Free and Premium Amazon Web Services SOA-C02 Dumps Questions Answers

To achieve a limited rollout of the new website to 20% of the company's customers using Amazon Route 53, a weighted routing policy is the most appropriate solution.

Weighted Routing Policy:

Weighted routing lets you associate multiple resources with a single domain name and choose how much traffic is routed to each resource.

Configuration:

Open the Route 53 console.

Select the hosted zone and choose "Create Record Set."

Create two records for your domain:

One record for the original resource with a weight of 80.

Another record for the new resource with a weight of 20.

References:

Amazon Route 53 Weighted Routing

RI discounts apply to accounts in an organization's consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account. The capacity reservation for an RI applies only to the account the RI was purchased on, no matter whether RI sharing is turned on or off.

AWS WAF (Web Application Firewall) is designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can help mitigate cross-site scripting (XSS) vulnerabilities by allowing users to create rules to filter specific types of HTTP requests.

Create a Web ACL:

Go to the AWS WAF & Shield console.

Click "Create web ACL" and specify a name and the AWS resource to protect (e.g., an Application Load Balancer).

Add Rules to Mitigate XSS:

Within the Web ACL, add a new rule.

Select "Rule builder" and choose a rule type. For mitigating XSS, use "AWS Managed Rules" or create a custom rule.

AWS Managed Rules include a predefined set for XSS that you can enable.

Configure the XSS Rule:

If using a custom rule, configure it to inspect requests and block any that contain XSS patterns.

Use regular expressions or specific patterns to identify malicious scripts.

Deploy the Web ACL:

Once configured, save the Web ACL.

Associate it with your Application Load Balancer or CloudFront distribution to start filtering requests.

Monitor and Adjust:

Monitor the requests being blocked by AWS WAF.

Adjust the rules as necessary to ensure legitimate traffic is not affected and the application remains protected.

References:

AWS WAF Developer Guide

AWS WAF Managed Rules

VPC peering allows two VPCs to communicate with each other securely. By configuring VPC peering between the two VPCs, the SysOps administrator will be able to give the EC2 instance in VPC1 the ability to connect to the database in VPC2. Once the VPC peering is configured, the EC2 instance will be able to communicate with the database using the private IP address of the DB instance in the private subnet.

To identify who is creating the Elastic IP addresses, the following steps should be taken:

Enable CloudTrail Logging:

Ensure AWS CloudTrail is enabled to log all API activities in your AWS account.

When setting up an AWS managed VPN connection and creating a customer gateway resource, if the customer gateway device resides behind a NAT device, you should use the public IP address of the NAT device. This is because the VPN connection from AWS will be established to the public IP address that AWS can reach.

Identify the Public IP Address of the NAT Device:

Determine the public IP address assigned to the NAT device in front of the customer gateway.

Create Customer Gateway Resource:

Navigate to the VPC console in the AWS Management Console.

In the navigation pane, choose "Customer Gateways" and then click "Create Customer Gateway".

Enter a name for the customer gateway.

For the "IP Address", enter the public IP address of the NAT device.

Configure VPN Connection:

Create a VPN connection by navigating to the "VPN Connections" section and clicking "Create VPN Connection".

Select the created customer gateway and complete the VPN setup wizard.

Update Routing and Configuration:

Ensure that the routing configurations on both the AWS side and the on-premises side are updated to route traffic through the VPN connection.

Configure the customer gateway device (behind the NAT) to accept traffic from the NAT device and route it appropriately.

References:

AWS Managed VPN Connections

Customer Gateway Resource

Cookies.html

You can configure each cache behavior to do one of the following: Forward all cookies to your origin – CloudFront includes all cookies sent by the viewer when it forwards requests to the origin. loadbalancing/latest/application/sticky-sessions.html

By default, an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm.

AWS WAF (Web Application Firewall) helps protect your web applications from common web exploits and bots. A rate-based rule allows you to control the rate of requests to your application.

Create a Global-Scoped AWS WAF Web ACL:

Navigate to the AWS WAF console.

Create a new Web ACL and choose "Global" for the scope.

Set the default action to "Allow".

Configure a Rate-Based Rule:

Within the Web ACL, add a new rule and select "Rate-based rule".

Define the rate limit (e.g., 2000 requests per 5 minutes).

Set the action to "Block".

Associate Web ACL with CloudFront Distribution:

After creating the Web ACL and rule, go to your CloudFront distribution settings.

In the "General" tab, associate the Web ACL with your CloudFront distribution.

Review and Confirm:

Review the configuration and ensure the Web ACL is correctly associated with the CloudFront distribution.

References:

AWS WAF Rate-Based Rules

Associating AWS WAF with CloudFront

If the MFA device for the root user is lost, you can regain access to the AWS account by using email and phone verification. AWS Support provides a process to recover root account access.

Recover Root Account Access:

Go to the AWS sign-in page and choose Root user.

Enter the root user email address.

On the MFA prompt page, choose Troubleshoot MFA.

Follow the prompts for email and phone verification to verify your identity.

Set Up a New MFA Device:

Once you regain access, navigate to the IAM console at IAM Console.

Go to the Users section and select the root user.

Set up a new MFA device.

Change the Root User Password:

It is recommended to change the root user password after recovering access for security reasons.

References:

Enabling and Managing Virtual MFA Devices (AWS Management Console)

Troubleshooting Multi-Factor Authentication

Since the EC2 instance is attempting to access the internet using HTTP (port 80) but is configured only to allow HTTPS (port 443) traffic, the security group needs adjustment:

Security Group Configuration: The outbound rules of the security group associated with the EC2 instance must allow traffic over HTTP. Add an outbound rule that enables port 80 to destination 0.0.0.0/0. This rule will allow the instance to send HTTP requests to any IP address on the internet.

