Last Attempt SAA-C03 Questions

Amazon CloudWatch Container Insightsis designed for monitoring containerized environments like EKS. It provides native support for collecting and visualizing metrics and logs in a centralized location through CloudWatch dashboards, offering the most operationally efficient solution.

Option A:Using the CloudWatch agent provides basic metrics but lacks the specific insights required for containerized applications.

Option B:Kinesis Data Streams and Firehose add unnecessary complexity for this use case.

Option C:CloudTrail is for auditing API activity and is not designed for application metrics and log aggregation.

AWS Documentation References:

Amazon CloudWatch Container Insights

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

This solution allows for secure and least-privilege access with minimal operational overhead.

IAM Identity Center: AWS IAM Identity Center (formerly AWS SSO) enables you to centrally manage access to multiple AWS accounts and applications. By using IAM Identity Center, you can assign permission sets that define what users or groups can access, ensuring that only necessary permissions are granted.

Permission Sets: Permission sets in IAM Identity Center allow you to define granular access controls for specific services, such as Amazon RDS and S3. You can tailor these permissions to meet the needs of different teams, adhering to the principle of least privilege.

Group Management: By assigning users to groups and associating those groups with specific permission sets, you reduce the complexity and overhead of managing individual IAM roles and policies. This method also simplifies compliance and audit processes.

Why Not Other Options?:

Option A (IAM roles): While IAM roles can provide least-privilege access, managing multiple roles and policies across teams increases operational overhead compared to using IAM Identity Center.

Option C (Individual IAM users): Managing individual IAM users and roles can be cumbersome and does not scale well compared to group-based management in IAM Identity Center.

Option D (AWS Organizations with cross-account roles): Creating separate accounts and cross-account roles adds unnecessary complexity and overhead for this use case, where IAM Identity Center provides a more straightforward solution.

AWS References:

AWS IAM Identity Center- Overview and best practices for using IAM Identity Center.

Managing Access Permissions Using IAM Identity Center- Guide on creating and managing permission sets for secure access.

Comprehensive and Detailed Step-by-Step Explanation:

To meet the requirements of copying only relevant data as soon as possible and receiving notifications upon completion, the following steps are recommended:

Generate a Manifest File (Option A):

Action:Modify the on-premises data generation process to create a manifest file at the end of each data generation cycle. This manifest should list the names of the objects that need to be copied to Amazon S3.

Implementation:Develop a custom script that runs after data generation. This script compiles the list of relevant data files into a manifest file and uploads it to a designated S3 bucket.

Justification:Using a manifest allows AWS DataSync to transfer only the specified files, reducing unnecessary data transfer and associated costs.

docs.aws.amazon.com

Automate DataSync Task Execution (Option D):

Action:Set up an S3 Event Notification to trigger an AWS Lambda function whenever a new manifest file is uploaded to the S3 bucket.

Implementation:Configure the Lambda function to invoke the DataSync task by calling the StartTaskExecution API action, specifying the manifest file. This ensures that only the files listed in the manifest are copied from on-premises storage to Amazon S3.

Justification:This automation ensures timely data transfer as soon as relevant data is available, minimizing delays and manual intervention.

docs.aws.amazon.com

Set Up Completion Notifications (Option E):

Action:Create an Amazon SNS topic to handle notifications. Then, establish an Amazon EventBridge rule that monitors the DataSync task execution status and sends an email notification to the SNS topic when the status changes to SUCCESS or ERROR.

Implementation:Configure EventBridge to capture state changes of the DataSync task. When a task completes successfully or encounters an error, EventBridge triggers a notification to the SNS topic, which then sends an email to the subscribed recipients.

Justification:This setup provides immediate feedback on the data transfer process, allowing the analytics team to act promptly based on the success or failure of the data copy operation.

docs.aws.amazon.com