Passing the AWS Certified Solutions Architect Professional exam

My AWS Certified Solutions Architect Associate (CSA-Associate) certification expired this month (May 2016) and I was presented with two options to maintain my AWS certification credentials: either re-sit the CSA-Associate exam, or go big and pass the fabled CSA-Professional. The CSA-Associate exam in 2013 was a non-event and I passed it almost by accident — at that time I had no previous AWS experience and I invested maybe 6 hours of combined study into preparation before I took the exam. I am always up for a challenge so I decided to upgrade myself to a CSA-Professional this time; I heard it is comprehensive and tough, requiring strong cloud architectural knowledge. Bring it on!

To set the scene, I’m not new to IT certifications. I passed 11 MCP exams in 6 consecutive days in 1998, went through PMP and CISSP in early ’00, obtained Microsoft Certified Architect (MCA) certification in 2007, IASA CITA-P cert in 2009 and got my Distinguished IT Architect certification in 2011 — just to name the big ones. To put it simply, I am confident with IT exams as I saw a good chunk of them in my career. For full disclosure, I actually created some of the master-level architecture certifications listed above, co-wrote several large question banks for MCP exams and frequently argued with psychometrists about language interpretation and clarity of questions for non-native English speakers.

So, how did my CSA-Professional exam go? The test was 77 questions long and I got 170 minutes to complete the exam — just over 2 minutes per question. Each question was a dense wall of text — not just the description of a scenario, it provided an extremely long and convoluted set of possible answers. Time to get cranking! I did the first pass through the question set in about 90 minutes, took a mental break and reviewed all of my answers in the next hour. About 25 questions were either really silly or lacked clarity, so I spent the last 20 minutes of my test trying to decipher what the examiners actually wanted to ask — some of that stuff simply didn’t make much sense to me (mind that I’m not a native English speaker). What was left at the end were 10 questions that were so obscure and unnatural that I simply played eeny-meeny-miny-moe and picked some random answers. I closed the test a minute before time expiration and got 75%. That was a passing score. So I passed. Yay.

General observations

  • There were several questions related to DR solutions with specified RPO/RTO times. Modern cloud-born solutions use a completely different BCP approach, but hey, someone in AWS really likes traditional disaster recovery scenarios and is making sure that you love them too. I know it is 2016, but you need to learn the old skool BCP techniques for this exam.
  • Questions about the AWS Storage Gateway appeared at least 3 times. Yeah. Storage Gateway. The stuff that cloud-native architects never saw in action — nor do we want to. You have to learn the difference between Cached Volumes and Stored Volumes, and understand how VTL works.
  • Lots and lots and lots of questions on deployment management. CloudFormation. Elastic Beanstalk. OpsWorks. Learn these three technologies well — not well for an architect, but well for a 2nd-tier escalation operations engineer. One of the examiners really really really liked cloud deployment automation. And now you will like it too. Who cares if you use SaltStack, Terraform or Ansible — learn CF, Beanstalk and OpsWorks!
  • Networking questions were everywhere, like 30% of the test or even more: VPN/Direct Connect/VPC peering. For me, DDoS protection, WAF, CloudFront, and SSL/TLS stuff is networking too, although AWS treats them as security issues. Anyway, the examiners *love* networking. Learn networking. I mean, learn it like this is a Cisco exam, not a cloud architecture exam.
  • Federated access, SAML, IAM roles and all possible AuthZ/AuthN scenarios — learn them all. Learn how IAM policies work. How cross-account trust works. And specifically how they don’t work. Think like troubleshooting support personnel and what they need to know about identity flows; that’s what you need to know for this exam.
  • Whenever you see the need for a high-performing scalable solution, the answer is always DynamoDB. Even if you think that architecturally there might be a better choice (Cassandra, or CouchDB anyone?), the correct answer will be DynamoDB. People that wrote the test were clearly in love with DynamoDB, ElastiCache and Kinesis. Just pick the answer that includes all three of them and you’ll be right.
  • If a scenario is asking for something cheap (cost-effective), the answer must include spot instances, SQS for throttling and perhaps S3 RRS or Glacier.
  • There were at least two questions where I was simply forced to propose the AWS Data Pipeline. Yeah, the obscure and rarely-seen Data Pipeline service, in the age when Lambda solves the same problem way more efficiently. No, Lambda was not an option at all and it didn’t appear anywhere in the test.

Parting thoughts

The CSA-Pro exam is long. Not hard or tough but just insanely and sadistically long. The style of questions is super unfriendly for non-native English speakers, as scenarios purposefully ramble and meander before posing a question. Two minutes per wall of text keeps the pressure high and I do feel sorry for great methodical and analytical architects that want to re-read the question three times to get it just right — causing them to run out of time. The test is absolutely rigged against introverted non-English speakers with a high quality bar and a structured method of problem solving. It is clear that psychometricians — if they were involved at all — never worked with quiet risk-averse IT architects that deliver excellent work but require more time than caffeinated escalation engineers with fast and snappy judgements.

But here is my real beef with AWS CSA-Pro: the exam offered practically no validation of any IT architectural skills required to build AWS solutions. Perhaps I’m a spoiled grumpy old man, but as a certified master architect (three times, no less) I expected at least some questions on business requirements gathering (What would you need to know before designing a cloud solution?), anything on architectural patterns (machine learning, API publishing, controlling swarms), anything on architectural traceability or at least some validation of architectural depiction of solutions… Nope, nope and nope. :-(

Instead of architecture, there are lots of troubleshooting questions, extensive amounts of operational monitoring discipline and copious technical deep-dives into obscure depths of AWS services. Towards the end of the exam I was questioning myself: how does AWS actually define the profile and competencies of an architect? A proficient escalation engineer or L3 support person can pass this test as well as me, but they still won’t know how to bridge business requirements with correct cloud architectural patterns. Where is architecture?

In conclusion: the exam is hard, it is interesting and provides a fine and tough experience if you are interested in seeing what is beyond AWS CSA-Associate level. Just don’t expect that the process of preparing for CSA-Pro will make you a better architect for cloud solutions. It won’t. You will need to look for another certification if you want to validate that.