Test Connectivity: After updating the security group, test the connectivity using the curl command again to ensure the configuration allows internet access via HTTP.

This change is necessary because the existing security group configuration does not permit outbound HTTP traffic, which is essential for accessing websites using HTTP.

For a disaster recovery (DR) plan with a 15-minute RTO and RPO, the most cost-effective steps include:

B: Configuring the Aurora cluster to replicate data to the DR region using the Aurora global database option. This allows continuous replication with typically low replication lag, meeting the 15-minute RPO requirement efficiently.

C: Pre-configuring the DR region with an ALB and an Auto Scaling group using the same configuration as the primary region. This ensures readiness and quick failover, aligning with the 15-minute RTO target.

These steps provide a robust disaster recovery setup that minimizes downtime and data loss while optimizing costs by using built-in AWS functionalities and avoiding over-provisioning. More information can be found in the AWS documentation on Aurora Global Databases Aurora Global Databases and disaster recovery planning AWS Disaster Recovery.

Using a Route 53 Resolver outbound endpoint allows DNS queries for on-premises hosts to be forwarded to the on-premises DNS server over the Direct Connect connection, minimizing maintenance and automating name resolution without the need for manual entry or file management.

The issue where EC2 instances show up as healthy in the Auto Scaling group but unhealthy in the ALB target group is likely due to the target group health check being configured with an incorrect port or path.

Health Checks:

ALB target groups use health checks to determine the health of instances. These health checks are configured with a specific port and path.

If the health check configuration does not match the actual application endpoint on the instances, the instances will fail the health check.

Troubleshooting Steps:

Verify the health check settings for the target group in the ALB. Ensure the port and path are correctly configured to match the application on the EC2 instances.

Adjust the settings if necessary and monitor the health status of the instances in the target group.

CloudWatch Metrics Explorer is a powerful tool for creating dynamic dashboards based on tags. This method is efficient for monitoring Auto Scaling groups:

Use Metrics Explorer: Navigate to the Metrics Explorer in the CloudWatch console and select the CPUUtilization metric. Use the aws:autoscaling:groupName tag to filter the metric, ensuring that it only shows data for EC2 instances within the specified Auto Scaling group.

Create Visualization: Configure the visualization settings as needed and add it to a CloudWatch dashboard.

Monitor Automatically: This setup will automatically update to include metrics from new EC2 instances that join the Auto Scaling group, without any need for manual intervention or scripting.

AWS Documentation Reference:You can learn more about using Metrics Explorer here: Using CloudWatch Metrics Explorer.

Step Scaling Policy:

Step scaling policies allow you to define scaling actions based on different levels of CloudWatch alarms.

Steps:

Go to the AWS Management Console.

Navigate to EC2 Auto Scaling.

Select your Auto Scaling group.

Create or edit a scaling policy and choose "Step scaling."

Define different steps based on CloudWatch alarm thresholds (e.g., CPU usage or request count).

Configure larger adjustments for higher thresholds and smaller adjustments for lower thresholds.

Example Configuration:

For CPU > 80%, increase capacity by 4 instances.

For CPU > 60%, increase capacity by 2 instances.

For CPU > 40%, increase capacity by 1 instance.

To effectively use Amazon CloudFront as a content delivery network for an application using an Application Load Balancer as the origin, several configuration steps need to be correctly implemented:

DNS Configuration: Ensure that the DNS records for the domain serving the content point to the CloudFront distribution's DNS name rather than directly to the ALB. If the DNS still points to the ALB, users' requests will bypass CloudFront, leading directly to the ALB and maintaining the existing load on your web servers.

TTL Settings: The Time to Live (TTL) settings in the CloudFront distribution dictate how long the content is cached in CloudFront edge locations before CloudFront fetches a fresh copy from the origin. If the TTL values are set to 0, it means that CloudFront does not cache the content at all, resulting in each user request being forwarded to the ALB, which does not reduce the load.

AWS Documentation Reference:For more information on DNS and TTL configurations for CloudFront, you can refer to the following AWS documentation:

Configuring DNS

CloudFront TTL Settings.

 Objective:

Publish VPC flow logs to Amazon CloudWatch Logs.

 Root Cause:

VPC flow logs require an IAM role with permissions to create log groups, log streams, and write logs to CloudWatch Logs.

If the logs:CreateLogGroup permission is missing, the flow log cannot create the required log group, and logs will not appear in CloudWatch.

 Solution Implementation:

Step 1: Verify the IAM role attached to the VPC flow logs.

Step 2: Add the following permissions to the IAM policy:

logs:CreateLogGroup

logs:CreateLogStream

logs:PutLogEvents

Step 3: Update the IAM role policy and retry creating flow logs.

 AWS References:

VPC Flow Logs Permissions:Permissions for VPC Flow Logs

 Why Other Options Are Incorrect:

Option B: logs:CreateExportTask is for exporting logs from CloudWatch to S3, not for creating log groups.

Option C: IPv6 addresses do not impact the publishing of flow logs to CloudWatch Logs.

Option D: VPC peering does not block flow log functionality.

To delete the AWS CloudFormation stack without deleting the DynamoDB table, you need to apply a deletion policy to the DynamoDB resource. The Retain deletion policy ensures that the specified resource is not deleted when the stack is deleted. Instead, it is retained.

