Amazon Web Services SOA-C02 Dumps

To route traffic for a subdomain to a CloudFront distribution using Amazon Route 53, you should create an A record with the CloudFront distribution's domain name as the alias target.

Login to AWS Management Console:

Open the Route 53 console at Amazon Route 53 Console.

Select Hosted Zone:

Select the hosted zone for your domain (example.com).

Create Record Set:

Click on Create record.

For Record name, enter static.

Select A - IPv4 address for the record type.

For Alias, choose Yes.

In the Alias Target field, select the CloudFront distribution's domain name from the dropdown menu.

Save Record Set:

Review the settings and click Create records.

This setup directs traffic for static.example.com to the CloudFront distribution, leveraging the distribution's caching and delivery capabilities.

Routing Traffic to a CloudFront Distribution by Using Your Domain Name

Creating Records in Route 53

To use tags to filter views in the AWS Cost Explorer console, the tags must be activated for cost allocation.

Activate User-Defined Tags for Cost Allocation:

Open the AWS Billing and Cost Management console.

In the navigation pane, choose "Cost Allocation Tags."

Activate the user-defined tags that you want to use for cost allocation.

Activating User-Defined Cost Allocation Tags

The connectivity issues could be due to:

Security Group Ingress Rules:

Ensure that the security group for the RDS database has the correct ingress rules allowing traffic from the web server’s security group or IP address.

Go to the RDS console, select your database instance, and check the security groups.

In the security group settings, verify that the correct port (usually 3306 for MySQL) is open for the web server's IP or security group.

Port Configuration:

Verify that the application is configured to use the correct port that matches the RDS database configuration.

Check the application configuration files to ensure the port number matches the port specified in the RDS instance.

Amazon RDS Security Groups

Troubleshooting RDS Connectivity

One possible cause for the failure of the CloudFormation template to create an EC2 instance in the us-west-2 Region is that the Amazon Machine Image (AMI) ID referenced in the template could not be found in the us-west-2 Region. This could be due to the fact that the AMI is not available in that region, or the credentials used to access the AMI were not configured properly. The other options (resource tags defined in the CloudFormation template are specific to the us-east-I Region, the cfn-init script did not run during resource provisioning in the us-west-2 Region, and the IAM user was not created in the specified Region) are not valid causes for this failure.

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Objective:

Notify administrators via email whenever a root user sign-in event occurs.

Using Amazon EventBridge and Amazon SNS:

EventBridge: Captures the root user sign-in events from AWS CloudTrail.

SNS: Publishes email notifications to subscribed recipients.

Steps to Implement:

Step 1: Enable CloudTrail for management events if not already enabled.

Step 2: Create an EventBridge rule:

Event pattern:

{

"source": ["aws.signin"],

"detail-type": ["AWS Console Sign In via Root Account"]

}

Step 3: Set the rule target to an SNS topic.

Step 4: Subscribe email addresses to the SNS topic.

AWS References:

EventBridge Rules:Creating EventBridge Rules

SNS Subscriptions:Amazon SNS Subscriptions

Why Other Options Are Incorrect:

Option A: Trusted Advisor does not directly send notifications for root sign-ins.

Option B: Using an EC2 instance and scripts is less efficient and not operationally optimized.

Option C: Sending notifications to SQS introduces unnecessary complexity and delays.

AWS Single Sign-On (AWS SSO) provides a centralized interface to manage SSO access to multiple AWS accounts and business applications. AWS SSO integrates with AWS Organizations and supports SAML 2.0 identity providers, making it an ideal solution for centrally managing user access and permissions across multiple AWS accounts.

AWS Single Sign-On (AWS SSO):

AWS SSO allows you to manage SSO access and user permissions to all of your AWS accounts and applications.

It integrates seamlessly with AWS Organizations.

Integration with SAML 2.0 IdP:

AWS SSO supports integration with third-party SAML 2.0 identity providers.

This allows centralized management of user identities and access.

Steps to Implement:

Enable AWS SSO in your AWS Organizations management account.

Configure AWS SSO to connect with your third-party SAML 2.0 IdP.

Assign user permissions and roles for each AWS account through AWS SSO.

