Free and Premium Amazon Web Services SOA-C02 Dumps Questions Answers

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

Graphical user interface, application, Teams Description automatically generated

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks:

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service:

 AWS Config Managed Rule for S3 Logging:

The s3-bucket-logging-enabled AWS Config rule checks whether S3 buckets have logging enabled.

Steps:

Go to the AWS Management Console.

Navigate to AWS Config.

Create a rule using s3-bucket-logging-enabled.

Add a remediation action using an AWS Lambda function or Systems Manager Automation runbook.

AWS Config Managed Rules

 Using AWS Lambda for Remediation:

Create a Lambda function that enables logging on S3 buckets.

Steps:

Write a Lambda function in Python or Node.js to enable logging.

Configure the function to trigger on non-compliant buckets.

For an RDS instance that needs high availability and automatic failover capabilities, setting it up as a Multi-AZ deployment is the most effective solution:

Multi-AZ Deployment: This feature allows Amazon RDS to automatically provision and manage a synchronous standby replica of your database in a different Availability Zone (AZ). The primary DB instance and the standby replica contain the same data, providing data redundancy and fail-safe mechanism.

Automatic Failover: In the event of a planned or unplanned outage of your primary DB instance (including DB instance failure, AZ failure, or network failure), RDS automatically fails over to the standby so that database operations can resume quickly without administrative intervention.

Data Integrity: This setup ensures no data loss for committed transactions, as the standby replica is always in sync with the primary.

By enabling Multi-AZ deployment, you ensure that your database environment has high availability and robustness, addressing both disaster recovery and operational continuity without losing any committed transactions.

To achieve maximum cost savings and flexibility for a 24/7 running application across different AWS regions and operating systems, the best approach is to use a Compute Savings Plan. Compute Savings Plans provide the most flexibility by automatically applying to any EC2 instance usage regardless of instance family, size, OS, tenancy, or AWS Region, and also apply to AWS Fargate and AWS Lambda usage.

Understand Compute Savings Plans:

Compute Savings Plans offer significant savings over On-Demand prices, with the flexibility to use the compute option that best suits your needs.

Purchase a Compute Savings Plan:

Login to the AWS Management Console.

Navigate to the Savings Plans section.

Choose Purchase Savings Plan and select Compute Savings Plan.

Define the hourly commitment amount and the term length (one or three years).

Monitor and Optimize Usage:

Ensure that your usage aligns with the Savings Plan to maximize savings.

Use AWS Cost Explorer and Savings Plans Utilization reports to monitor usage.

Savings Plans

Compute Savings Plans

Adding a Route to the Route Tables:

When new subnets are created, they need appropriate routing to ensure communication with on-premises networks.

Steps:

Go to the AWS Management Console.

Navigate to VPC.

Select the route table associated with the new subnets.

Choose "Edit routes."

Add a new route with the destination CIDR block of the on-premises network.

For the target, select the virtual private gateway (VGW).

This ensures that traffic destined for the on-premises network is routed correctly through the VPN connection.

AWS VPC Route Tables

To address high I/O requirements during the bootstrap process, increasing both IOPS and throughput on the EBS volume is recommended:

Increase EBS Volume IOPS: Enhances the instance’s ability to handle multiple read and write operations per second, essential for data-heavy tasks like downloading Docker images.

Increase EBS Volume Throughput: Provides higher data transfer rates, reducing bottlenecks during intensive I/O operations.

Increasing instance size is unnecessary if the primary issue is disk I/O, and changing from Nitro-based instances would not address the underlying storage performance need.

To securely connect to Amazon S3 buckets from Amazon EC2 instances over a private connection without incurring additional costs, you can use a gateway VPC endpoint for S3. This method allows you to create a single gateway VPC endpoint for all S3 buckets in the same region, ensuring secure, private communication.

Create a Gateway VPC Endpoint:

Navigate to the VPC console.

In the navigation pane, choose "Endpoints" and then click "Create Endpoint".

Select "AWS services" and then choose "com.amazonaws..s3" from the service name dropdown.

Select the VPC in which to create the endpoint and the appropriate route tables.

Click "Create endpoint".

Update the Route Tables:

The gateway VPC endpoint will automatically update the selected route tables to include routes that direct S3 traffic through the endpoint.

Ensure that the route tables associated with your subnets include routes for the S3 service pointing to the gateway VPC endpoint.

Verify the Configuration:

Ensure that instances in the VPC can access the S3 buckets using private IP addresses.

Check the routing configuration to confirm that traffic to S3 is routed through the gateway VPC endpoint.

Gateway VPC Endpoints for Amazon S3

Creating a Gateway Endpoint

To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.

Store Content in S3 with Public Access Blocked:

Ensure the S3 bucket has public access blocked.

Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.

To ensure that the Auto Scaling group scales out when CPU utilization rises above 50%, the administrator should configure the Auto Scaling group to dynamically scale based on demand. This is achieved by setting up a scaling policy that triggers based on specific CloudWatch alarms—like CPU utilization exceeding 50%. This dynamic scaling method directly responds to changes in workload, ensuring that resources are allocated efficiently and promptly as demand increases. Option C is the correct answer, aligning with best practices for managing EC2 Auto Scaling based on real-time metrics. Further guidance is available in AWS documentation on dynamic scaling Dynamic Scaling for EC2.

When receiving an InstanceLimitExceeded error in a participant account of a shared VPC, you need to request an instance quota increase from the participant account.

Requesting a Quota Increase:

Open the AWS Service Quotas console in the participant account.

In the navigation pane, choose "AWS services" and select "Amazon EC2."

Select the quota you need to increase, such as "Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances."

Click "Request quota increase" and specify the desired limit.

Quota Management in AWS Organizations:

While shared VPCs allow resources to be used across accounts, quota limits are still managed per account.

Each participant account must manage its own quotas independently.

Service Quotas

Requesting a Quota Increase

To ensure CloudTrail is re-enabled immediately if it is disabled, you can use AWS Config with an automatic remediation action.

Create AWS Config Rule:

Configure an AWS Config rule that triggers when there are changes to the CloudTrail configuration.