Steps:

Modify the CloudFormation Template:

Add a deletion policy to the DynamoDB table resource.

json

Copy code

{

"Resources": {

"MyDynamoDBTable": {

"Type": "AWS::DynamoDB::Table",

"DeletionPolicy": "Retain",

}

}

}

The presigned URL expiration is the most common reason for access issues after some time. Additionally, if the SysOps administrator’s access key (used to generate the presigned URL) is invalid, the URL will no longer be usable. Block Public Access or ACL settings are irrelevant to presigned URLs.

Specifying the capacity-optimized allocation strategy for Spot Instances and adding more instance types to the Auto Scaling group is the best action to meet the requirements. Increasing the size of the instances in the Auto Scaling group will not necessarily help with the launch time or reduce interruptions, as the Spot Instances could still be interrupted even with larger instance sizes.

To refer to resources created by the first CloudFormation template in the second template with minimal administrative effort, using the export and import functionality is the most efficient approach.

Exporting Outputs in the First Template:

In the first CloudFormation template, add an Outputs section to export the required values.

Use the Export field to specify the name of the exported value.

Example:

Outputs:

VPCID:

Description: The VPC ID

Value: !Ref MyVPC

Export:

Name: VPCID

Importing Values in the Second Template:

In the second CloudFormation template, use the Fn::ImportValue function to import the exported values from the first template.

Example:

Resources:

MySubnet:

Type: AWS::EC2::Subnet

Properties:

VpcId: !ImportValue VPCID

Efficiency and Best Practices:

This method ensures a clean separation of resources and allows easy reference to outputs from other stacks.

It simplifies the management and deployment process by leveraging CloudFormation's built-in export and import mechanisms.

References:

AWS CloudFormation Exporting Stack Output Values

AWS CloudFormation Importing Values

To restrict EC2 resource deployment in a specific region and restrict root credentials usage:

Create Service Control Policies (SCPs):

Use AWS Organizations to create SCPs that restrict actions for all member accounts.

Create an SCP to deny the creation of EC2 instances in the ap-southeast-2 region.

Create an SCP to deny the use of root credentials in member accounts.

Step-by-Step Explanation:

Understand the Problem:

Ensure all users in the organization have read-level access to a specific S3 bucket.

The data should not be accessible outside the organization.

Analyze the Requirements:

Grant read access to users within the organization.

Prevent access from outside the organization.

Evaluate the Options:

Option A: Specify "*" as the principal and PrincipalOrgId as a condition.

This grants access to all AWS principals but restricts it to those within the specified organization using the PrincipalOrgId condition.

Option B: Specify all account numbers as the principal.

This is impractical for a large organization and requires constant updates if accounts are added or removed.

Option C: Specify PrincipalOrgId as the principal.

The PrincipalOrgId condition must be used within a policy, not as a principal.

Option D: Specify the organization's management account as the principal.

This grants access only to the management account, not to all users within the organization.

Select the Best Solution:

Option A: Using "*" as the principal with the PrincipalOrgId condition ensures all users within the organization have the required access while preventing external access.

References:

Amazon S3 Bucket Policies

AWS Organizations Policy Examples

Using "*" as the principal with the PrincipalOrgId condition efficiently grants read access to the S3 bucket for all users within the organization.

The default behavior of AWS CloudFormation when the creation of a resource fails is to roll back the stack and delete the stack.

Stack Creation Failure:

If any resource within the stack fails to create, CloudFormation rolls back the stack by deleting all the resources that were successfully created up to the point of failure.

This ensures that no partially created resources are left in the user's account.

Review the Events:

Open the CloudFormation console.

Select the stack and review the "Events" tab to identify the cause of the failure.

References:

AWS CloudFormation Stack Rollback

Troubleshooting AWS CloudFormation

To provision AWS accounts for each team with a defined baseline and governance guardrails in a scalable and efficient way, using AWS Control Tower is the best solution.

AWS Control Tower:

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on best practices.

It uses Account Factory, a feature that automates the creation of new AWS accounts with predefined configurations.

Creating Accounts with Control Tower:

Navigate to the AWS Control Tower console.

Use Account Factory to create a new account.

Customize the account template to include the necessary configurations, such as organizational units (OUs), guardrails, and baselines.

Advantages:

Ensures consistent security and compliance across all accounts.

Automates account creation and configuration, saving time and reducing errors.

References:

AWS Control Tower

Setting Up Account Factory

Using AWS Systems Manager Distributor and State Manager is an automated and scalable solution for managing software installation across EC2 instances.

Systems Manager Distributor: Allows packaging and distributing the auditing software across multiple Regions.

State Manager Association: Automates software installation on both existing and new instances, ensuring consistent deployment across all managed instances.

Manually connecting to instances or using Lambda is not scalable or efficient for this type of ongoing software management.

Storing the credentials in AWS Secrets Manager and configuring automatic rotation with a rotation interval of 30 days is the most efficient way to meet the requirements with the least operational overhead. AWS Secrets Manager automatically rotates the credentials at the specified interval, so there is no need for an additional AWS Lambda function or manual rotation. Additionally, Secrets Manager is integrated with Amazon RDS, so the credentials can be easily used with the RDS database.

To efficiently manage and automate the creation and termination of development environments:

AWS CloudFormation Templates:

Provide a standardized CloudFormation template for developers to create identical development environments.

Amazon FSx for Windows File Server provides a fully managed, highly available, and native Windows file system compatible with the SMB protocol, ideal for Windows workloads requiring shared access.

Multi-AZ File System: Ensures high availability across multiple Availability Zones.

Native Windows Capabilities: Allows instances to map file shares and access files using Windows storage features, offering strong consistency and performance for shared files.

Other options, like Amazon S3 and Amazon EFS, either lack native Windows integration or do not offer the desired consistency and high availability for shared file systems in a Windows environment.

