform, more of a generic guy with a bit of JS, .NET and Python.

I have been working on AWS (and other random stuff – Azure, Office 365, Talend, Robotic Process Automation, DevOps) for around 6 years and I never really took a learning path for the associate-level AWS certifications. I took my AWS Solution Architect by mid 2014, SysOps by mid 2015, the Solution Architect recertification by mid 2016 and the Developer certification last week (end of 2016); I am working on the professional level.

I would recommend the following learning path for anyone preparing to face the AWS Certified Developer certification.

  1. VPC, Subnets, Security Groups, Elastic IP, Public IP, Private IP – know these by heart by all means (this is pretty much applicable to all the AWS certifications).
  2. EC2, AMI – try launching and relaunching in a different AZ and a different region, changing the instance size, changing the application version, and snapshots – attach and detach.
  3. S3 is really important – methods of securing S3 items (ACL, IAM), static web site hosting, logging, storage classes and Glacier. (I want to thank Craig Carl for his re:Invent session – please spend time on this video; you will also thank Craig Carl when you face the certification.)
  4. I would recommend ditching the AWS Management Console for a couple of weeks and working with the AWS CLI; that should level up your skills with IAM access keys and secret keys and help you understand the nature of the AWS API. Bonus points if you try aws-shell.
  5. I remember watching one of the YouTube videos by Matt Wood himself where he starts all the way from 101 in DynamoDB. I would recommend building a web application using one of the SDKs with DynamoDB as the backend; a simple CRUD application should help you get your hands dirty with DynamoDB. Please spend time, effort, money and social life on indexes in DynamoDB.
  6. Try releasing the above application to the wide world through OpsWorks and Beanstalk; that would help check a lot of items in the exam blueprint.
  7. Try using RDS, SNS and SQS wherever and however possible.
  8. If you are able to meaningfully represent the above items in a CloudFormation template, you are good to go here. I am bragging here.
  9. FAQs are super important for the services – I would go through them multiple times before facing the certification exam.
  10. All the patterns and anti-patterns (when to use CloudFormation vs Elastic Beanstalk, AMI vs user data, RDS vs DynamoDB) would help filter out the wrong answers. I felt this was a theme the whole time.

All the best

Sleep function in AWS CloudFormation

IMHO one of the most important missing pieces in CloudFormation is the inability to explicitly specify a SLEEP or WAIT function. It is not that implementing one is totally impossible; it is just that it involves a hard workaround, one of which is to inject the wait script via user data, with a WaitHandle and WaitCondition, on EC2 instances.

A sample implementation of wait using EC2 Instance’s WaitHandle

There is absolutely no downside to that approach, and it is easy to bake the wait script into the CloudFormation template; the problem arises if you want the same WAIT functionality in stacks that do not have EC2 instances as part of the stack.

I tried, and succeeded, using AWS Lambda for the purpose instead of EC2. To summarize the implementation: a CloudFormation custom resource calls a Lambda function, and all the function does is respond after 5 minutes (the current maximum execution time for a Lambda function). If you need to wait longer than 5 minutes, you use DependsOn in CloudFormation and cascade the custom resource calls.

Wait Function – AWS Lambda

Below is the sample code that creates a VPC and a Security Group after waiting a 5 minute delay and a 10 minute delay.
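A Python handler for the custom resource the post describes, as an added example that is not the post’s own code. It assumes a resource property named DelaySeconds (my name, not part of the post) and sleeps only as long as the function’s own remaining time allows, so a request can never go unanswered.

```python
# Added example (not the post's code): a CloudFormation custom-resource Lambda
# that sleeps, then signals SUCCESS. DelaySeconds is an assumed property name.
# The sleep is capped by the function's remaining time so the stack is never
# left waiting on an unanswered request (CloudFormation's custom resource
# timeout is an hour; a silent Lambda timeout costs you all of it).
import json
import time
import urllib.request

SAFETY_MARGIN_S = 10  # answer well before Lambda kills the function

def sleep_budget(requested_s, remaining_ms):
    """Seconds to really sleep: the request, capped by time left minus margin."""
    return max(0, min(requested_s, remaining_ms / 1000 - SAFETY_MARGIN_S))

def build_response(event, status="SUCCESS", reason=""):
    """Body CloudFormation expects to be PUT to the pre-signed ResponseURL."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": event.get("PhysicalResourceId")
        or "sleep-" + event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }

def send_response(url, body):
    """PUT the JSON body to the pre-signed S3 URL; an empty Content-Type is required."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def handler(event, context):
    """Entry point: wait on Create/Update, answer immediately on Delete."""
    try:
        if event["RequestType"] in ("Create", "Update"):
            props = event.get("ResourceProperties", {})
            requested = int(props.get("DelaySeconds", 300))
            time.sleep(sleep_budget(requested, context.get_remaining_time_in_millis()))
        body = build_response(event)
    except Exception as exc:  # always answer, even on failure
        body = build_response(event, "FAILED", str(exc))
    return send_response(event["ResponseURL"], body)
```

For the post’s 10 minute wait, declare two of these custom resources and chain the second to the first with DependsOn, exactly as the post describes for waits longer than 5 minutes.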




Preparing for Recertification – AWS Certified Solution Architect – Associate

I took and successfully cleared the recertification exam for AWS Certified Solution Architect – Associate Level today. I am still regretting not attempting to advance to the professional level; anyway, here is the blog post about the recertification exam. I previously blogged about preparing for the AWS Certified Solution Architect – Associate level 2 years ago.

I felt a couple of questions had been repeated from the original Solution Architect exam which I wrote 2 years back; I completely understand and agree with the importance of and reason why those were repeated (I abide by the NDA I signed, hence I am not disclosing which questions they are).

  • It was a quick test: 80 minutes and 60 questions
  • VPC, IAM, EC2, S3 – the core services are still important and had a lot of depth and count
  • Following the same learning strategy as for the original exam would still be relevant
  • Amazon did a good job of drawing a line to determine which points and factors (costing, sizing, strategy, design, optimal solution) would affect an Architect
  • If you have continued your day-to-day AWS operations after clearing your original AWS Certified Solution Architect – Associate Level, you should be able to win hands down

I highly recommend giving thought to NOT taking the Associate Level recertification exam and instead considering the Professional Level; on clearing it, you would be able to renew both levels for the next 2 years. I received a 50% voucher code almost a year back, and I am sure you would have received one too for taking the Professional Level (50% discount off $300).
PS: You get a new AWS-ASA XXX number instead of the same number renewed for the next 2 years. It is good to know that a lot of people are taking the certification exam – 2 years ago my certification number was in the 2000s and now it is in the 20,000s; in short, it is almost like a brand new exam, but at a discounted rate of $75 instead of $150.