AWS Single Sign-On

Integrating AWS SSO with SAML 2.0 Identity Providers

To allow outbound IPv6 traffic from instances in your VPC to the internet, but prevent inbound traffic from the internet, you should use an egress-only internet gateway.

Egress-Only Internet Gateway:

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents the internet from initiating an IPv6 connection with your instances.

Routing Configuration:

Open the Amazon VPC console.

Select the route table associated with your VPC.

Add a route for IPv6 traffic (destination ::/0) to the egress-only internet gateway.

Egress-Only Internet Gateways

Routing for IPv6 Traffic

To achieve maximum cost savings and flexibility for a 24/7 running application across different AWS regions and operating systems, the best approach is to use a Compute Savings Plan. Compute Savings Plans provide the most flexibility by automatically applying to any EC2 instance usage regardless of instance family, size, OS, tenancy, or AWS Region, and also apply to AWS Fargate and AWS Lambda usage.

Understand Compute Savings Plans:

Compute Savings Plans offer significant savings over On-Demand prices, with the flexibility to use the compute option that best suits your needs.

Purchase a Compute Savings Plan:

Login to the AWS Management Console.

Navigate to the Savings Plans section.

Choose Purchase Savings Plan and select Compute Savings Plan.

Define the hourly commitment amount and the term length (one or three years).

Monitor and Optimize Usage:

Ensure that your usage aligns with the Savings Plan to maximize savings.

Use AWS Cost Explorer and Savings Plans Utilization reports to monitor usage.

Savings Plans

Compute Savings Plans

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using a stack set, the SysOps administrator can manage deployments across different regions and accounts within AWS Organizations efficiently.

Setting up StackSets: First, define your CloudFormation template that describes all the resources that need to be deployed across the regions. Store this template in an S3 bucket accessible by the central administration account.

Service-Managed Permissions: When creating a stack set, select the option for service-managed permissions if you are using AWS Organizations. This allows AWS CloudFormation to automatically set up the necessary permissions in the target accounts.

Deploying the Stack Set: From the central administration account, create the stack set and specify the target accounts and regions. CloudFormation will then ensure that the resources defined in the template are instantiated in each of the specified regions and accounts.

This method simplifies management and ensures consistency of infrastructure across multiple regions and accounts, leveraging the organizational units in AWS Organizations for centralized governance.

To resolve the issue of an AWS Lambda function unable to connect to a database that has been moved to a private subnet, the Lambda function needs to be connected to the same VPC as the database. This is done by configuring the Lambda function with VPC access. This involves specifying the VPC, subnets, and security groups for the Lambda function so that it can communicate with the database using its private endpoint. Option B is correct as it directly addresses the issue without compromising security. AWS documentation on configuring VPC access for Lambda provides guidance on this setup Configuring VPC Access for Lambda.

To enforce tag-based restrictions across multiple accounts in an OU, Service Control Policies (SCPs) are the best tool.

From SCP documentation:

You can deny access to APIs like ec2:RunInstances if a specific tag is not present using a condition such as Null:aws:RequestTag/CostCenter-Project: true.

By attaching the SCP to the application OU, only the accounts within that OU are impacted.

To serve static websites using S3 and Route 53, AWS requires the bucket name to match the custom domain name (e.g., not just a random bucket like example-website-hosting-bucket.

From the Amazon S3 Static Website Hosting Guide:

To use Amazon Route 53 to route domain traffic to an S3 bucket that is configured as a static website, the bucket name must match the name of the domain or subdomain.

This means:

To host you must create an S3 bucket named

Then configure static website hosting on that bucket

In Route 53, you can then create an alias record pointing to the S3 website endpoint

❌ Why the other options are incorrect:

A. ARNs are not valid alias targets in Route 53.

B. ARN changes do not affect Route 53; also, you cannot rename an S3 bucket via ARN changes.

C. Access Points do not support static website hosting. They are for programmatic access via APIs.

To find security groups that are open to the internet on port 3389, using AWS Trusted Advisor is the most straightforward solution.

AWS Trusted Advisor:

AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

It includes a security check that identifies security groups with unrestricted access.

Steps to Use Trusted Advisor:

Open the AWS Trusted Advisor console.

In the "Security" category, look for the check that identifies security groups with unrestricted access.