To allow the TTL (Time to Live) of individual pages to vary while adhering to the maximum and minimum TTL settings configured for the Amazon CloudFront distribution, setting cache behaviors directly at the origin is most effective:

Use Cache-Control Headers: By configuring the Cache-Control: max-age directive in the HTTP headers of the objects served from the origin, you can specify how long an object should be cached by CloudFront before it is considered stale.

Integration with CloudFront: When CloudFront receives a request for an object, it checks the cache-control header to determine the TTL for that specific object. This allows individual objects to have their own TTL settings, as long as they are within the globally set minimum and maximum TTL values for the distribution.

Operational Efficiency: This method does not require any additional AWS services or modifications to the distribution settings. It leverages HTTP standard practices, ensuring compatibility and ease of management.

Implementing the TTL management through cache-control headers at the origin provides precise control over caching behavior, aligning with varying content freshness requirements without complex configurations.

Step-by-Step Explanation:

Understand the Problem:

The security team is concerned about the increasing number of IAM policies.

The task is to report on the current number of IAM policies and compare them to the service limits.

Analyze the Requirements:

The solution should help in checking the usage of IAM policies against the service limits.

Evaluate the Options:

Option A: AWS Trusted Advisor

AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

It includes a service limits check that alerts you when you are approaching the limits of your AWS service usage, including IAM policies.

Option B: Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It does not report on IAM policy usage.

Option C: AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. While useful for compliance, it does not provide a comparison against service limits.

Option D: AWS Organizations

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. It does not provide insights into IAM policy limits.

Select the Best Solution:

Option A: AWS Trusted Advisor is the correct answer because it includes a service limits check that can report on the current number of IAM policies in use and compare them to the service limits.

References:

AWS Trusted Advisor Documentation

IAM Service Limits

AWS Trusted Advisor is the appropriate tool for monitoring IAM policy usage and comparing it against service limits, providing the necessary insights to manage and optimize IAM policies effectively.

To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.

Store Content in S3 with Public Access Blocked:

Ensure the S3 bucket has public access blocked.

Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.

When an EC2 instance stops responding and the system status checks are failing, the recommended first step is to stop and then start the instance. This action will cause the instance to be moved to a new host, potentially resolving the underlying hardware issue.

Stop and Start the Instance:

In the AWS Management Console, navigate to the EC2 dashboard and stop the affected instance.

After the instance has stopped, start it again to launch it on a new host.

Objective:

Resolve the HTTP 403 (Access Denied) error for the public S3 static website.

Root Cause:

By default, S3 buckets are private, and public access is blocked due to the Block Public Access settings.

Additionally, a bucket policy is needed to allow public access to the objects.

Solution Implementation:

Step 1: Turn off Block Public Access:

Navigate to the Permissions tab of the S3 bucket in the AWS Management Console.

Turn off the Block Public Access settings by disabling the following:

Block public access to buckets and objects via ACLs.

Block public access to buckets and objects via bucket policies.

Step 2: Add a Bucket Policy for Public Access:

Add a policy allowing GetObject for public access:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::/*"

}

]

}

Step 3: Test Access:

Confirm that the website is accessible via the public URL.

AWS References:

Block Public Access Settings:S3 Block Public Access

Bucket Policies for Static Websites:Bucket Policy Examples

Why Other Options Are Incorrect:

Option A: Route 53 is not required to resolve the 403 error; the issue is with S3 bucket permissions.

Option C: Editing file permissions alone will not work; bucket permissions must also allow public access.

Option D: PutObject permissions are unnecessary for serving a static website.

Update AWS Account Name:

The AWS account name can only be changed by the root user of the account.

Steps:

Sign in to the AWS Management Console using the root user credentials.

Navigate to the "My Account" page.

Update the account name field and save the changes.

Cluster Placement Group:

Cluster placement groups are used to ensure low-latency networking between EC2 instances. They place instances physically close to each other within the same Availability Zone.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Placement Groups."

Create a new cluster placement group.

Back up the existing EC2 instance to an AMI.

Launch new EC2 instances from the AMI into the cluster placement group.

Ensure all instances are in the same Availability Zone.

The rejected traffic in the flow logs is due to the network ACL associated with the subnet not allowing outbound traffic for the ephemeral port range.

Network ACLs:

Network ACLs act as a firewall for controlling traffic in and out of one or more subnets.

By default, NACLs allow all inbound and outbound traffic, but custom NACLs require specific rules to allow traffic.

Ephemeral Ports:

Ephemeral ports are temporary ports used for client-side communication. The default range is 1024-65535.

Ensure that the network ACL allows outbound traffic on these ports.

Steps to Resolve:

Check the network ACL rules for the associated subnet.

Add outbound rules to allow traffic from the ephemeral port range (1024-65535).

References:

Amazon VPC Network ACLs

The most operationally efficient solution is to use the organization ARN to share the AMI across all accounts within AWS Organizations.

AMI Sharing with Organization ARN: AWS allows you to share AMIs with an entire AWS Organization by specifying the organization’s ARN, simplifying access management for multiple accounts.

Efficient Management: This approach eliminates the need to share AMIs individually with each account or make them public, and it avoids the complexity of using snapshots.

Making the AMI public is not secure, and using AWS Marketplace or snapshots does not provide the operational efficiency required.

Reuse templates to replicate stacks in multiple environments After you have your stacks and resources set up, you can reuse your templates to replicate your infrastructure in multiple environments. For example, you can create environments for development, testing, and production so that you can test changes before implementing them into production. To make templates reusable, use the parameters, mappings, and conditions sections so that you can customize your stacks when you create them. For example, for your development environments, you can specify a lower-cost instance type compared to your production environment, but all other configurations and settings remain the same. SCloudFormation/latest/UserGuide/best-practices.html#reuse

To prevent accounts from leaving an AWS Organization, an SCP that denies the LeaveOrganization action should be applied to the root organizational unit (OU).