Increasing the amount of memory for the Lambda function will help to improve the performance of the function. This is because the Lambda function is CPU-intensive and increasing the memory will give it access to more CPU resources and help it run faster. The other options (activating hyperthreading in the CPU launch options for the Lambda function, turning off the AWS managed encryption, and loading the required code into a custom layer) will not help to improve the performance of the Lambda function and are not the correct solutions for this issue.

Content-MD5 Header:

The Content-MD5 header provides an MD5 checksum of the object being uploaded. Amazon S3 uses this checksum to verify the integrity of the object.

Steps:

When uploading an object to S3, calculate the MD5 checksum of the object.

Include the Content-MD5 header with the base64-encoded MD5 checksum value in the upload request.

This ensures that S3 can detect if the object is corrupted during the upload process.

PUT Object - Amazon Simple Storage Service

HTTP 502 errors from CloudFront can occur because of the following reasons:

There's an SSL negotiation failure because the origin is using SSL/TLS protocols and ciphers that aren't supported by CloudFront.

There's an SSL negotiation failure because the SSL certificate on the origin is expired or invalid, or because the certificate chain is invalid.

There's a host header mismatch in the SSL negotiation between your CloudFront distribution and the custom origin.

The custom origin isn't responding on the ports specified in the origin settings of the CloudFront distribution.

The custom origin is ending the connection to CloudFront too quickly.

To automate the execution of a Python script every night efficiently:

Convert Python Script to Lambda:

Create an AWS Lambda function and upload the Python script.

Ensure the function has the necessary IAM permissions to perform the required maintenance tasks.

To maintain a documented trail of any changes made to the security groups and receive notifications, AWS Config is the best solution.

AWS Config:

AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

You can set up AWS Config to record changes to your security groups.

Setting Up AWS Config:

Open the AWS Config console and choose "Set up AWS Config."

Select the resource types you want to record (in this case, security groups).

Specify an Amazon S3 bucket to store configuration snapshots and history files.

Notifications:

Create an Amazon SNS topic for notifications about configuration changes.

Subscribe the SysOps administrator's email address to the SNS topic.

AWS Config

Setting Up AWS Config

To host a static website on Amazon S3, the SysOps administrator needs to configure the bucket for public access and set up the static website hosting. Here's how to complete this process:

Turn off "Block all public access": Amazon S3 buckets have "Block all public access" settings enabled by default for security. Since the webpage needs to be accessible publicly, this setting must be disabled. This step is crucial to allow public read access to the web content.

Set a bucket policy: After disabling "Block all public access," set a bucket policy that explicitly allows public read access to the S3 bucket. This policy should allow the s3:GetObject action for everyone, which can be set by specifying "Principal": "*". This policy ensures that anyone can view the webpage but does not grant permissions to modify or delete the content.

Create an index.html document and configure static website hosting: The next step is to create an index.html file, which will serve as the entry point of the website. After creating this file, upload it to the bucket. Then, configure the bucket for static website hosting through the S3 management console. This setting enables the S3 bucket to serve the webpage directly from the index.html file.

Combining these actions, the S3 bucket will be properly configured to host and serve the static website with minimal operational overhead and maximum accessibility.

Amazon S3 Cross-Region Replication (CRR) is a feature that automatically replicates objects across AWS regions. When CRR is configured, certain aspects are replicated by default, and some are not. Here are the details:

Objects in the source S3 bucket for which the bucket owner does not have permissions: CRR does not replicate objects for which the bucket owner does not have permissions.

Objects that are stored in S3 Glacier: Objects in the S3 Glacier storage class are not replicated by CRR.

Objects that existed before replication was configured: Only objects created or modified after the replication configuration will be replicated. Objects that existed before the configuration are not replicated by default.

Object metadata: CRR replicates the object metadata along with the object to ensure that the replica in the destination bucket is as accurate as possible.

Amazon S3 Cross-Region Replication

Replication Configuration Examples

To meet the requirements of storing and rotating database credentials monthly and handling write-intensive traffic with variable client connections, you can use AWS Secrets Manager and Amazon RDS Proxy.

AWS Secrets Manager for Credential Rotation:

Open the AWS Secrets Manager console at AWS Secrets Manager Console.

Store the database credentials as a new secret and configure automatic rotation for every 30 days.

AWS Secrets Manager will handle the rotation process and update the secret with new credentials.

Amazon RDS Proxy for Connection Management:

Open the Amazon RDS console at Amazon RDS Console.

Create an RDS Proxy for the PostgreSQL DB instance.

Configure the proxy to handle the connection pooling and manage the connections efficiently.

The proxy will help manage the database connections, reduce the overhead on the database, and improve performance during peak loads.

This solution ensures that database credentials are securely stored and rotated automatically while handling increased database connections effectively.

AWS Secrets Manager

Using AWS Secrets Manager to Rotate Amazon RDS Database Credentials

Amazon RDS Proxy

Using AWS CloudFormation stack sets allows you to manage CloudWatch alarms across multiple accounts efficiently:

Create Stack Set: Use a CloudFormation template that defines the required CloudWatch alarms and configures them to publish alerts to an SNS topic.

Specify SNS Topic: Ensure the SNS topic is located in the logging account and has the necessary permissions set to receive publications from all accounts in the organization.

Deploy Across Organization: Implement the stack set across all accounts, ensuring centralized management and standardized deployment.

AWS Documentation Reference:

Learn more about deploying resources with CloudFormation StackSets: Working with AWS CloudFormation StackSets.

If users are unable to connect to a specific Ubuntu EC2 instance using AWS Systems Manager Session Manager while other instances are accessible, the issue is likely due to IAM permissions:

Instance Profile Permissions: Ensure that the EC2 instance has the necessary IAM permissions to interact with Systems Manager. The AmazonSSMManagedInstanceCore managed policy includes permissions required for the SSM Agent on the instance to communicate with the AWS Systems Manager service.

Attach Managed Policy: Attach the AmazonSSMManagedInstanceCore policy to the IAM role that is associated with the Ubuntu instance's instance profile. This step is crucial as it authorizes the instance to use Systems Manager services, including Session Manager.