Review the report to find security groups that allow unrestricted access on port 3389 (RDP).

AWS Trusted Advisor

AWS Trusted Advisor Best Practices

For high-performance computing (HPC) applications that require minimized network latency and maximized network throughput, the best strategy is to use a cluster placement group. Here’s why:

Cluster Placement Group:

Instances in a cluster placement group are placed within a single Availability Zone, which allows them to communicate using high-bandwidth, low-latency connections.

This is ideal for HPC workloads that require high network throughput and low latency.

To rotate an AWS KMS customer master key (CMK) with imported key material every 6 months, follow these steps:

Create a New CMK with New Imported Material:

Generate new key material according to your security policies.

Create a new CMK in AWS KMS and import the new key material into this CMK.

When working with AWS CloudFormation, understanding how the stack behaves during a failure is crucial for troubleshooting. By default, if a stack creation fails, CloudFormation will roll back any resources it created, leaving no trace of what went wrong. This default behavior makes debugging more difficult because the resources that may have caused the failure are deleted.

To change this behavior, AWS CloudFormation provides the --on-failure parameter when creating a stack using the AWS CLI or SDKs. The purpose of this parameter is to control what happens if stack creation fails.

From the AWS CloudFormation User Guide:

--on-failure

Required: No

Type: String

Valid values: DO_NOTHING | ROLLBACK | DELETE

Default: ROLLBACK

DO_NOTHING – If stack creation fails, do nothing. The stack remains in the CREATE_FAILED state. You can then investigate and take corrective action.

ROLLBACK – If stack creation fails, roll back all created resources.

DELETE – If stack creation fails, delete all created resources (i.e., behave as if the stack was never attempted).

✅ Why B is correct:

OnFailure=DO_NOTHING tells CloudFormation to retain all successfully created resources even if stack creation fails. This allows a SysOps administrator to inspect the created resources, review logs, or fix the template before attempting to resume or recreate the stack.

❌ Why the other options are incorrect:

A. DisableRollback = FalseThis is default behavior, meaning rollback will occur (i.e., resources will be deleted). This does not help preserve resources after failure.

C. Rollback trigger of DO_NOTHINGThere is no such rollback trigger value called DO_NOTHING. Rollback triggers are for monitoring CloudWatch alarms during stack updates or creations and do not influence what happens when a creation fails unless a trigger fires.

D. OnFailure = ROLLBACKThis is the default, and it removes all resources when the stack creation fails, which is the opposite of the requirement.

Conclusion:

To preserve resources that were successfully created during a failed CloudFormation stack creation, the correct and verified approach is:

Set OnFailure=DO_NOTHING during stack creation.

This enables post-mortem debugging by retaining the resources for inspection.

To use the static website as a backup to the web application and ensure automated failover, the SysOps administrator should set up failover routing policies in Amazon Route 53.

Failover Routing Policies:

Route 53 failover routing allows you to route traffic to a primary resource when it is healthy and automatically failover to a secondary resource when the primary becomes unhealthy.

Steps to Implement:

Primary Failover Record: Create a primary failover routing policy record and set the value to the ALB. Associate this record with a Route 53 health check that monitors the ALB.

Secondary Failover Record: Create a secondary failover routing policy record and set the value to the static website.

Amazon Route 53 Failover Routing

To stop EC2 instances in a development environment when they are not in use, you can create a CloudWatch alarm based on CPU utilization.

Create CloudWatch Alarm:

Navigate to the CloudWatch console.

Select "Alarms" and click on "Create Alarm".

Choose the EC2 instance metric for CPU utilization.

Set the condition to trigger the alarm when the average CPU utilization is less than 5% for a continuous 30-minute period.

"You can add tags to resources when you create the resource. You can use the resource's service console or API to add, change, or remove those tags one resource at a time. To add tags to—or edit or delete tags of—multiple resources at once, use Tag Editor. With Tag Editor, you search for the resources that you want to tag, and then manage tags for the resources in your search results."

Objective:

Retain system and application logs for 13 months.

Ensure logs are preserved independently of EC2 instance termination.

Make logs easily accessible during the retention period.

Steps to Implement (Following Option D):

Step 1: Create a CloudWatch Log Group:

Open the CloudWatch console and create a new log group.