Service Control Policy (SCP): By denying LeaveOrganization, member accounts are restricted from leaving the organization.

Root OU Application: Applying this policy at the root level ensures that no account in the organization can bypass it.

The RemoveAccountFromOrganization action pertains to removing an account by the organization’s management account rather than preventing member accounts from leaving. AWS Config’s account-part-of-organizations rule does not enforce this restriction but only monitors it.

Understand the Problem:

A user attempts to deploy a CloudFormation template to create an S3 bucket but the stack creation fails.

The user authenticates using Active Directory credentials.

Analyze the Requirements:

Identify permissions required for successful CloudFormation stack creation.

Evaluate the Options:

Option A: The user's IAM policy does not allow the cloudformation:CreateStack action.

Without this permission, the user cannot create CloudFormation stacks.

Option B: The user's IAM policy does not allow the cloudformation:CreateStackSet action.

StackSet is used for managing stacks across multiple accounts and regions, not relevant for a single stack creation.

Option C: The user's IAM policy does not allow the s3:CreateBucket action.

This permission is required to create an S3 bucket as part of the stack.

Option D: The user's IAM policy explicitly denies the s3:ListBucket action.

This permission is not required for bucket creation but for listing existing buckets.

Option E: The user's IAM policy explicitly denies the s3:PutObject action.

This permission is required to put objects in a bucket, not to create the bucket.

Select the Best Solution:

Option A and C: The user must have permissions for cloudformation:CreateStack and s3:CreateBucket to successfully create the stack and the S3 bucket.

References:

AWS CloudFormation Permissions

IAM Policies and Permissions

Ensuring the user has the required permissions for cloudformation:CreateStack and s3:CreateBucket is crucial for successful stack creation.

To ensure high availability and that instances are placed on distinct underlying hardware, a spread placement group should be used. Spread placement groups place instances on distinct hardware, reducing the risk of simultaneous failures.

Create Spread Placement Group:

Open the EC2 console at Amazon EC2 Console.

Navigate to Placement Groups in the sidebar.

Click Create placement group and select Spread for the strategy.

Launch Instances:

When launching new instances, select the placement group you created.

Ensure the instances are in the same AWS Region but spread across distinct hardware.

Verify Placement:

After launching, verify that the instances are in the spread placement group by checking the instance details in the console.

References:

Placement Groups

Creating a Spread Placement Group

Understand the Problem:

The requirement is to delete the CloudFormation stack without deleting the DynamoDB table.

Analyze the Requirements:

Ensure the DynamoDB table is preserved when the CloudFormation stack is deleted.

Evaluate the Options:

Option A: Add a Retain deletion policy to the DynamoDB resource.

The Retain policy ensures that the DynamoDB table is not deleted when the stack is deleted.

Option B: Add a Snapshot deletion policy to the DynamoDB resource.

Snapshot policy is not applicable to DynamoDB tables and would not retain the table itself.

Option C: Enable termination protection on the CloudFormation stack.

Prevents stack deletion entirely but does not specifically protect the DynamoDB table.

Option D: Update the IAM policy with a Deny statement for dynamodb:DeleteTable.

Prevents deletion of the table but is not a CloudFormation stack-specific solution.

Select the Best Solution:

Option A: Adding a Retain deletion policy to the DynamoDB resource in the CloudFormation stack ensures the table is preserved when the stack is deleted.

References:

AWS CloudFormation Deletion Policy

Using the Retain deletion policy ensures that the DynamoDB table is not deleted when the CloudFormation stack is deleted, preserving critical data.

Amazon CloudWatch Synthetics allows you to create canaries that monitor your endpoints and APIs. Canaries are scripts that run on a schedule to check your application’s availability and performance, and can detect issues before your customers do.

Create a CloudWatch Synthetics Canary:

Open the Amazon CloudWatch console at Amazon CloudWatch Console.

Navigate to Synthetics and choose Create Canary.

Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary run.

Configure the Canary:

Define the schedule for the canary to run (e.g., every minute).

Specify the endpoint URL of the website.

Configure the canary to check for specific errors or issues based on your requirements.

Create Alarms:

Set up CloudWatch alarms to notify you when the canary detects issues. You can configure the alarm to send notifications via Amazon SNS.

References:

Creating and Managing Canaries

CloudWatch Synthetics

FIFO queues don't support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the per-message delay and set DelaySeconds on the entire queue instead.

To minimize cost while maintaining immediate retrievability for files stored in Amazon S3, you can use S3 Lifecycle policies to transition objects to different storage classes based on their access patterns. Given that files are frequently accessed in the first 30 days and rarely accessed afterward, transitioning to S3 Standard-IA after 30 days is the most cost-effective solution.

Understand S3 Storage Classes:

S3 Standard: Suitable for frequently accessed data.

S3 Standard-Infrequent Access (S3 Standard-IA): Suitable for data that is less frequently accessed but requires rapid access when needed. It offers lower storage costs compared to S3 Standard but has a retrieval fee.

S3 One Zone-Infrequent Access (S3 One Zone-IA): Similar to S3 Standard-IA but stores data in a single Availability Zone, making it less resilient.

S3 Glacier: Suitable for archival storage where data retrieval time is not critical (minutes to hours).

Requirements and Solution:

Access Pattern: Frequent access in the first 30 days, rare access afterward.

Retrievability: Immediate access required for one year.

Cost Efficiency: Minimize storage costs after the first 30 days.

