SOA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

To resolve issues with high disk I/O during the bootstrap process:

Increase EBS Volume IOPS: Higher IOPS allows the EBS volume to handle more input/output operations per second, which is critical for high I/O demands like downloading large Docker images.

Increase EBS Volume Throughput: Boosting throughput allows for faster data transfer rates, which is useful when the workload requires sustained high data throughput during initialization.

Increasing the instance size or changing the instance type is not necessary if the root cause is related specifically to EBS performance. Nitro instances generally provide higher performance and are well-suited for high I/O tasks.

https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS-Certified-SysOps-Administrator-Associate_Sample-Questions_C02.pdf

Evictions in Amazon ElastiCache for Memcached occur when the cache runs out of available memory and needs to remove existing data to store new data. To reduce evictions, you can either add more nodes to the cluster or increase the size of the individual nodes.

Add an Additional Node:

Open the Amazon ElastiCache console at Amazon ElastiCache Console.

Select your Memcached cluster and choose Modify.

Increase the number of nodes in the cluster to add more memory capacity.

Apply the changes to scale out the cluster.

Increase the Individual Node Size:

Open the Amazon ElastiCache console and select your Memcached cluster.

Choose Modify and change the node type to a larger instance size with more memory.

Apply the changes to scale up the cluster.

Both actions will provide additional memory capacity, reducing the likelihood of evictions due to insufficient memory.

Scaling ElastiCache for Memcached

Amazon ElastiCache for Memcached User Guide

AWS Systems Manager Maintenance Windows allow you to define a schedule for performing administrative tasks on your instances. By setting up a maintenance window:

Schedule Reboots:

Define a maintenance window outside business hours.

Register the EC2 instances as targets.

Assign the AWS-RestartEC2Instance Automation document to the task.

This setup ensures that instances are rebooted regularly, mitigating the effects of the memory leak until a permanent fix is implemented.

The most likely reason for being unable to authenticate an AWS CLI call to an AWS service is the absence of an access key. AWS CLI requires an access key and secret key to authenticate requests.

Access Key and Secret Key:

AWS uses access keys to identify and authenticate the identity of the requester.

Ensure that the AWS CLI is configured with a valid access key and secret key.

Check AWS CLI Configuration:

Use the aws configure command to set up the AWS CLI with the necessary credentials.

Verify that the ~/.aws/credentials file contains the correct access key and secret key.

AWS CLI Configuration

Managing Access Keys

To ensure that database credentials are never stored in plaintext and the password is rotated every 30 days, use AWS Secrets Manager:

Store Credentials in Secrets Manager:

Open the AWS Secrets Manager console.

Click on "Store a new secret."

Select "RDS database credentials" and provide the necessary details (username, password, database instance).

Configure the secret's name and details.

Enable Automatic Rotation:

During the secret creation process, enable automatic rotation.

Specify an automatic rotation schedule of 30 days.

Choose the Lambda function that Secrets Manager will use to update the database password automatically.

Update Lambda Functions:

Update each Lambda function to retrieve the database password from Secrets Manager.

Use the AWS SDK in your Lambda code to access Secrets Manager and fetch the secret value.

AWS Secrets Manager

Rotating AWS Secrets Manager Secrets

Retrieve Secrets from AWS Lambda

CloudFront provides built-in viewer device detection headers, including:

CloudFront-Is-Mobile-Viewer

CloudFront-Is-SmartTV-Viewer

CloudFront-Is-Tablet-Viewer

From the CloudFront origin request policies documentation:

You can configure CloudFront to forward these device type headers to the origin so that different content (e.g., lower-resolution images for mobile) can be served and cached separately.

This allows differentiated caching based on the viewer's device type.

Step-by-Step Explanation:

Understand the Problem:

Engineers need to connect to EC2 instances in a private subnet for troubleshooting.

The instances are using Windows or Amazon Linux AMIs.

The team already has an IAM role for authorization.

Analyze the Requirements:

Provide secure and efficient access to the instances without exposing them directly to the internet.

Utilize existing IAM role for access control.

Evaluate the Options:

Option A: Use AWS Systems Manager Session Manager.

Allows secure and auditable SSH or RDP access to EC2 instances without the need for bastion hosts or opening inbound ports.

Add a policy to allow the ssm:StartSession action.

Option B: Use Elastic IP and security group.

Exposes instances to direct access, increasing security risks.

Option C: Use a bastion host.

Requires additional infrastructure and maintenance.

Option D: Use an internet-facing Network Load Balancer.

Exposes instances to direct access via load balancer, not ideal for private subnets.

Select the Best Solution:

Option A: Using AWS Systems Manager Session Manager is the most secure and efficient solution. It eliminates the need for additional infrastructure and avoids exposing instances to the internet.

AWS Systems Manager Session Manager

Controlling Access to Session Manager

AWS Systems Manager Session Manager provides secure and auditable access to EC2 instances in a private subnet using IAM roles.

Increasing DB Instance Size:

Increasing the instance size provides more CPU and memory resources, which can help handle higher loads.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select the DB instance.

Modify the instance to increase its size.

Apply the changes during the next maintenance window or immediately if it is a critical issue.

Monitoring Performance:

After resizing, monitor the instance during the next report run to ensure that it handles the load effectively.

Modifying an Amazon RDS DB Instance

To meet the requirements of the workload, a company should store the data in an Amazon S3 Glacier vault and configure a vault lock policy for write-once, read-many (WORM) access. This will ensure that the data is stored securely and cannot be edited in the future. The other solutions (storing the data in an Amazon Elastic Block Store (Amazon EBS) volume and configuring AWS Key Management Service (AWS KMS) encryption, storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring server-side encryption, or storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring multi-factor authentication (MFA)) will not meet the requirements, as they do not provide a way to protect the audit logs from future edits.

https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/object-lock.html

Amazon S3 Cross-Region Replication (CRR) is a feature that automatically replicates objects across AWS regions. When CRR is configured, certain aspects are replicated by default, and some are not. Here are the details:

Objects in the source S3 bucket for which the bucket owner does not have permissions: CRR does not replicate objects for which the bucket owner does not have permissions.

Objects that are stored in S3 Glacier: Objects in the S3 Glacier storage class are not replicated by CRR.

Objects that existed before replication was configured: Only objects created or modified after the replication configuration will be replicated. Objects that existed before the configuration are not replicated by default.

Object metadata: CRR replicates the object metadata along with the object to ensure that the replica in the destination bucket is as accurate as possible.

Amazon S3 Cross-Region Replication

Replication Configuration Examples