Set the retention period to 13 months using the "Expire Events After" feature.

Step 2: Deploy the Unified CloudWatch Agent:

Install the CloudWatch agent on all EC2 instances hosting the workload. The agent provides unified logging capabilities for system and application logs.

Step 3: Configure the Agent to Push Logs:

Configure the agent to push logs (e.g., /var/log/messages, application logs) to the created log group.

Use the agent configuration file to specify log paths, log groups, and retention settings.

Step 4: Attach Necessary IAM Role:

Attach an instance profile with an IAM policy that grants the necessary permissions (logs:PutLogEvents, logs:CreateLogStream) to send logs to CloudWatch.

Step 5: Verify Logging:

Confirm that logs are being sent to the CloudWatch log group and are stored according to the 13-month retention policy.

AWS References:

Unified CloudWatch Agent:Install and Configure CloudWatch Agent

CloudWatch Log Retention:Setting Log Retention in CloudWatch

IAM Permissions for CloudWatch Logs:IAM Policies for CloudWatch Logs

Why Other Options Are Incorrect:

Option A and C: Suggest using Amazon S3 for log storage, which is valid but requires external mechanisms (e.g., scripts) for log transfer and lacks native querying tools.

Option B: Does not mention using the unified CloudWatch agent, which is required to efficiently push logs from EC2 instances to CloudWatch Logs.

Access to Amazon DynamoDB requires credentials. Those credentials must have permissions to access AWS resources, such as an Amazon DynamoDB table or an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and DynamoDB to help secure access to your resources.

To automate the execution of a Python script every night efficiently:

Convert Python Script to Lambda:

Create an AWS Lambda function and upload the Python script.

Ensure the function has the necessary IAM permissions to perform the required maintenance tasks.

Step-by-Step Explanation:

Understand the Problem:

An EC2 instance needs to be reachable from the internet.

Analyze the Requirements:

Ensure proper routing for internet connectivity.

Evaluate the Options:

Option A: A route for 0.0.0.0/0 that points to a NAT gateway.

NAT gateways allow instances in private subnets to access the internet, not the other way around.

Option B: A route for 0.0.0.0/0 that points to an egress-only internet gateway.

Egress-only gateways are for IPv6 traffic and do not provide inbound internet access.

Option C: A route for 0.0.0.0/0 that points to an internet gateway.

Internet gateways provide both inbound and outbound internet access.

Option D: A route for 0.0.0.0/0 that points to an elastic network interface.

Elastic network interfaces do not provide internet routing.

Select the Best Solution:

Option C: Adding a route to the internet gateway ensures the EC2 instance is reachable from the internet.

Amazon VPC Internet Gateway

Configuring a route to the internet gateway ensures proper internet connectivity for the EC2 instance.

For improving upload performance globally for an Amazon S3 bucket, enabling S3 Transfer Acceleration is the best solution. This service optimizes file transfers to S3 using Amazon CloudFront's globally distributed edge locations. After enabling this feature, uploads to the S3 bucket are first routed to an AWS edge location and then transferred to S3 over an optimized network path. Option C is correct, and the developers should use the provided accelerate endpoint in their API calls. For more details, consult the AWS documentation on S3 Transfer Acceleration Amazon S3 Transfer Acceleration.

A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system. You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance. You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target.

To determine the service costs incurred by each developer, follow these steps:

Activate the createdBy Tag:

Tagging resources with a createdBy tag helps identify which user created the resource. This tag should be applied consistently across all resources created by the developers.

Amazon Elastic File System (EFS) provides a scalable and highly available file storage solution for use with Amazon EC2 instances. To achieve high availability and durability:

EFS Standard Storage Class: Stores data redundantly across multiple Availability Zones, ensuring data durability and availability.

Mount Targets: For optimal performance and availability, create a mount target in each Availability Zone. EC2 instances should connect to the mount target in their respective Availability Zone.

By configuring EFS in this manner, the company ensures that all EC2 instances, regardless of their Availability Zone, have reliable and efficient access to shared data.

To improve the performance of an Amazon Elastic File System (EFS) when users report slower file retrieval times, configuring the file system for Provisioned Throughput is an effective solution.