Implementing Lifecycle Policy:

Lifecycle Policy: Configure a lifecycle policy to transition objects to S3 Standard-IA after 30 days.

Step-by-Step Implementation:

Login to AWS Management Console:

Open the Amazon S3 console at Amazon S3 Console.

Navigate to the Bucket:

Select the bucket where the files are stored.

Configure Lifecycle Policy:

Go to the Management tab.

Choose Lifecycle and then + Add lifecycle rule.

Enter a rule name and scope (e.g., apply to all objects in the bucket or specific prefixes).

Under Lifecycle rule actions, choose Transition current versions of objects between storage classes.

Add a transition:

Days after object creation: 30

Storage class: S3 Standard-IA

Optionally, add expiration actions if objects should be deleted after a certain period.

Review and Save:

Review the configuration and save the lifecycle rule.

References:

Amazon S3 Storage Classes

Lifecycle Configuration Elements

Transitioning Objects Using Amazon S3 Lifecycle

To remediate the InsufficientInstanceCapacity error when scaling the Auto Scaling group, the SysOps administrator can take the following actions:

Change the Instance Type:

Insufficient capacity errors can occur if there is not enough available capacity for the specified instance type in the selected Availability Zone.

Changing to a different instance type might resolve the capacity issue.

To manage user accounts and permissions across multiple AWS accounts and integrate with an on-premises Active Directory, using AD Connector is the most operationally efficient solution. AD Connector serves as a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without storing any directory data in the cloud. This setup allows IAM Identity Center to use the existing corporate credentials, ensuring centralized management and seamless user access control. Option C perfectly meets these requirements by leveraging existing infrastructure with minimal changes. AWS documentation on AD Connector offers guidance AWS Directory Service AD Connector.

 Group EC2 Instances Using Resource Groups:

Resource groups help organize and manage AWS resources based on tags and other criteria.

Steps:

Go to the AWS Management Console.

Navigate to AWS Resource Groups.

Create resource groups for similar EC2 instances based on tags or other criteria.

For member accounts in AWS Organizations to receive notifications about estimated costs exceeding a predetermined amount, billing alerts must be enabled in the management/payer account.

Enable Billing Alerts in the Management Account:

Open the AWS Billing and Cost Management console at AWS Billing Console.

In the navigation pane, choose Billing preferences.

Under Billing preferences, ensure that Receive Billing Alerts is enabled.

Create a Budget and Set Up Notifications:

Open the AWS Budgets console at AWS Budgets Console.

Create a budget and configure it to monitor the estimated costs.

Set up notifications for when the budget thresholds are exceeded and specify the email addresses of the managers in the member accounts.

By enabling billing alerts in the management account, you allow member accounts to receive notifications about their estimated costs.

References:

Setting Up Alerts and Notifications

Creating an AWS Budget

To improve the high availability of an application that utilizes Amazon RDS and experiences failure when an Availability Zone becomes unavailable:

Multi-AZ Deployment for RDS: Enable Multi-AZ deployments for your Amazon RDS instance. This setting ensures that RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.

Automatic Failover: In the event of a primary RDS instance failure, RDS will automatically failover to the standby so that database operations can resume quickly with minimal disruption.

High Availability Configuration: This configuration not only enhances the robustness of the database component but also ensures that the application remains operational even if one Availability Zone is experiencing issues.

Enabling Multi-AZ for RDS is crucial for maintaining high availability and ensuring that the application remains resilient in the face of AZ disruptions.

AWS Compute Optimizer provides recommendations for optimizing the performance and cost of your AWS resources, including Lambda functions.

Steps:

Enable AWS Compute Optimizer:

Open the AWS Compute Optimizer console.

Choose "Get started".

Enable Compute Optimizer for your account.

View Lambda Function Recommendations:

After enabling Compute Optimizer, allow some time for data collection and analysis.

Navigate to the "Lambda Function Recommendations" section in the Compute Optimizer console.

Review the recommendations for your Lambda functions, which may include adjustments to memory size or other configurations to improve performance and reduce costs.

Export Recommendations:

In the Compute Optimizer console, you can export the recommendations to a CSV file for further analysis and action.

References:

AWS Compute Optimizer

Optimizing Lambda Function Configurations

To meet the requirement of consistent performance of 10,000 IOPS with the least cost, the SysOps administrator should use a General Purpose SSD (gp3) Amazon EBS volume:

General Purpose SSD (gp3) EBS Volume:

The gp3 volume type can be provisioned with the required IOPS without the need for additional capacity, making it a cost-effective solution compared to Provisioned IOPS SSD (io1) volumes.

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.

To reduce latency in data transfer among EC2 instances, especially in high-performance computing (HPC) applications or applications requiring low network latency, using a placement group is the best approach:

Understanding Placement Groups:

A placement group in Amazon EC2 is a logical grouping of instances within a single Availability Zone. Using placement groups, you can achieve low-latency network performance necessary for tightly coupled node-to-node communication.

Types of Placement Groups:

Cluster Placement Group: Instances are physically located close together in the same Availability Zone to provide low-latency network performance.

Partition Placement Group: Instances are divided into logical segments called partitions, reducing the likelihood of simultaneous failures.

Spread Placement Group: Instances are placed on distinct underlying hardware to reduce correlated failures.

Creating and Using a Placement Group:

You can create a placement group using the AWS Management Console, AWS CLI, or AWS SDKs.

When launching instances, specify the placement group to ensure they are launched within the same group.

aws ec2 create-placement-group --group-name my-placement-group --strategy cluster

aws ec2 run-instances --image-id ami-12345678 --count 4 --instance-type c5.large --placement GroupName=my-placement-group

Relocating Existing Instances:

Stop the instances, modify the placement group settings, and then restart them. Note that not all instance types are supported within placement groups, so check the documentation for compatibility.