Verify Configuration and Connectivity: After updating the instance profile, verify that users can connect via Session Manager. This solution does not require any changes to network security settings like security groups.

By ensuring that the instance has the appropriate IAM permissions, you resolve issues related to access control and Systems Manager functionality, allowing authorized personnel to connect securely without using SSH or RDP.

AWS Secrets Manager is the recommended and native solution for managing secrets such as RDS DB credentials, with built-in support for automatic password rotation.

From Secrets Manager RDS integration documentation:

Secrets Manager supports automatic rotation for Amazon RDS databases. You can configure rotation for the master user credentials using a predefined Lambda rotation function provided by AWS.

This is the least operational effort option:

No custom Lambda code required

Seamlessly integrates with RDS

Fully managed password rotation

To manage incomplete multipart uploads in an Amazon S3 bucket, creating an S3 Lifecycle rule to specifically address these uploads is the most effective method. The rule can be configured to automatically delete expired multipart upload parts, which helps in cleaning up unused data and reducing storage costs. Option A is correct as it directly addresses the requirement to manage incomplete uploads effectively. Reference on setting up S3 Lifecycle policies can be found here Amazon S3 Lifecycle.

When using Amazon S3 Object Lock configured in governance mode, deleting objects before their retention period ends requires specific permissions. To bypass these governance restrictions, the administrator must:

C: Assume a role that has the s3:BypassGovernanceRetention permission. This permission allows the role to override the governance mode restrictions.

D: Include the x-amz-bypass-governance-retention:true header in the delete request. This header is necessary to programmatically bypass the governance retention settings when making a delete request via the AWS CLI or SDK. These steps enable the deletion of objects under governance mode retention without waiting for the retention period to expire, addressing the need to remove unintended data uploads effectively. For further details, refer to the AWS documentation on S3 Object Lock Amazon S3 Object Lock.

For predictable, significant traffic increases during a specific time period every day:

EC2 Auto Scaling Group: Set up an Auto Scaling group for the EC2 instances running the web application. This group automatically adjusts the number of instances based on policies defined.

Scheduled Scaling Policy: Use a scheduled scaling policy to pre-emptively increase the number of instances before the expected increase in traffic each day. Scheduled scaling allows you to specify the scaling actions to occur at specific times, based on known or expected demand patterns.

Attach to ALB: Ensure the Auto Scaling group is attached to the Application Load Balancer, which will distribute incoming traffic across the dynamically adjusted pool of EC2 instances.

This approach ensures that the application scales up resources ahead of the expected load, maintaining performance and user experience without manual intervention.

To ensure all EC2 instances have the required tags and terminate any noncompliant instances, AWS Config can be used to check the compliance, and AWS Systems Manager Automation can be invoked to take action on noncompliant instances.

Create AWS Config Rule:

Open the AWS Config console at AWS Config Console.

Create a new rule to check for the required tags on EC2 instances. Use the managed rule required-tags.

Create AWS Systems Manager Automation Document:

Open the AWS Systems Manager console at AWS Systems Manager Console.

Create an Automation document to terminate noncompliant instances.

Link AWS Config Rule to Automation:

In the AWS Config console, configure the rule to invoke the Systems Manager Automation document if an instance is found to be noncompliant.

AWS Config Rules

AWS Systems Manager Automation

AWS Config Managed Rules

"You can add tags to resources when you create the resource. You can use the resource's service console or API to add, change, or remove those tags one resource at a time. To add tags to—or edit or delete tags of—multiple resources at once, use Tag Editor. With Tag Editor, you search for the resources that you want to tag, and then manage tags for the resources in your search results."

This solution is operationally efficient and leverages AWS services to provide notifications when the Lambda function is not invoked, indicating that the file did not arrive.

Steps:

Create a CloudWatch Alarm:

Open the Amazon CloudWatch console.

In the navigation pane, choose "Alarms" and then "Create Alarm".

Select Lambda Metrics:

Choose "Select metric" and then navigate to "AWS Lambda" metrics.

Select the Lambda function that processes the S3 files.

Choose the "Invocations" metric.

Configure the Alarm:

Set the period to 1 hour.

Define the threshold condition to trigger when the Invocations metric is zero.

Under "Additional configuration", configure the alarm to treat missing data as "breaching".

Set Alarm Actions:

Configure the alarm action to send a notification to an Amazon SNS topic.

Create an SNS topic if one does not exist, and subscribe the application team to this topic.

Testing and Verification:

Ensure that the alarm triggers correctly by simulating a missing file scenario and confirming that the notification is sent to the SNS topic.

This approach uses CloudWatch to monitor the invocation frequency of the Lambda function, ensuring that the application team is notified whenever the expected file does not arrive within the specified timeframe.

Split-tunnel routing allows you to specify that only the traffic destined for your VPC is routed through the VPN tunnel. All other internet traffic is routed through the user’s local network.

Steps:

Open the Client VPN Console:

Sign in to the AWS Management Console.

Open the Amazon VPC console.

Modify the Client VPN Endpoint:

Select the Client VPN endpoint.

Choose "Modify Client VPN endpoint".

Enable the "Split-tunnel" option.

Update Route Table:

Ensure that the route table associated with the Client VPN endpoint routes traffic destined for the VPC IP range to the appropriate target (e.g., VPC subnet).

This configuration ensures that only traffic destined for resources in the VPC is sent over the VPN tunnel, while other traffic uses the user’s local internet connection.

"When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. Validated log files are invaluable in security and forensic investigations"

After increasing the size of an Amazon EBS volume, the operating system must be configured to use the additional space. For a Windows instance, you need to extend the file system using disk management tools.

Open Disk Management:

Connect to your Windows EC2 instance using RDP.

Open the Disk Management tool by right-clicking the Start button and selecting Disk Management.

Extend the Volume:

Locate the EBS volume that was resized.

Right-click on the volume and select Extend Volume.

Follow the Extend Volume Wizard to allocate the newly available space to the file system.

Verify the New Size:

After extending the volume, verify that the file system reflects the increased storage capacity.