Login to AWS Management Console:

Open the Amazon EFS console at Amazon EFS Console.

Select the File System:

In the EFS console, select the file system that you want to modify.

Modify Throughput Settings:

Choose File system policy and then Manage file system policy.

Under Throughput mode, select Provisioned Throughput.

Specify the desired throughput in MiB/s based on your application's needs.

Apply Changes:

Save the changes to apply the new throughput settings to the file system.

Amazon EFS Performance

Managing Throughput Modes

To monitor usage and quotas across multiple accounts, CloudWatch now supports cross-account observability with delegated administrators.

From CloudWatch cross-account observability:

A delegated administrator can monitor CloudWatch data from linked accounts in a central monitoring account.

Also:

You can use the SERVICE_QUOTA() function in a metric math expression to create alarms on quota utilization.

The requirement to share the same underlying files among EC2 instances with data consistency is best met by using Amazon Elastic File System (EFS), which supports concurrent access from multiple EC2 instances. A new launch template version should include user data scripts that mount the EFS file system on each instance launched by the Auto Scaling group. Older instances can be cycled out to ensure all instances use the new configuration. Option A is correct and provides the necessary solution while ensuring data consistency and availability. For implementation guidance, refer to the AWS documentation on integrating EFS with EC2 Amazon EFS Integration with EC2.

To ensure all objects in the S3 bucket are encrypted, including future objects, the following steps should be taken:

Enable Default Server-Side Encryption:

Edit the properties of the S3 bucket to enable default server-side encryption. This ensures that all new objects written to the bucket are encrypted by default.

Navigate to the S3 console, select the bucket, go to the "Properties" tab, and under "Default encryption", select the encryption method (SSE-S3, SSE-KMS, etc.).

To ensure that the CloudFormation stack fails and rolls back if the process stalls, you should add a CreationPolicy with a timeout set to 4 hours to the CloudFormation template.

CreationPolicy:

The CreationPolicy attribute enables you to specify how long CloudFormation should wait for a resource to be created or updated.

You can use this to ensure that the instance completes its software installation process within a specified period.

Adding CreationPolicy to the Template:

Add the CreationPolicy attribute to the EC2 resource in the CloudFormation template.

Set the Timeout to 4 hours (PT4H).

Example:

Resources:

MyInstance:

Type: 'AWS::EC2::Instance'

Properties:

InstanceType: t2.micro

ImageId: ami-0abcdef1234567890

CreationPolicy:

ResourceSignal:

Count: 1

Timeout: PT4H

Ensuring Rollback:

If the instance does not signal success within the specified timeout, CloudFormation will mark the stack as failed and roll back the changes.

AWS CloudFormation CreationPolicy

Using Creation Policies with CloudFormation

Using a CloudWatch alarm with an EventBridge rule provides an automated, direct way to reboot the EC2 instance without extra components like SES or Lambda. This is a straightforward approach with low operational overhead.

To quickly remediate resources and bring them back into compliance with patch standards, AWS Systems Manager is the appropriate service to use.

Use AWS Systems Manager:

Leverage Systems Manager Patch Manager to automate the process of patching managed instances.

Use Systems Manager State Manager to ensure that resources remain in compliance with the desired configurations.

When you enable log file integrity validation, CloudTrail creates a hash for every log file that it delivers. Every hour, CloudTrail also creates and delivers a file that references the log files for the last hour and contains a hash of each. This file is called a digest file. CloudTrail signs each digest file using the private key of a public and private key pair. After delivery, you can use the public key to validate the digest file. CloudTrail uses different key pairs for each AWS region

To manage scaling of EC2 instances in response to variable SQS message loads effectively:

Monitor SQS Queue Size: Utilize Amazon CloudWatch to monitor the number of visible messages in the SQS queue. This metric gives an indication of the workload that needs to be processed by the worker instances.

Metric Math Expression: Create a CloudWatch metric math expression that calculates the approximate number of messages visible per instance. This provides a more precise scaling metric, ensuring that each instance in the Auto Scaling group has a manageable load.

Target Tracking Scaling Policy: Implement a target tracking scaling policy based on this metric math expression. Configure the Auto Scaling group to automatically adjust its size to maintain a target value for the average number of SQS messages per instance. This approach ensures that the EC2 instances scale up during high traffic periods and scale down when the message load decreases.