References:

Placement Groups

Cluster Instances for Low-Latency

To remotely connect to the EC2 instance, the SysOps administrator must ensure that the security group allows inbound SSH traffic.

Modify the Security Group:

Navigate to the EC2 console.

Select the security group associated with the EC2 instance.

Add an inbound rule to allow SSH traffic (TCP port 22) from the SysOps administrator's IP address.

Example rule:

Type: SSH

Protocol: TCP

Port Range: 22

Source:

Step-by-Step Explanation:

Understand the Problem:

The application read performance degrades when user connections exceed 200.

Need to automatically scale the database based on user demand.

Analyze the Requirements:

Implement auto scaling based on user connections to ensure optimal performance.

Evaluate the Options:

Option A: Migrate to a new Aurora multi-master DB cluster.

Multi-master clusters provide read and write scalability but may require significant changes to the application.

Option B: Modify the DB cluster to serverless mode.

Aurora Serverless provides automatic scaling, but it is more suitable for variable workloads with unpredictable demand.

Option C: Create an auto scaling policy with a target metric of 195 DatabaseConnections.

This directly addresses the need to scale based on user connections.

Auto scaling can add or remove replicas to maintain optimal performance.

Option D: Increase the Aurora Replica instance size.

This may improve performance but does not address scalability for sudden increases in user connections.

Select the Best Solution:

Option C: Creating an auto scaling policy with a target metric of 195 DatabaseConnections ensures the DB cluster scales automatically to handle increased load.

References:

Amazon Aurora Auto Scaling

Scaling Aurora DB Instances

Auto scaling based on DatabaseConnections ensures the Aurora DB cluster maintains optimal performance as user demand fluctuates.

Step-by-Step Explanation:

Understand the Problem:

A user cannot upload an object to an S3 bucket using a presigned URL, even though the URL is valid and the bucket has no policy applied.

Analyze the Requirements:

Determine the cause of the issue preventing the upload via the presigned URL.

Evaluate the Options:

Option A: The user has not properly configured the AWS CLI.

CLI configuration is not relevant to using a presigned URL.

Option B: The SysOps administrator does not have the necessary permissions.

The administrator's permissions are required to generate a valid presigned URL with sufficient permissions.

Option C: A bucket policy is required.

A bucket policy is not necessary if the presigned URL has the correct permissions.

Option D: The object has already been uploaded.

A presigned URL remains valid until it expires or the specified permissions are revoked.

Select the Best Solution:

Option B: Ensuring that the SysOps administrator has the necessary permissions to upload objects to the S3 bucket is crucial for generating valid presigned URLs.

References:

Amazon S3 Presigned URLs

IAM Policies for Amazon S3

The SysOps administrator must have the necessary permissions to upload objects to the S3 bucket, ensuring that the presigned URL generated allows the user to upload successfully.

AWS CloudFormation StackSets Overview:

StackSets allows for deployment of CloudFormation stacks across multiple AWS accounts and Regions.

A stack instance in the "OUTDATED" status indicates that the stack template or parameters differ between the StackSet and the stack instance.

Why the Stack Instance Fails:

The "OUTDATED" status occurs when the stack operation (creation or update) was not successfully completed in a specific Region.

In this case, the most likely reason is that the stack has not yet been deployed in the specified Region.

Steps to Resolve:

Check the deployment status in the CloudFormation StackSets Console.

Identify the Region where the stack is in the "OUTDATED" status.

Retry the stack deployment for that Region by running a stack set update or stack instance operation.

Why Other Options Are Incorrect:

A: Local template changes do not impact CloudFormation unless submitted to AWS. This is unrelated to StackSets.

B: While creating a global resource might fail, it would result in an error status (e.g., "FAILED"), not "OUTDATED."

D: Using an old API version would cause errors in the API request, not affect the stack instance status.

References:

AWS CloudFormation StackSets Documentation

Troubleshooting StackSet Issues

Scaling Policies in Auto Scaling:

When multiple scaling policies trigger at the same time, each policy is executed independently.

If both policies are set to add 5 instances when CPU utilization reaches 80%, they will both be executed when the threshold is met.

Therefore, the total number of instances added will be the sum of the instances specified in both policies.

In this case, 5 instances from one policy and 5 instances from the other policy will result in a total of 10 instances being added.

Steps to Configure and Verify Scaling Policies:

Go to the AWS Management Console.

Navigate to EC2 and select "Auto Scaling Groups."

Select your Auto Scaling group and review the scaling policies.

Ensure that both scaling policies are configured to trigger at 80% CPU utilization.

Monitor the Auto Scaling group's activity to verify the addition of instances when the CPU utilization threshold is reached.

You are correct that an A record typically points to an IP address. However, in the case of an Application Load Balancer (ALB), you cannot use an A record with an IP address because the IP addresses of an ALB can change over time. Instead, you can use an alias record to point to the DNS name of the ALB. An alias record is a Route 53 extension to DNS that allows you to route traffic to selected AWS resources, such as an ALB, by using a friendly DNS name, such as example.com, instead of the resource’s IP address or DNS name.

To monitor traffic flows between ECS tasks, you need to use VPC Flow Logs and specify the awsvpc network mode in the task definition.

VPC Flow Logs:

VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.

Enable VPC Flow Logs on the elastic network interfaces (ENIs) used by the ECS tasks.

awsvpc Network Mode:

The awsvpc network mode gives each task its own ENI, allowing for more granular network monitoring and security controls.