Modifying the Size, IOPS, or Throughput of an EBS Volume

Extending a Windows File System After Resizing a Volume

To minimize costs while moving from EC2 instances to AWS Fargate, Compute Savings Plans are the most flexible and cost-effective option. Compute Savings Plans apply to a variety of compute services including AWS Fargate, Amazon EC2, and AWS Lambda, allowing for greater flexibility in managing costs as the company transitions to using only Fargate.

Compute Savings Plans:

Savings Plans provide significant savings over On-Demand pricing, up to 66% savings.

Compute Savings Plans offer the flexibility to move across instance types, AWS Regions, and operating systems.

Payment Options:

The No Upfront payment option provides the most flexibility and avoids large upfront capital expenditures.

The Partial Upfront payment option offers more savings but requires an initial payment.

1-Year Term:

A 1-year term is suitable for the company's 6-month transition period, allowing for cost savings without a long-term commitment.

AWS Savings Plans

Compute Savings Plans

To fix the "403 Forbidden - Access Denied" error when accessing a static website hosted on Amazon S3, you need to ensure that the objects in the bucket have the appropriate permissions for public access. Here’s how to do it:

Login to AWS Management Console:

Open the Amazon S3 console at Amazon S3 Console.

Navigate to the Bucket:

In the S3 console, select the bucket hosting the static website.

Add a Bucket Policy:

Go to the Permissions tab.

Choose Bucket Policy and add the following policy to grant public read access to all objects in the bucket:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::your-bucket-name/*"

}

]

}

Save the Policy:

After adding the policy, save the changes.

This policy ensures that all objects in the bucket are publicly accessible, resolving the 403 Forbidden error.

Hosting a Static Website on Amazon S3

Bucket Policy Examples

Step-by-Step Explanation:

AWS Budgets Overview:

AWS Budgets enables you to set custom cost and usage budgets, and it provides alerts when you exceed those thresholds. It is designed for cost management with minimal operational overhead.

Recurring Cost Budget Creation:

Go to the AWS Budgets Console.

Select Create a budget.

Choose the Cost budget option.

Define whether this budget tracks actual costs or forecasted costs (you will create two budgets, one for each).

Configure the Budget Thresholds:

Set your budget thresholds for both actual costs and forecasted costs.

For example:

Actual Costs Alert: Budget = $1000, Alert at 80% usage ($800).

Forecasted Costs Alert: Budget = $1000, Alert at forecasted usage exceeding 80% ($800).

Alert Configuration:

In the budget creation process, enable Notifications and Actions.

Specify the email addresses or an Amazon SNS Topic to receive alerts.

Set up alerts for both:

Actual Cost Exceeding Budget.

Forecasted Cost Exceeding Budget.

Amazon SNS Setup:

If using an SNS topic, ensure an Amazon SNS topic is created.

Grant appropriate permissions for the Budget service to publish to the SNS topic.

Add subscribers (e.g., email addresses or endpoints) to the SNS topic.

Automation and Monitoring:

Once set up, AWS Budgets continuously monitors actual and forecasted costs.

Alerts are sent automatically when thresholds are breached, reducing manual overhead and reliance on periodic monitoring.

Why This is the Best Option (Least Operational Overhead):

AWS Budgets directly integrates with SNS, allowing real-time alerts without building custom workflows or parsing reports.

It is a native AWS service specifically designed for cost tracking, minimizing complexity and setup time.

No custom code or additional services like Lambda or Step Functions are required, reducing operational maintenance.

For routing based on the user's geographic location to comply with data residency requirements, the best solution is to use Amazon Route 53 geolocation routing policy. This policy allows you to configure DNS responses based on the geographic location of the user, ensuring that requests are directed to specific AWS Regions that align with the company’s data residency requirements. Option C is correct. The AWS Route 53 documentation provides details on implementing geolocation routing policies Amazon Route 53 Geolocation Routing.

The best combination of steps to meet this requirement is to sign in to the new account by using root user credentials and change the support plan, and to create an IAM user that has administrator privileges in the new account.

Signing in to the new account by using root user credentials will allow the SysOps administrator to access the account and change the support plan to AWS Business Support. Additionally, creating an IAM user that has administrator privileges in the new account will ensure that the SysOps administrator has the necessary access to manage the account and make changes to the support plan if necessary.

This is the most operationally efficient solution that meets the requirements, as it will allow the company to monitor the number of times that the web server returns an HTTP 404 response in real-time. The other solutions (creating a CloudWatch Logs subscription filter, an AWS Lambda function, or a script) will require additional steps and resources to monitor the number of times that the web server returns an HTTP 404 response.

A metric filter allows you to search for specific terms, phrases, or values in your log events, and then to create a metric based on the number of occurrences of those search terms. This allows you to create a CloudWatch Metric that can be used to create alarms and dashboards, which can be used to monitor the number of HTTP 404 responses returned by the web server.

If the MFA device for the root user is lost, you can regain access to the AWS account by using email and phone verification. AWS Support provides a process to recover root account access.

Recover Root Account Access:

Go to the AWS sign-in page and choose Root user.

Enter the root user email address.

On the MFA prompt page, choose Troubleshoot MFA.

Follow the prompts for email and phone verification to verify your identity.

Set Up a New MFA Device:

Once you regain access, navigate to the IAM console at IAM Console.

Go to the Users section and select the root user.

Set up a new MFA device.

Change the Root User Password:

It is recommended to change the root user password after recovering access for security reasons.

Enabling and Managing Virtual MFA Devices (AWS Management Console)

Troubleshooting Multi-Factor Authentication

Applying SCPs to an Organizational Unit:

Service Control Policies (SCPs) allow you to manage permissions for multiple AWS accounts within an organization.

Steps:

Go to the AWS Management Console.

Navigate to AWS Organizations.

Create an Organizational Unit (OU) if not already created.

Move the target accounts into the OU.

Create an SCP that denies the use of the specific EC2 instance family.

Attach the SCP to the OU.

This approach ensures that the policy is applied consistently across all accounts in the OU.

AWS Organizations SCPs

To view the cost details of each project in an AWS account using Cost Explorer, you need to activate cost allocation tags and tag the resources with a project identifier.

Activate Cost Allocation Tags:

Navigate to the AWS Billing and Cost Management console.

