Gamify your cloud journey: How AWS Jam(s) are created and why they matter

In today’s fast-paced digital landscape, gamified learning has emerged as a powerful tool to engage and empower individuals in their professional development. AWS Jam is a unique form of immersive learning in the cloud computing domain that offers an engaging approach to developing AWS skills. This blog post explores the inner workings of AWS Jam and examines the reasons why this innovative learning experience is ideal for cloud enthusiasts, professionals, and organizations alike.

Through AWS Jam, learners immerse themselves in simulated, real-world scenarios, applying their AWS knowledge and problem-solving abilities in a dynamic, competitive environment. AWS Jam is available in AWS Skill Builder, our online learning center, which also provides 600+ free, self-paced digital courses, and subscription-based offerings including AWS Jam, AWS Builder Labs, AWS Cloud Quest, and more, helping learners of all skill levels build knowledge of AWS services and best practices.

About AWS Jam

AWS Jam challenges individuals and teams to put their AWS Cloud skills to the test. By solving real-world, open-ended problems using various AWS services, participants develop their expertise through simulated use cases within an AWS Management Console sandbox.

Learners select challenges based on technical domains, roles, and difficulty levels, empowering them to tailor their learning experience to their specific needs and interests. Clues are available to help navigate the challenges, encouraging participants to explore and experiment while providing a safety net to support their problem-solving journey.

AWS Jam guides learners to use established AWS best practices to solve the challenges, enabling them to verify and enhance their skills in the AWS Cloud. Participants can complete a wide range of tasks, from common AWS use cases to operational scenarios, with only clues to guide them. The gamified approach adds an engaging element, as learners earn points for each completed task and can lose points if they choose to use a clue, fostering a spirit of friendly competition during team events.

AWS Jam offers two distinct experiences – one for teams, AWS Jam for Teams, to foster collaboration and another for individuals, and AWS Jam Journeys, to develop their AWS skills independently. The team-based Jam event promotes shared learning and creativity, while the individual Jam challenges focus on specific AWS domains and best practices.

Gamified learning

Gamified learning is a powerful approach that transforms the learning experience into an engaging, interactive, and rewarding journey. By incorporating game-like elements, such as points, leaderboards, and challenges, helps to address common problems faced by learners, such as lack of motivation, difficulty in retaining information, and the need for immediate feedback. This approach taps into the human desire for competition, achievement, and a sense of progress, ultimately leading to enhanced knowledge retention, improved problem-solving skills, and a more enjoyable learning experience.

Behind the scenes

Now that you know what AWS Jam is, how to participate, and its benefits, let’s dive into how an AWS Jam is created and functions. Understanding the behind-the-scenes implementation of AWS Jam can help you leverage similar techniques and best practices for your own projects and environments. From a technical standpoint, AWS Jam represents an excellent use case for Infrastructure-as-Code. This approach can be applied by our customers in various scenarios and industries:

• In the Training and Education sector, customers can leverage the same AWS services and techniques used in AWS Jam to build lab environments and hands-on exercises for students.
• Using Infrastructure-as-Code, customers can efficiently provision and manage resources within AWS accounts at scale. This approach simplifies the creation of environments for specific use cases—such as proofs of concept, demos, or controlled experimentation—by pre-configuring them with the necessary services and permissions, while also ensuring consistency and governance across multiple accounts.

By adopting these practices, you can streamline the management and deployment of your AWS resources, ensuring efficiency and scalability.

The scenario

Each challenge in an AWS Jam has a unique use case designed to mimic common problems, use cases, and operational tasks that we see with customers. We work backwards from these common problems and learning objectives to create the scenario and different tasks. Some common topics include remediation at scale, automation, forensics, incident response, AI/ML, DevOps, and Compliance.

The pre-built environment

Most challenges start with a prebuilt environment or application. This can be an application of a mock-customer that is running. To create these environments for each JAM account, we build an AWS CloudFormation template. CloudFormation is a service that helps you model and set up your AWS resources as infrastructure as code, so you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources you want, and CloudFormation takes care of provisioning and configuring those resources for you.