This mode is required to capture detailed traffic flow information for each ECS task.

References:

VPC Flow Logs

Amazon ECS Task Networking

Problem Analysis:

The Cache-Control header (max-age=1 hour) conflicts with the CloudFront Maximum TTL setting (5 minutes).

CloudFront adheres to the lower of the two settings, leading to assets being cached for only 5 minutes.

Understanding Cache Behavior in CloudFront:

CloudFront evaluates headers such as Cache-Control and Expires along with its TTL settings.

The effective cache duration is the minimum value among these settings.

Resolution:

Align the Cache-Control max-age header and CloudFront Maximum TTL settings:

Update the CloudFront behavior to use a consistent value (e.g., set both to 1 hour).

Why Other Options Are Incorrect:

A: The Expires header value is irrelevant as CloudFront primarily considers Cache-Control and TTL settings.

B: The issue is not about expiring cached assets but about the duration of cache retention.

C: Cache invalidation is not required as it addresses purging specific objects from cache.

References:

Amazon CloudFront Caching

Cache Behavior Settings in CloudFront

To receive email notifications when IAM CreateUser API calls are made, you need to create an EventBridge rule that captures these events from CloudTrail and then routes them to an SNS topic that has an email subscription.

Enable CloudTrail:

Ensure AWS CloudTrail is enabled in your account to log API activity. Go to AWS CloudTrail Console and enable it if not already enabled.

Create SNS Topic:

Open the Amazon SNS console at Amazon SNS Console.

Create a new topic and name it (e.g., IAMCreateUserNotifications).

Create an email subscription for the topic by entering your email address and confirming the subscription via the email received.

Create EventBridge Rule:

Open the Amazon EventBridge console at Amazon EventBridge Console.

Create a new rule and provide a name and description.

For the Event source, select AWS events or EventBridge Schema.

In Event pattern, select AWS services and choose CloudTrail as the service.

Specify the event type as AWS API Call via CloudTrail.

In the Event source dropdown, select IAM and in the API operation, enter CreateUser.

Add Target:

Add a target and select SNS topic.

Choose the SNS topic you created earlier (IAMCreateUserNotifications).

Configure Permissions:

Ensure that the EventBridge rule has permission to publish to the SNS topic.

This configuration will trigger an email notification whenever an IAM CreateUser API call is made, keeping you informed of new user creations.

References:

Creating an EventBridge Rule That Triggers on an Event

Setting Up a CloudWatch Event to Trigger SNS

Creating CloudTrail Event Rules

When a portfolio is shared between AWS accounts in AWS Service Catalog, the administrator of the second account can import the shared portfolio and add products from the imported portfolio to their local portfolio. However, they cannot modify the imported portfolio directly.

Import the Shared Portfolio:

In the second AWS account, open the AWS Service Catalog console at AWS Service Catalog Console.

Navigate to Portfolios and choose Import portfolio.

Add Products to a Local Portfolio:

Once the portfolio is imported, the administrator can select products from the imported portfolio and add them to a local portfolio for easier management and deployment.

References:

Sharing Portfolios Across Accounts

AWS Service Catalog Admin Guide

AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance. It provides actionable recommendations to help you choose the right EC2 instances and AWS Lambda configurations.

Access AWS Compute Optimizer:

Open the AWS Compute Optimizer console at AWS Compute Optimizer Console.

Review the recommendations for your EC2 instances and AWS Lambda functions.

Implement Recommendations:

Analyze the recommendations, which might include resizing instances, changing instance types, or modifying Lambda memory settings.

Apply the recommendations to optimize your resources and reduce costs.

References:

AWS Compute Optimizer

Getting Started with AWS Compute Optimizer

To monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances and receive email alerts before low storage space affects performance, follow these steps:

Install the Amazon CloudWatch Agent:

Download and install the CloudWatch agent on your Windows EC2 instances.

The reason is that it uses the Amazon CloudWatch billing alarm which is a built-in service specifically designed to monitor and alert on cost usage of your AWS account, which makes it a more suitable solution for this use case. The alarm can be configured to detect when costs reach 75% of the threshold and when it is triggered, it can publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. The email distribution list can be subscribed to the topic, so that they will receive the alerts when costs reach 75% of the threshold.

AWS Budgets allows you to track and manage your costs, but it doesn't specifically focus on data transfer costs between regions, and it might not provide as much granularity as CloudWatch Alarms.

The requirement to share the same underlying files among EC2 instances with data consistency is best met by using Amazon Elastic File System (EFS), which supports concurrent access from multiple EC2 instances. A new launch template version should include user data scripts that mount the EFS file system on each instance launched by the Auto Scaling group. Older instances can be cycled out to ensure all instances use the new configuration. Option A is correct and provides the necessary solution while ensuring data consistency and availability. For implementation guidance, refer to the AWS documentation on integrating EFS with EC2 Amazon EFS Integration with EC2.

Increasing DB Instance Size:

Increasing the instance size provides more CPU and memory resources, which can help handle higher loads.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select the DB instance.

Modify the instance to increase its size.

Apply the changes during the next maintenance window or immediately if it is a critical issue.

Monitoring Performance:

After resizing, monitor the instance during the next report run to ensure that it handles the load effectively.

To support a wide variety of cloud storage workloads, Amazon EFS offers two performance modes, General Purpose mode and Max I/O mode. You choose a file system's performance mode when you create it, and it cannot be changed. If the PercentIOLimit percentage returned was at or near 100 percent for a significant amount of time during the test, your application should use the Max I/O performance mode.

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks:

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service:

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

Graphical user interface, text, application Description automatically generated

Graphical user interface, application, Teams Description automatically generated