SOA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

To define a custom health check for EC2 instances behind an Application Load Balancer (ALB), follow these steps:

Configure Health Checks on ALB:

In the AWS Management Console, navigate to the EC2 dashboard, then to Load Balancers.

Select your ALB and go to the "Health Checks" tab.

Set the HealthCheckPath to the specific path that your application uses to determine if an instance is healthy. This could be a specific URL or endpoint on your application.

If users are unable to connect to a specific Ubuntu EC2 instance using AWS Systems Manager Session Manager while other instances are accessible, the issue is likely due to IAM permissions:

Instance Profile Permissions: Ensure that the EC2 instance has the necessary IAM permissions to interact with Systems Manager. The AmazonSSMManagedInstanceCore managed policy includes permissions required for the SSM Agent on the instance to communicate with the AWS Systems Manager service.

Attach Managed Policy: Attach the AmazonSSMManagedInstanceCore policy to the IAM role that is associated with the Ubuntu instance's instance profile. This step is crucial as it authorizes the instance to use Systems Manager services, including Session Manager.

Verify Configuration and Connectivity: After updating the instance profile, verify that users can connect via Session Manager. This solution does not require any changes to network security settings like security groups.

By ensuring that the instance has the appropriate IAM permissions, you resolve issues related to access control and Systems Manager functionality, allowing authorized personnel to connect securely without using SSH or RDP.

AWS Config is the best service to automatically manage and remediate S3 bucket permissions that violate corporate policies against public access. AWS Config continuously monitors and records AWS resource configurations and allows you to create rules that trigger automatic responses when public access configurations are detected. This approach is highly operationally efficient as it automates compliance and enforcement of security policies without manual intervention. Option A is correct. AWS Config can be used to assess, audit, and evaluate the configurations of AWS resources, including S3 buckets. Reference AWS Config.

A CloudFormation stack in the DELETE_FAILED state typically indicates that some resources could not be deleted. One common reason is that S3 buckets in the stack still contain objects.

Steps:

Identify the Failed Resources:

Open the AWS CloudFormation console.

Select the stack in the DELETE_FAILED state.

Check the "Events" tab to identify the resource(s) that caused the failure.

Delete S3 Objects:

Open the Amazon S3 console.

Navigate to the bucket(s) listed in the CloudFormation events.

Delete all objects in the bucket. You can use the S3 console, AWS CLI, or an S3 batch operation to delete the objects.

Retry Stack Deletion:

After clearing the S3 bucket(s), go back to the CloudFormation console.

Select the stack and choose "Delete" to retry the deletion process.

To investigate AWS Secrets Manager password rotation and troubleshoot the authentication failure of an application running on Amazon EC2 instances, you should check the AWS Lambda function logs responsible for the password rotation.

Understand Secrets Manager Password Rotation:

AWS Secrets Manager can automatically rotate secrets according to a specified rotation schedule using an AWS Lambda function.

To effectively monitor website availability from an end-user perspective and receive notifications when uptime falls below a specified threshold, Amazon CloudWatch Synthetics provides a robust solution. Specifically, the heartbeat monitoring canary is designed to:

Simulate user interactions by regularly accessing the website's URL.

Measure availability and latency, providing insights into the user experience.

Publish metrics, such as SuccessPercent, which indicates the percentage of successful canary runs.

By creating a CloudWatch alarm that monitors the SuccessPercent metric and configuring it to trigger an SNS notification when the value drops below 99%, the company can proactively address availability issues.

This approach ensures continuous monitoring that closely mirrors the end-user experience, allowing for timely interventions when problems arise.

Network ACLs (Access Control Lists) are stateless, meaning that return traffic must be explicitly allowed. While the inbound rule allows HTTP traffic on port 80, the absence of an outbound rule permitting return traffic on ephemeral ports (typically 1024-65535) prevents the response from reaching the client.

To resolve this:

Add an Outbound Rule:

Protocol: TCP

Port Range: 1024-65535

Destination: 0.0.0.0/0

Action: Allow

This configuration ensures that the server can send responses back to clients initiating HTTP requests.

Problem Analysis:

The CloudWatch agent configuration is inconsistent across instances.

A centralized and automated mechanism is needed for consistent configuration management.

Action: Store Configuration in Systems Manager Parameter Store:

Parameter Store allows for secure, centralized storage of configuration files.

Steps:

Open Systems Manager Console.

Navigate to Parameter Store.

Create a parameter with the CloudWatch agent configuration file content.

Action: Use State Manager to Apply Configuration:

Systems Manager State Manager automates repetitive tasks such as ensuring consistent configuration.

Steps:

Open State Manager Console.

Create an association using the AmazonCloudWatch-ManageAgent document.

Configure the document to use Parameter Store as the configuration source.

Use tags (key = "OS", value = "Windows") to target the Windows EC2 instances.

Why Other Options Are Incorrect:

A: Using an S3 bucket for configuration storage lacks integration with Systems Manager for automation.

B: OpsCenter is for managing operational issues, not configuration files.

E: S3 as a configuration source is valid but introduces additional operational complexity compared to Parameter Store.

Ref. https://aws.amazon.com/es/blogs/storage/adding-and-removing-object-tags-with-s3-batch-operations/

Amazon S3 Batch Operations is a feature that lets you perform large-scale batch operations on S3 objects. It is the most operationally efficient way to replace a tag on all objects in an S3 bucket.

Create an S3 Batch Operations Job:

Open the Amazon S3 console at Amazon S3 Console.

Navigate to Batch Operations and create a new job.

Specify the Operation:

Choose the operation to replace all object tags.

Provide a manifest that lists the objects in the bucket. You can generate this manifest using an S3 inventory report.

Execute the Job:

Review the job configuration and submit it.

Monitor the job execution to ensure all tags are replaced as specified.

Using S3 Batch Operations automates the process and minimizes manual effort.

Amazon S3 Batch Operations

Tagging Amazon S3 Objects

For high-performance computing (HPC) applications that require minimized network latency and maximized network throughput, the best strategy is to use a cluster placement group. Here’s why:

Cluster Placement Group:

Instances in a cluster placement group are placed within a single Availability Zone, which allows them to communicate using high-bandwidth, low-latency connections.

This is ideal for HPC workloads that require high network throughput and low latency.