Figure 1: Visual representation of the different steps to launch an AWS CloudFormation stack for an AWS Jam challenge’s environment

As mentioned, for each AWS Jam challenge there will be a CloudFormation (CFN) template created. This YAML (Yet Another Markup Language) template will be used to launch the challenge’s AWS environment within brand new AWS account.

You don’t need to individually create and configure AWS resources and figure out what’s dependent on what CFN handles this. This CFN template will be deployed via an admin role that AWS manages within the AWS account. This is different from the participant AWS Identify and Access Management (IAM) policy that we will dive into later.

Having a secure CFN template is key to a smooth and educational challenge experience. This means we aim to restrict permissions of your resources to only what’s necessary for your challenge within the CFN template. For example, when creating an EC2 instance, we ensure it has only the necessary ingress/egress access needed for the challenge. This practice is also recommended to customers using CFN templates.

Using infrastructure as code for repeatable tasks allows us to quickly spin up lab environments for end-users and reduces errors. This approach also enables customers to organize their infrastructure into reusable modules, version control their infrastructure, and perform code reviews on templates, decreasing the chances of errors. There are many other use cases for CFN templates, such as spinning up repeatable environments in multiple regions or accounts, disaster recovery, backup, or ensuring infrastructure meets compliance requirements by using predefined, approved templates.

If you are new to AWS CloudFormation, we recommend you to look at the following training courses in AWS Skill Builder:

• Getting started with AWS CloudFormation is a 20-minute, free self-paced fundamental level digital course, intended for AWS Cloud Practitioners interested in learning how to manage their infrastructure as code. This course explains the purpose and functionality of CloudFormation and lists some typical use cases. It shows you the cost structure, what it would take to implement and how to use it from the AWS Management Console and AWS CLI.
• AWS CloudFormation Stacks – Troubleshooting is a 30-minute, free self-paced fundamental level digital course, intended for engineers who are creating AWS resources using CloudFormation. In this course, you will learn how to view important information about AWS CloudFormation stacks. Use this information to help troubleshoot common issues and provide effective support case details if you need to escalate to Amazon Web Services (AWS) Support.
• Using AWS CloudFormation for Automation Lab is a 30-minute, self-paced fundamental level lab available in AWS Skill Builder subscription and is intended for architects, cloud operators, developers, DevOps engineers and infrastructure engineers. You’ll get hands-on experience using AWS CloudFormation, Amazon Elastic Compute Cloud (Amazon EC2) and the AWS Command Line Interface (CLI). You’ll review an incomplete CloudFormation template, update it, and create a CloudFormation stack and verify that the user data processed successfully.
• Launching and Managing a Web Application with AWS CloudFormation Lab is a two-hour, self-paced intermediate level lab in AWS Skill Builder subscription and is intended for architects, developers and DevOps engineers. You’ll create an Amazon Simple Storage Service (S3) bucket using AWS CloudFormation, provision a simple PHP web application using an Amazon Linux AMI, apply an AWS CloudFormation template to an existing application, modify an existing application using AWS CloudFormation and add IAM roles and Elastic Load Balancing to the application using AWS CloudFormation.

The permissions

Lab accounts are part of an AWS Organization with strict Service Control Policies (SCP) on them, ensuring multiple layers of protection, only permitting the use of AWS services and actions necessary for any AWS Jam challenge.

Participants sign into the account as an IAM Role with a restricted set of permissions through IAM policies. This IAM role allows access to the AWS environment via single sign-on access from the JAM environment, using the associated Access Key, Secret Key, and Session token necessary to assume the role via CLI and/or script. The JSON IAM policy for participants adheres to the principle of least privilege meaning it must only allow the minimum set of permissions necessary for a participant to complete the challenge.