This solution optimizes resource utilization and cost while maintaining performance by ensuring that the worker processes are neither overwhelmed nor idle.

The company wants to:

Distribute traffic across two AWS Regions

Minimize response time

From the Route 53 Routing Policies Documentation:

Latency-based routing allows you to route traffic to the AWS Region that provides the lowest latency for the user.

Ideal for applications deployed in multiple AWS Regions.

This matches the scenario exactly.

To view the cost details of each project in an AWS account using Cost Explorer, you need to activate cost allocation tags and tag the resources with a project identifier.

Activate Cost Allocation Tags:

Navigate to the AWS Billing and Cost Management console.

In the navigation pane, choose "Cost allocation tags".

Select the tags you want to activate (e.g., "Project") and click "Activate".

Tag Resources with Project Identifier:

Go to the AWS Management Console for each service where resources are deployed (e.g., EC2, S3, RDS).

For each resource, add a tag with the key "Project" and a value that identifies the project (e.g., "ProjectA").

Ensure that all relevant resources are tagged appropriately.

View Cost Allocation in Cost Explorer:

Navigate to the Cost Explorer console.

Use the "Group by" option to group costs by the "Project" tag.

Review the cost details for each project based on the tags applied to the resources.

Using Cost Allocation Tags

Analyzing Your Costs with Cost Explorer

This solution provides a central logging solution and automated alerting based on application error logs.

From CloudWatch Logs and Metric Filters documentation:

Use CloudWatch Agent to send logs to CloudWatch Logs. Then, create a metric filter for error patterns and configure an alarm to notify via SNS.

This is fully automated, scalable, and operationally efficient.

To maintain full capacity during new deployments in AWS Elastic Beanstalk, you can use the "Immutable" or "Rolling with additional batch" deployment policies.

Immutable Deployment:

This policy ensures that a new set of instances is launched with the new version of the application. The new instances are only promoted to serve traffic if the deployment succeeds. This ensures zero downtime and maintains full capacity during deployment.

Rolling with Additional Batch:

This policy launches a new batch of instances to handle the traffic while the old instances are being updated. This maintains the full capacity during the deployment process, ensuring that the application remains fully operational.

How to Configure Deployment Policies:

Open Elastic Beanstalk Console:

Navigate to the AWS Elastic Beanstalk console at AWS Elastic Beanstalk Console.

Update Environment Configuration:

Select the environment you want to configure.

Go to Configuration and then Rolling updates and deployments.

Choose either Immutable or Rolling with additional batch as the deployment policy.

AWS Elastic Beanstalk Deployment Policies

Managing and Configuring Environments

"The limit for a backtrack window is 72 hours.....Backtracking is only available for DB clusters that were created with the Backtrack feature enabled....Backtracking "rewinds" the DB cluster to the time you specify. Backtracking is not a replacement for backing up your DB cluster so that you can restore it to a point in time....You can backtrack a DB cluster quickly. Restoring a DB cluster to a point in time launches a new DB cluster and restores it from backup data or a DB cluster snapshot, which can take hours."

To automate the creation and management of IAM roles for multiple AWS accounts in an AWS Organization, using AWS CloudFormation StackSets is the most operationally efficient solution.

AWS CloudFormation StackSets:

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple AWS accounts and regions with a single operation.

Using StackSets with AWS Organizations:

Create a CloudFormation template that defines the necessary IAM roles.

Use StackSets to deploy the template across multiple AWS accounts in your organization.

AWS CloudFormation StackSets

Creating IAM Roles with CloudFormation

To reduce S3 storage costs while ensuring the images remain highly available and immediately accessible, transitioning the images to S3 Standard-IA after 7 days is the most cost-effective solution.

Understand Storage Classes:

S3 Standard-IA (Infrequent Access) is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard, but higher retrieval costs.

Evictions in Redis occur when memory is full and new data overwrites older data. To reduce evictions and retain more data:

Increase node size (memory capacity) or

Add more nodes (sharding)

From ElastiCache Redis eviction documentation:

High eviction count suggests memory pressure. To reduce evictions, consider increasing node size.