In the navigation pane, choose "Cost allocation tags".

Select the tags you want to activate (e.g., "Project") and click "Activate".

Tag Resources with Project Identifier:

Go to the AWS Management Console for each service where resources are deployed (e.g., EC2, S3, RDS).

For each resource, add a tag with the key "Project" and a value that identifies the project (e.g., "ProjectA").

Ensure that all relevant resources are tagged appropriately.

View Cost Allocation in Cost Explorer:

Navigate to the Cost Explorer console.

Use the "Group by" option to group costs by the "Project" tag.

Review the cost details for each project based on the tags applied to the resources.

Using Cost Allocation Tags

Analyzing Your Costs with Cost Explorer

Scaling Policies in Auto Scaling:

When multiple scaling policies trigger at the same time, each policy is executed independently.

If both policies are set to add 5 instances when CPU utilization reaches 80%, they will both be executed when the threshold is met.

Therefore, the total number of instances added will be the sum of the instances specified in both policies.

In this case, 5 instances from one policy and 5 instances from the other policy will result in a total of 10 instances being added.

Steps to Configure and Verify Scaling Policies:

Go to the AWS Management Console.

Navigate to EC2 and select "Auto Scaling Groups."

Select your Auto Scaling group and review the scaling policies.

Ensure that both scaling policies are configured to trigger at 80% CPU utilization.

Monitor the Auto Scaling group's activity to verify the addition of instances when the CPU utilization threshold is reached.

Scaling Policies for Amazon EC2 Auto Scaling

To supply documentation of Payment Card Industry Data Security Standard (PCI DSS) compliance for the infrastructure managed by AWS, the SysOps administrator should download the applicable reports from the AWS Artifact portal.

AWS Artifact:

AWS Artifact is a service that provides on-demand access to AWS’ security and compliance reports and select online agreements.

It includes compliance reports for standards such as PCI DSS, SOC, ISO, and more.

Steps to Access Reports:

Open the AWS Management Console.

Navigate to the AWS Artifact console.

Browse and download the PCI DSS compliance report.

Providing Documentation:

Download the relevant PCI DSS reports and provide them to the auditors as required.

AWS Artifact

PCI DSS Compliance

To secure the S3 bucket and allow access only from CloudFront, the following steps should be taken:

Create an OAI in CloudFront:

In the CloudFront console, create an origin access identity (OAI) and associate it with your CloudFront distribution.

 Enable Access Logging for the ALB:

Access logging provides detailed information about requests sent to your load balancer.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Load Balancers."

Select your Application Load Balancer.

Under the "Attributes" tab, enable "Access logs."

Specify an S3 bucket where the logs will be saved.

Enable Access Logs for Your Load Balancer

 Use Amazon Athena to Query the ALB Logs:

Athena allows you to run SQL queries on data stored in S3.

Steps:

Go to the AWS Management Console.

Navigate to Athena.

Create a table for the ALB logs using the appropriate schema.

Run queries to calculate the total bytes sent and received, grouped by the target

field.

Example query:

SELECT target, SUM(received_bytes) as total_received, SUM(sent_bytes) as total_sent

FROM alb_logs

GROUP BY target, port

AWS Config is the best service to automatically manage and remediate S3 bucket permissions that violate corporate policies against public access. AWS Config continuously monitors and records AWS resource configurations and allows you to create rules that trigger automatic responses when public access configurations are detected. This approach is highly operationally efficient as it automates compliance and enforcement of security policies without manual intervention. Option A is correct. AWS Config can be used to assess, audit, and evaluate the configurations of AWS resources, including S3 buckets. Reference AWS Config.

The policy provided includes two statements:

The first statement explicitly denies the Update:* action on resources with a LogicalResourceId that begins with "Production".

The second statement allows the Update:* action on all resources.

In AWS IAM policy evaluation logic, explicit denies always take precedence over allows. Therefore, the effect of this policy is that users can update all resources in the stack except for those with a logical ID that begins with "Production".

To restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only, and ensure all traffic is over the AWS private network, the SysOps administrator should create a VPC endpoint for the S3 bucket and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

Create a VPC Endpoint for S3:

Open the VPC console.

Choose "Endpoints" and then "Create Endpoint."

Select the service name "com.amazonaws.[region].s3."

Choose the VPC and the subnets where the EC2 instances reside.

Configure the route tables to include the VPC endpoint.

Create an S3 Bucket Policy:

Open the S3 console and select the bucket.

Go to the "Permissions" tab and edit the bucket policy.

Add a condition to the policy to allow access only from the VPC endpoint.

Example policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:*",

"Resource": [

"arn:aws:s3:::your-bucket-name",

"arn:aws:s3:::your-bucket-name/*"

],

"Condition": {

"StringEquals": {

"aws:sourceVpce": "vpce-12345678"

}

}

}

]

}

Amazon S3 VPC Endpoints

Amazon S3 Bucket Policies

To ensure high availability and failover for RDS, converting the instance to a Multi-AZ deployment is the best practice. Multi-AZ configurations provide automated standby in a different Availability Zone, automatically failing over to the standby in case of instance or Availability Zone issues.

Modify DB instance: AWS allows for seamless conversion of an existing Single-AZ RDS instance to a Multi-AZ deployment, making it more resilient to outages without requiring significant application changes.

Failover mechanism: In Multi-AZ, failover is managed automatically by AWS, minimizing application downtime.

To reduce costs effectively for jobs that are flexible in their scheduling and have a clear, predictable runtime:

Spot Instances with Defined Duration (Spot Blocks): Spot Instances offer significant discounts compared to On-Demand pricing. For workloads like the described jobs that have a predictable duration (slightly less than 2 hours), requesting Spot Instances with a defined duration (also known as Spot Blocks) is ideal. This option allows you to request Spot Instances guaranteed to not be terminated by AWS due to price changes for the duration specified.

Cost Efficiency: This method ensures that the instances will run for the duration required to complete the jobs without interruption, unless AWS experiences an exceptional shortage of capacity. The cost savings compared to On-Demand Instances can be substantial, especially for regular, predictable workloads.