This approach serves two main purposes:

• Participants should not be able to edit or view parts of the challenge that would allow them to get the answer without completing the necessary tasks. This mirrors best practices in real environments where access to sensitive data is restricted. For example, you might want to limit access to your storage or databases as certain information in here to be visible to every employee in your company.
• It prevents participants from spinning up unnecessary resources after an event has ended, thus preventing unnecessary costs. We have seen this practice applied at many customers where they put an explicit deny for the execution of more expensive actions or APIs, such as making compute reservations, spinning up large instance types or databases.

You will notice when playing a Jam that many actions or information will result in an access denial. When solving a challenge, if you see this, be ensured the action you’re trying to take is not necessary to solve the challenge. Additionally, actions outside of a lab’s target regions are also blocked by default with an explicit deny by the Service Control Policy (SCP) and cannot be allowed. By implementing these practices, we ensure that the Jam experience follows the principle of least privilege, maintaining security and cost-effectiveness.

If you are new to AWS Organizations or AWS Identity and Access Management (IAM), we recommend you to look at the following training courses on AWS Skill Builder:

• AWS Organizations Getting Started is a one-hour free, self-paced fundamental level course intended for individuals who want to better understand how AWS Organizations can help them operate AWS solutions at scale. You’ll learn the benefits and technical concepts of AWS Organizations and review the basics of Organizations and the business challenges it can solve.
• Introduction to AWS Identity and Access Management (IAM) is a 10-minute free, self-paced fundamental level course intended for AWS Cloud Practitioners interested in learning how to manage their identity and access management in AWS. You’ll learn how IAM can be used for authentication and authorization to AWS service and, how and when to use IAM policies and IAM roles.
• Deep Dive Security: AWS Identity and Access Management (IAM) is an eight-hour free, self-paced advanced level course intended for security professionals with working knowledge of AWS or users with an AWS account looking to build their knowledge of IAM. You’ll dive deep into AWS IAM and best practices for using IAM policies. It also covers advanced concepts, such as identity federation, temporary credentials, AWS Single Sign-On, and ways to troubleshoot access issues.
• Introduction to AWS Identity and Access Management Lab is a 45-minute, self-paced, fundamental lab in AWS Skill Builder subscription and is intended for architects, developers and security engineers. You’ll gain hands-on experience using AWS IAM including how to manage access and permission to AWS services. You’ll practice the steps to add users to groups, manage passwords, log-in with IAM-created users and see the effects of IAM policies on access to specific services.
• Troubleshooting IAM Access Issues Lab is a one-hour, self-paced, intermediate level lab in AWS Skill Builder subscription and is intended for architects, cloud operators, DevOps engineers and security engineers. This lab demonstrates the concept of assuming an AWS Identity and Access Management (IAM) role from the Management Console.

The validation process

To check if players complete a challenge, the environment needs a validation process. For AWS Jams, there are four ways to validate if the player completed the challenge:

• Via an AWS Lambda function:  the Jam platform invokes a Lambda function to check if the task is completed without requiring participant input.
• Via a Lambda Function with Input: Participants enter an input value, and the Jam platform supplies a Lambda function with this input to check task completion.
• Via a Dynamic Answer: Participants enter an answer unique to each instance of the challenge task, provided to the Jam platform via a CloudFormation stack output parameter.
• Via a Global Static Answer: Participants enter a predetermined answer that is the same for every instance of this challenge task.

