SOA-C02 Exam Dumps - Amazon Web Services AWS Certified Associate Questions and Answers

Amazon Route 53's failover routing policy allows you to route traffic to a primary resource unless it is unavailable, in which case Route 53 can fail over to a secondary resource.

Steps:

Open Route 53 Console:

Open the Amazon Route 53 console.

Create Alias Records:

In your hosted zone, create two alias records.

One alias record should point to the ALB in the primary region and the other to the ALB in the secondary region.

Set Failover Routing Policy:

For the alias record pointing to the primary ALB, set the routing policy to "Failover" and designate it as the primary.

For the alias record pointing to the secondary ALB, set the routing policy to "Failover" and designate it as the secondary.

Enable Health Checks:

Ensure that "Evaluate Target Health" is set to "Yes" for both alias records. This ensures that Route 53 will check the health of the ALBs before routing traffic.

Configure Health Checks for ALBs:

Ensure that each ALB has appropriate health checks configured to accurately report the health of the instances.

Objective:

Ensure the mem_used_percent metric from the EC2 instance is available in Amazon CloudWatch.

Root Cause:

The unified CloudWatch agent requires IAM permissions to publish custom metrics to CloudWatch.

If an IAM instance profile is not attached or is missing necessary permissions, the metric will not appear in CloudWatch.

Solution Implementation:

Step 1: Create an IAM role with the required permissions:

Use the AmazonCloudWatchAgentServerPolicy managed policy, which grants permissions for the CloudWatch agent to send metrics.

Step 2: Create an IAM instance profile for the role.

Step 3: Attach the instance profile to the EC2 instance.

Step 4: Restart the unified CloudWatch agent on the EC2 instance to apply the changes:

bash

Copy code

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a stop

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a start

AWS References:

Unified CloudWatch Agent Configuration:CloudWatch Agent Permissions

Why Other Options Are Incorrect:

Option A: Enabling detailed monitoring only collects predefined metrics; it does not affect custom metrics like mem_used_percent.

Option C: The subnet (public or private) does not affect the collection of metrics by the CloudWatch agent.

Option D: Using IAM user credentials is not a best practice for EC2 instances; instance profiles are the recommended method.

Enabling the organizational view in AWS Health will allow the SysOps administrator to consolidate the alerts from each account’s Personal Health Dashboard. It will also provide the administrator with a single view of all the accounts in the organization, allowing them to easily monitor the health of all the accounts in the organization.

To identify changes made by the compromised access key, the SysOps administrator should search the AWS CloudTrail event history:

AWS CloudTrail:

CloudTrail logs all API calls made in an AWS account, which includes events initiated by access keys. This makes it the ideal service to investigate changes made using the compromised access key.

Because the instance is:

In an isolated subnet (no internet or VPN access)

And you're not using Systems Manager

The best option is to use EC2 Instance Connect Endpoint, which allows SSH access to EC2 instances in private subnets without NAT or VPN.

From EC2 Instance Connect Endpoint documentation:

EC2 Instance Connect Endpoint enables secure connectivity to EC2 instances in private subnets without needing a public IP, bastion host, or VPN.

https://aws.amazon.com/blogs/security/how-to-enable-secure-access-to-kibana-using-aws-single-sign-on/

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html

To enable troubleshooting of EC2 instances marked as unhealthy before they are terminated by the Auto Scaling group, you can use lifecycle hooks:

Add a Lifecycle Hook: Configure a lifecycle hook in the Auto Scaling group. This hook will hold the instance in a "wait" state either when it launches or terminates (in this case, when it's about to be terminated due to health check failure).

Integration with Amazon EventBridge (CloudWatch Events): Set up the lifecycle hook to send an event to EventBridge (formerly CloudWatch Events) when an instance is in the termination lifecycle state.

Invoke Lambda Function: Configure EventBridge to trigger an AWS Lambda function when it receives the termination lifecycle event from the Auto Scaling group. This Lambda function can then perform necessary diagnostics, logging, or data capture activities on the instance before it's terminated.

This configuration allows the SysOps administrator to perform necessary investigations on why instances were marked unhealthy before they are automatically replaced, offering a chance to diagnose and potentially correct underlying issues.

AWS Secrets Manager allows you to store, manage, and automatically rotate database credentials. This service is designed to be used for such requirements efficiently.

Store Database Credentials in AWS Secrets Manager:

Open the AWS Secrets Manager console at AWS Secrets Manager Console.

Choose Store a new secret.

Select Credentials for RDS database and provide the database connection details and credentials.

Choose Next to configure the secret.

Configure Rotation:

Enable automatic rotation for the secret.

Set the rotation interval to 365 days.

Select or create a Lambda function that will be used to rotate the secret. AWS Secrets Manager provides a template for this function which can be customized if necessary.

Apply and Monitor:

Apply the changes and ensure that your application retrieves credentials from AWS Secrets Manager.

Monitor the rotation activity in Secrets Manager to ensure that the credentials are being rotated as expected.

AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets

The most operationally efficient solution is to use the organization ARN to share the AMI across all accounts within AWS Organizations.

AMI Sharing with Organization ARN: AWS allows you to share AMIs with an entire AWS Organization by specifying the organization’s ARN, simplifying access management for multiple accounts.

Efficient Management: This approach eliminates the need to share AMIs individually with each account or make them public, and it avoids the complexity of using snapshots.

Making the AMI public is not secure, and using AWS Marketplace or snapshots does not provide the operational efficiency required.

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.