To view a list of security groups that are open to the internet on port 3389, the most appropriate tool is AWS Trusted Advisor.

AWS Trusted Advisor:

AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

It includes a security check that identifies security groups with unrestricted access.

Using Trusted Advisor:

Go to the AWS Trusted Advisor console.

In the "Security" category, look for the check that identifies security groups with unrestricted access.

Review the report to find security groups that allow unrestricted access on port 3389 (RDP).

AWS Trusted Advisor

AWS Trusted Advisor Best Practices

To effectively monitor website availability from an end-user perspective and receive notifications when uptime falls below a specified threshold, Amazon CloudWatch Synthetics provides a robust solution. Specifically, the heartbeat monitoring canary is designed to:

Simulate user interactions by regularly accessing the website's URL.

Measure availability and latency, providing insights into the user experience.

Publish metrics, such as SuccessPercent, which indicates the percentage of successful canary runs.

By creating a CloudWatch alarm that monitors the SuccessPercent metric and configuring it to trigger an SNS notification when the value drops below 99%, the company can proactively address availability issues.

This approach ensures continuous monitoring that closely mirrors the end-user experience, allowing for timely interventions when problems arise.

To transition the Amazon Elasticsearch Service (Amazon ES) domain to a highly available, production-grade deployment:

Cluster Configuration:

Use a cluster of six data nodes to handle data ingestion and querying.

Distribute these nodes across three Availability Zones (AZs) for high availability and fault tolerance.

Step-by-Step Explanation:

Understand the Problem:

Enforce a policy that requires all AWS resources to be tagged according to company policy.

Continuously identify non-compliant resources.

Analyze the Requirements:

Implement a solution to monitor and enforce resource tagging compliance.

Evaluate the Options:

Option A: AWS CloudTrail.

Provides logging and monitoring of API calls but does not enforce tagging policies.

Option B: Amazon Inspector.

Primarily used for security assessments, not resource tagging compliance.

Option C: AWS Config.

Monitors and evaluates the configurations of AWS resources.

Can enforce compliance by using AWS Config rules to check resource tags.

Option D: AWS Systems Manager.

Provides operational insights and management but is not specifically designed for compliance enforcement.

Select the Best Solution:

Option C: AWS Config is designed for compliance and configuration monitoring, making it the ideal service for enforcing and identifying non-compliant resource tags.

AWS Config

Managing Resource Tag Compliance with AWS Config

AWS Config provides the necessary tools to enforce and monitor resource tagging compliance, ensuring all resources adhere to the set policy.

To improve RDS performance during peak traffic when resources are over-utilized due to read traffic, the SysOps administrator can take the following actions:

Add a Read Replica:

Amazon RDS Read Replicas provide enhanced performance and durability for database instances.

By creating a read replica, you can offload read traffic from the primary database instance to the replica.

This reduces the load on the primary instance and improves overall performance.

Amazon RDS Read Replicas

Modify the Application to Use Amazon ElastiCache for Memcached:

Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.

By using ElastiCache for Memcached, you can cache frequently accessed data, reducing the number of read requests to the RDS instance.

This can significantly improve the performance of the database during peak traffic.

The MixedInstancesPolicy feature in Auto Scaling groups allows for the configuration of both On-Demand and Spot Instances within a single Auto Scaling group, balancing cost savings and high availability:

MixedInstancesPolicy: Enables configuration to maintain a minimum of three On-Demand Instances and add Spot Instances when prices drop, without the need to create separate launch templates.

Setting Maximum Spot Price: Ensures that additional Spot Instances are launched only when within the defined budget.

This solution offers the least management overhead, as it combines both On-Demand and Spot instances seamlessly in one configuration.

Amazon CloudWatch Synthetics allows you to create canaries that monitor your endpoints and APIs. Canaries are scripts that run on a schedule to check your application’s availability and performance, and can detect issues before your customers do.

Create a CloudWatch Synthetics Canary:

Open the Amazon CloudWatch console at Amazon CloudWatch Console.

Navigate to Synthetics and choose Create Canary.

Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary run.

Configure the Canary:

Define the schedule for the canary to run (e.g., every minute).

Specify the endpoint URL of the website.

Configure the canary to check for specific errors or issues based on your requirements.