Risk Mitigation: Although Spot Instances can be interrupted, using them with a defined duration reduces the risk of interruptions within the set time frame, making them suitable for jobs that can tolerate a restart in rare cases of interruption after the block time expires.

This strategy combines cost savings with the performance requirements of the jobs, making it an optimal choice for tasks that are not time-critical but need completion within a predictable timeframe.

Amazon EC2 and Availability Zones:

EC2 instances are tied to a specific Availability Zone within a region. Moving an instance directly is not possible.

Creating an Amazon Machine Image (AMI) allows the instance to be recreated in another Availability Zone.

Steps to Migrate an EC2 Instance to a New Availability Zone:

Create an AMI:

Open the EC2 Console.

Select the EC2 instance you want to migrate.

Choose Actions > Image and templates > Create Image.

Configure the AMI creation settings and create the image.

Launch a New Instance:

Navigate to the AMI section in the EC2 Console.

Select the newly created AMI.

Click Launch Instance from Image.

Specify the new Availability Zone during the instance configuration.

Terminate the Original Instance:

After validating that the new instance is functioning correctly, terminate the original instance to avoid additional costs.

Why Other Options Are Incorrect:

A: Directly copying an instance to another AZ is not supported.

C: There is no AWS CLI command to move an EC2 instance between AZs.

D: Stopping and modifying the AZ of an existing instance is not possible.

Improve S3 Upload Performance:

Using multiple bucket prefixes can improve throughput by allowing parallel upload streams.

Steps:

Modify the application to write files to different prefixes in the S3 bucket.

Example: Instead of writing all files to s3://bucket-name/, write to s3://bucket-name/prefix1/, s3://bucket-name/prefix2/, etc.

Best Practices for Amazon S3 Performance

AWS WAF (Web Application Firewall) is designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can help mitigate cross-site scripting (XSS) vulnerabilities by allowing users to create rules to filter specific types of HTTP requests.

Create a Web ACL:

Go to the AWS WAF & Shield console.

Click "Create web ACL" and specify a name and the AWS resource to protect (e.g., an Application Load Balancer).

Add Rules to Mitigate XSS:

Within the Web ACL, add a new rule.

Select "Rule builder" and choose a rule type. For mitigating XSS, use "AWS Managed Rules" or create a custom rule.

AWS Managed Rules include a predefined set for XSS that you can enable.

Configure the XSS Rule:

If using a custom rule, configure it to inspect requests and block any that contain XSS patterns.

Use regular expressions or specific patterns to identify malicious scripts.

Deploy the Web ACL:

Once configured, save the Web ACL.

Associate it with your Application Load Balancer or CloudFront distribution to start filtering requests.

Monitor and Adjust:

Monitor the requests being blocked by AWS WAF.

Adjust the rules as necessary to ensure legitimate traffic is not affected and the application remains protected.

AWS WAF Developer Guide

AWS WAF Managed Rules

Amazon CloudFront is a global content delivery network (CDN) service that delivers your content with low latency and high transfer speeds. By distributing the static content (images and videos) to CloudFront edge locations, users in the United States and Europe can access the content from the nearest edge location, significantly improving the load times.

Create a CloudFront Distribution:

Open the Amazon CloudFront console at Amazon CloudFront Console.

Choose Create Distribution and select Web.

Specify the S3 bucket as the origin where your static content is stored.

Configure Distribution Settings:

Configure the settings, such as cache behaviors and SSL/TLS settings.

Optionally, configure additional features like geo-restriction and logging.

Update DNS Configuration:

Update your DNS records to point to the CloudFront distribution. This can be done via Amazon Route 53 or your DNS provider.

Monitor Performance:

Use CloudFront reports and logs to monitor the performance and adjust configurations if needed.

Amazon CloudFront Overview

Creating a CloudFront Distribution

To give the application the ability to resolve internal domain names, the SysOps administrator should create an Amazon Route 53 Resolver outbound endpoint and configure it to forward DNS queries to the on-premises DNS server.

Route 53 Resolver Outbound Endpoint:

An outbound endpoint enables DNS queries to be forwarded from AWS resources in a VPC to an on-premises DNS server.

Steps to Implement:

In the Route 53 console, create a new outbound endpoint in the VPC.

Configure the outbound endpoint with the IP address of the on-premises DNS server.

Update the VPC DNS settings to use the Route 53 Resolver.

Route 53 Resolver Endpoints

Creating an Outbound Endpoint

Step-by-Step Explanation:

Understand the Problem:

A user cannot upload an object to an S3 bucket using a presigned URL, even though the URL is valid and the bucket has no policy applied.

Analyze the Requirements:

Determine the cause of the issue preventing the upload via the presigned URL.

Evaluate the Options:

Option A: The user has not properly configured the AWS CLI.

CLI configuration is not relevant to using a presigned URL.

Option B: The SysOps administrator does not have the necessary permissions.

The administrator's permissions are required to generate a valid presigned URL with sufficient permissions.

Option C: A bucket policy is required.

A bucket policy is not necessary if the presigned URL has the correct permissions.

Option D: The object has already been uploaded.

A presigned URL remains valid until it expires or the specified permissions are revoked.

Select the Best Solution:

Option B: Ensuring that the SysOps administrator has the necessary permissions to upload objects to the S3 bucket is crucial for generating valid presigned URLs.

Amazon S3 Presigned URLs

IAM Policies for Amazon S3

The SysOps administrator must have the necessary permissions to upload objects to the S3 bucket, ensuring that the presigned URL generated allows the user to upload successfully.

Ensuring that all the EC2 instances have an instance profile with Systems Manager access is the most effective way to fix this issue. Having an instance profile with Systems Manager access will allow the SysOps administrator to configure the inventory collection for all the instances in the subnet, regardless of whether or not they are managed by Systems Manager.

To share Amazon RDS database snapshots between different accounts while ensuring all data is encrypted at rest, follow these steps:

Update the KMS Key Policy:

Navigate to the AWS KMS console.

Select the KMS key used to encrypt the RDS snapshots.

Update the key policy to grant the relevant AWS accounts permission to use the key.