As you can see, Lambda functions play a crucial role in validating the completion of tasks. You can use AWS Lambda to validate certain resources being created or changed in your account. You can do it by following these two steps:

• Step 1: Create a Lambda Function: Write a Lambda function to validate if the participant successfully set up the resources or configurations. Let’s take an example, imagine you want to check if Lambda function “NAME-LAMBDA” is triggered by an Amazon Simple Storage Service (S3) bucket as event source. In that case we need to write a validation Lambda function that checks if this configuration for the “NAME-LAMBDA” function is successfully implemented. An example of such a function can be found below.
• Step 2: Set Up the Event Source: In order for my validation Lambda function to be triggered, I need to set up an event source. There are two ways to set this up. One option is to use the API call logs in AWS CloudTrail as an event source and use Amazon EventBridge to capture specific API calls and trigger the lambda function. This allows us to only trigger the Lambda function when certain resources are changed, which can result in a more cost-efficient trigger. A second option would be to opt for periodic checks with EventBridge. You can set up EventBridge to trigger a Lambda function at regular intervals (e.g., every 1 minute) to perform checks.

import boto3
 
def lambda_handler(event, context):
    s3 = boto3.client('s3')
    lambda_client = boto3.client('lambda')
    function_name = 'NAME-LAMBDA'
    
    # List all buckets
    buckets = s3.list_buckets()
    
    # Check each bucket's event notification configuration
    for bucket in buckets['Buckets']:
        bucket_name = bucket['Name']
        try:
            notification = s3.get_bucket_notification_configuration(Bucket=bucket_name)
            
            # Check for Lambda function configurations
            if 'LambdaFunctionConfigurations' in notification:
                for config in notification['LambdaFunctionConfigurations']:
                    if config['LambdaFunctionArn'].split(':')[-1] == function_name:
                        print(f"S3 bucket {bucket_name} is configured to trigger Lambda function {function_name}.")
                        return {"status": "success", "message": f"S3 bucket {bucket_name} is configured to trigger Lambda function {function_name}."}
        except Exception as e:
            print(f"Error getting notification configuration for bucket {bucket_name}: {e}")
    
    print(f"No S3 buckets are configured to trigger Lambda function {function_name}.")
    return {"status": "failure", "message": f"No S3 buckets are configured to trigger Lambda function {function_name}."}

This Lambda function performs the following steps:

1. Lists all S3 buckets in the account.
2. Iterates through each bucket to retrieve its notification configuration.
3. Checks if any Lambda function configurations in the notification configuration match the specified Lambda function name (NAME-LAMBDA).
4. Returns a success message if a matching configuration is found or a failure message if no matching configuration is found.

Using Lambda functions in this way ensures that resources are created and modified according to the predefined rules and requirements, providing real-time validation and feedback to participants.

If you are new to AWS Lambda, we recommend you to look at the following resources on AWS Skill Builder:

• AWS Lambda Foundations is a two-hour free, self-paced fundamental level course, intended for Cloud architects and developers. In this course you will learn how AWS Lambda works and how to write and configure Lambda functions. You will explore deployment and testing considerations and finally end with a discussion on monitoring and troubleshooting Lambda functions.
• Introduction to AWS Lambda Lab is a 45-minute self-paced, fundamental level lab in AWS Skill Builder subscription, intended for developers. It demonstrates the basic steps required to get started to create and deploy a Lambda function in an event-driven environment.
• Update Security Groups Automatically Using AWS Lambda Lab is a one-hour, self-paced intermediate level lab in AWS Skill Builder subscription and is intended for architects and security engineers. This lab will present a solution, among many, to enhance your security. This lab walks through a method to automatically update your Virtual Private Cloud (VPC) Security Groups to only allow access from Amazon CloudFront and AWS Web Application Firewall (WAF). Defining Security Groups rules this way prevents malicious requests from by-passing AWS WAF security rules and accessing your EC2 instances directly.

Call to action

Are you interested to participate in an AWS Jam alone or with your team? You can access the AWS Jam for individuals, available with AWS Skill Builder subscriptions, or the AWS Jam for teams via an AWS Skill Builder Team subscription. We also recommend to keep an eye on our event pages for any live Jams. Reinforce your team’s learning by adding an additional day of team-based gamified learning to your classroom training with AWS Jam.

Additionally, follow the AWS Training and Certification Blog for our monthly course launch updates (published the last week of each month) and AWS Skill Builder for all the latest training offerings.