To meet the requirement of using only IPv6 for all EC2 instances while allowing outbound internet access and preventing inbound internet access, an egress-only internet gateway is the correct solution. An egress-only internet gateway allows outbound communication over IPv6 and blocks inbound communication, ensuring that the instances can access the internet but are not directly accessible from the internet.

Create an Egress-Only Internet Gateway:

Open the Amazon VPC console at Amazon VPC Console.

In the navigation pane, choose Egress-only internet gateways.

Choose Create egress-only internet gateway, and then attach it to your VPC.

Create a Custom Route Table:

In the VPC console, navigate to Route Tables.

Create a new route table or select an existing one.

Add a route with the destination set to ::/0 (which represents all IPv6 addresses) and the target set to the egress-only internet gateway.

Attach the Route Table to IPv6-Only Subnets:

Associate the route table with the IPv6-only subnets in your VPC.

This configuration ensures that your IPv6-only EC2 instances can access the internet while being protected from inbound internet traffic.

Egress-Only Internet Gateways

IPv6 Addresses

Objective:

Provision Spot Instances with the highest availability while using a wide range of instance types.

Capacity Optimized Strategy:

The capacity optimized strategy ensures that Spot Instances are launched from the pools with the highest available capacity at the time of the request.

This approach minimizes the likelihood of interruptions and increases the chances of launching the desired capacity.

Steps to Implement:

In the Auto Scaling group configuration, set the Spot Allocation Strategy to Capacity Optimized.

Define multiple instance types in the launch template to allow flexibility.

AWS References:

Spot Allocation Strategies:Spot Instance Allocation Strategies

Capacity Optimized Details:Capacity Optimized Spot Instances

Why Other Options Are Incorrect:

Option A: Simply launching up to maximum capacity does not address availability concerns.

Option B: The diversified strategy spreads instances across Spot pools but does not prioritize capacity.

Option D: Spot Instance Advisor provides recommendations but is not a direct allocation strategy.

A CloudFormation stack in the DELETE_FAILED state typically indicates that some resources could not be deleted. One common reason is that S3 buckets in the stack still contain objects.

Steps:

Identify the Failed Resources:

Open the AWS CloudFormation console.

Select the stack in the DELETE_FAILED state.

Check the "Events" tab to identify the resource(s) that caused the failure.

Delete S3 Objects:

Open the Amazon S3 console.

Navigate to the bucket(s) listed in the CloudFormation events.

Delete all objects in the bucket. You can use the S3 console, AWS CLI, or an S3 batch operation to delete the objects.

Retry Stack Deletion:

After clearing the S3 bucket(s), go back to the CloudFormation console.

Select the stack and choose "Delete" to retry the deletion process.

Step-by-Step Explanation:

Understand the Problem:

Manage a database password securely and rotate it every 90 days.

Analyze the Requirements:

Ensure secure management and automatic rotation of the database password.

Minimize manual intervention and risk of exposing the password.

Evaluate the Options:

Option A: Use the AWS SecretsManager Secret resource with the GenerateSecretString property.

Secrets Manager can automatically generate a strong password.

The RotationSchedule resource defines a rotation schedule to rotate the password every 90 days.

Option B: Use the AWS SecretsManager Secret resource with the SecretString property.

Requires accepting a password as a CloudFormation parameter and does not automate password generation.

Option C: Use the AWS SSM Parameter resource.

AWS Systems Manager Parameter Store can store secure strings, but it does not support automatic rotation.

Option D: Use the AWS SSM Parameter resource without secure string.

This option does not offer the security of Secrets Manager and does not support automatic rotation.

Select the Best Solution:

Option A: Using AWS Secrets Manager with the GenerateSecretString property and RotationSchedule resource ensures secure management and automatic rotation of the database password.

AWS Secrets Manager

Rotate AWS Secrets Manager Secrets

AWS Secrets Manager provides secure storage, automatic rotation, and seamless integration with applications for accessing secrets.

AWS provides a native integration with Slack via the AWS Support App, which allows:

Real-time updates for AWS Support cases in Slack

Replying to support cases and adding comments from Slack

Case creation and escalation from Slack

From the AWS Support App in Slack Documentation:

You must first authorize the Slack workspace in your AWS account using the AWS Support App setup process.

Then, add the specific Slack channel by specifying the channel ID and required case types (e.g., account, service limit, technical).

❌ Why the other options are incorrect:

A: Slack must authorize the workspace first, not just an AWS account.

C and D: Using SNS + EventBridge + Lambda is not necessary, as AWS provides a native Slack integration with full support case features.

Step-by-Step Explanation:

Understand the Problem:

Minimize potential data loss and recovery time for a MySQL database running on an Amazon EC2 instance.

Analyze the Requirements:

Reduce the risk of data loss.

Ensure quick recovery in the event of a database failure.

Aim for operational efficiency.

Evaluate the Options:

Option A: Create a CloudWatch alarm to invoke a Lambda function that stops and starts the EC2 instance.

This addresses system failures but does not help with minimizing data loss or ensuring database redundancy.

Option B: Create an Amazon RDS for MySQL Multi-AZ DB instance and use a MySQL native backup stored in Amazon S3.

RDS Multi-AZ deployments provide high availability and durability by automatically replicating data to a standby instance in a different Availability Zone.

Using a MySQL native backup stored in Amazon S3 ensures data can be restored efficiently.

Option C: Create an RDS for MySQL Single-AZ DB instance with a read replica.

This provides read scalability but does not ensure high availability or failover capabilities.

Option D: Use Amazon DLM to take hourly snapshots of the EBS volume.

This helps with backups but does not provide immediate failover capabilities or minimize downtime effectively.

Select the Best Solution:

Option B: Using Amazon RDS for MySQL Multi-AZ ensures high availability and automated backups, significantly minimizing data loss and recovery time.

Amazon RDS Multi-AZ Deployments

Backing Up and Restoring an Amazon RDS DB Instance

Using Amazon RDS for MySQL Multi-AZ provides a highly available and durable solution with automated backups, ensuring minimal data loss and quick recovery.

Monitoring EC2 Instances with CloudWatch:

Amazon CloudWatch provides monitoring and alarms for AWS resources.

Alarms can be created for metrics like CPUUtilization, and notifications can be sent to Amazon SNS topics.

Steps to Set Up the Solution:

Create an SNS Topic:

Open the Amazon SNS Console.

Create a topic (e.g., "CPU_Alerts").

Add subscriptions for the development team's email addresses.

Create a CloudWatch Alarm:

Open the CloudWatch Console.

Navigate to the Alarms section and select Create Alarm.

Choose the EC2 CPUUtilization metric and set the alarm conditions:

Metric: Average CPU Utilization

Threshold: 80%

Period: 5 minutes

Link the alarm to the SNS topic for notifications.

Test the Alarm:

Simulate high CPU utilization to verify that alerts are sent to the subscribed email addresses.

Why Other Options Are Incorrect:

A and B: Using Amazon SES directly for alerts is not a standard practice for operational efficiency or integration with CloudWatch.

C: Using "sum" instead of "average" for CPU utilization is not appropriate for real-time monitoring, as it aggregates data over a large interval.

The problem requires modifying the inbound SSH rule to restrict access to a list of trusted IPs instead of deleting it entirely. AWS Config rules can be configured with automatic remediation actions using either Systems Manager Automation runbooks or Lambda functions. However, AWS Systems Manager Automation runbooks are often more appropriate for managing infrastructure changes like security group modifications because they are reusable, parameterized, and easier to audit.

Create a Systems Manager Automation runbook: This runbook will contain steps to add or modify the existing security group rule, allowing SSH access only from the specified IP addresses.

Update the AWS Config rule: Modify the Config rule to call this new runbook for its automatic remediation. This will prevent deletion of the SSH rule and instead update it based on the IP list.

The Auto Scaling group’s MixedInstancesPolicy allows:

A combination of On-Demand and Spot Instances

Configuration of instance weighting, priorities, and pricing policies

Maintenance of minimum required instance count

From ASG with Mixed Instances documentation:

You can use MixedInstancesPolicy in an Auto Scaling group to launch a mix of On-Demand and Spot Instances, while ensuring availability and cost optimization.

This option enables:

3 On-Demand baseline instances (to meet the minimum requirement)

Bursting with 3 Spot Instances when pricing is favorable

Auto healing and scaling

The most operationally efficient solution is to use the organization ARN to share the AMI across all accounts within AWS Organizations.

AMI Sharing with Organization ARN: AWS allows you to share AMIs with an entire AWS Organization by specifying the organization’s ARN, simplifying access management for multiple accounts.

Efficient Management: This approach eliminates the need to share AMIs individually with each account or make them public, and it avoids the complexity of using snapshots.

Making the AMI public is not secure, and using AWS Marketplace or snapshots does not provide the operational efficiency required.

To generate a monthly report showing all S3 buckets and their compliance with the requirement to block public read access, the SysOps administrator can take the following steps:

Create an AWS Config Aggregator:

Create an AWS Config aggregator in an aggregator account. Use the organization as the source to aggregate AWS Config data across all accounts in the organization.

To send an email notification when an ACM certificate has less than 14 days until expiration, the most operationally efficient solution is to create an Amazon EventBridge rule that directly monitors AWS ACM for certificate expiry details. EventBridge can capture aws.acm events related to certificate expiration and evaluate the DaysToExpiry metric directly. Configure the rule to send notifications to an Amazon SNS topic when DaysToExpiry is less than 14, and subscribe the necessary email addresses to this SNS topic. This approach avoids the need for custom metrics or manual monitoring, providing a streamlined and automatic notification system. Option B is the correct answer as it leverages native integration between ACM, EventBridge, and SNS for minimal operational overhead. More details on EventBridge rules can be found in AWS documentation EventBridge Rules.

To optimize the routing of requests to the application for users in different geographic locations, use Amazon Route 53's latency-based routing:

Latency Routing Policy: Modify the Route 53 DNS settings for app.anycompany.com by changing the routing policy to latency. This policy routes user requests to the server that has the lowest latency relative to the user's location.

Configure Latency Records: Create latency records for each ALB—one for the ALB in us-west-2 and another for the new ALB in ap-southeast-2. Route 53 will automatically direct traffic to the endpoint that provides the lowest latency connection to the user.

Seamless User Experience: By using latency routing, the URL remains the same (app.anycompany.com), but the backend service location varies based on which endpoint is likely to respond the fastest. This setup provides a seamless experience for users, reducing latency without requiring any changes to how they access the application.

This method leverages Route 53's advanced DNS capabilities to ensure optimal performance and user experience by dynamically routing traffic based on geographic latency considerations.

To identify who is creating the Elastic IP addresses, the following steps should be taken:

Enable CloudTrail Logging:

Ensure AWS CloudTrail is enabled to log all API activities in your AWS account.

If you're using AWS Organizations, check the service control policies for any statements that explicitly deny Amazon S3 access. In particular, check the service control policies for statements denying the s3:PutBucketPolicy action.

If EC2 instances in one region (eu-central-1) need to access a database in another (us-east-1), and the database must remain only in us-east-1, the most operationally efficient solution is a VPC peering connection.

From the VPC Peering documentation:

Inter-Region VPC peering enables routing of traffic between VPCs in different AWS Regions using private IP addresses, without VPN or additional hardware.

Also:

You must manually update security group rules to allow traffic from the peered VPC.

So:

Create the VPC peering

Add the private IP range of the remote EC2 instances to the inbound rules of the database’s security group

Increasing the IOPS for the gp3 EBS volume will address the high VolumeQueueLength by allowing more read/write operations, directly improving performance for I/O-intensive tasks. ElastiCache and enhanced networking do not directly affect EBS performance for this issue.

To delete the AWS CloudFormation stack without deleting the DynamoDB table, you need to apply a deletion policy to the DynamoDB resource. The Retain deletion policy ensures that the specified resource is not deleted when the stack is deleted. Instead, it is retained.

Steps:

Modify the CloudFormation Template:

Add a deletion policy to the DynamoDB table resource.

json

Copy code

{

"Resources": {

"MyDynamoDBTable": {

"Type": "AWS::DynamoDB::Table",

"DeletionPolicy": "Retain",

}

}

}