Create Alarms:

Set up CloudWatch alarms to notify you when the canary detects issues. You can configure the alarm to send notifications via Amazon SNS.

Creating and Managing Canaries

CloudWatch Synthetics

The problem requires modifying the inbound SSH rule to restrict access to a list of trusted IPs instead of deleting it entirely. AWS Config rules can be configured with automatic remediation actions using either Systems Manager Automation runbooks or Lambda functions. However, AWS Systems Manager Automation runbooks are often more appropriate for managing infrastructure changes like security group modifications because they are reusable, parameterized, and easier to audit.

Create a Systems Manager Automation runbook: This runbook will contain steps to add or modify the existing security group rule, allowing SSH access only from the specified IP addresses.

Update the AWS Config rule: Modify the Config rule to call this new runbook for its automatic remediation. This will prevent deletion of the SSH rule and instead update it based on the IP list.

To improve application responsiveness and handle high CPU utilization:

Create Auto Scaling Group:

Create an Auto Scaling group (ASG) for the EC2 instances running the application.

Installing the CloudWatch agent enables log monitoring, and a CloudWatch metric filter allows alerting on specific errors. Using EventBridge to trigger a Systems Manager Automation runbook automates the restart of the web server, creating an efficient and automated solution.

The error message indicates that the current quota for the number of EC2 instances allowed in the specified region has been reached. To resolve this issue, a quota increase must be requested.

Request Quota Increase:

Open the Service Quotas console at Service Quotas Console.

Navigate to Amazon EC2 service.

Find the specific quota for the instance type family that you need to increase.

Select the quota and choose Request quota increase.

Provide the necessary details and submit the request.

This action will initiate a request to AWS to increase the limit, allowing you to launch additional instances once the request is approved.

Service Quotas

Requesting a Quota Increase

In this scenario, the issue is that the EC2 instances are marked healthy by status checks, but the website is still intermittently failing, returning HTTP 500 errors.

This indicates that the OS-level checks are passing, but the application is not behaving properly. To resolve this, the Auto Scaling group must use ALB (ELB) health checks which verify application-level health, not just EC2 status.

From the Auto Scaling User Guide:

By default, an Auto Scaling group uses EC2 instance status checks to determine the health state of an instance. You can optionally configure the Auto Scaling group to use Elastic Load Balancing health checks in combination with EC2 status checks.

These health checks allow Auto Scaling to detect application failures and replace unhealthy instances automatically.

❌ Why the other options are incorrect:

A. Network Load Balancer is for TCP-level traffic and does not solve HTTP 500 errors.

C. Sticky sessions are used for session persistence and don’t solve server errors.

D. Installing CloudWatch agents and rebooting is reactive and not an automated health check replacement system.

Using AWS CloudFormation stack sets allows you to manage CloudWatch alarms across multiple accounts efficiently:

Create Stack Set: Use a CloudFormation template that defines the required CloudWatch alarms and configures them to publish alerts to an SNS topic.

Specify SNS Topic: Ensure the SNS topic is located in the logging account and has the necessary permissions set to receive publications from all accounts in the organization.

Deploy Across Organization: Implement the stack set across all accounts, ensuring centralized management and standardized deployment.

AWS Documentation Reference:

Learn more about deploying resources with CloudFormation StackSets: Working with AWS CloudFormation StackSets.

You can set the default encryption behavior on an Amazon S3 bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).

How to Prevent Uploads of Unencrypted Objects to Amazon S3#

By using an S3 bucket policy, you can enforce the encryption requirement when users upload objects, instead of assigning a restrictive IAM policy to all users.

Storage Auto Scaling:

Aurora storage auto scaling automatically increases the storage capacity of the database cluster when free storage space is running low.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select your Aurora DB cluster.

Modify the DB cluster configuration to enable storage auto scaling.

Apply the changes.

Aurora Storage Auto Scaling

To address the issue of an errant process consuming an entire processor and running at 100%, the SysOps administrator can automate the restarting of the instance using Amazon CloudWatch and AWS Systems Manager.

Enable Detailed Monitoring:

Ensure that detailed monitoring is enabled on the EC2 instance. Detailed monitoring provides data in 1-minute periods, which is crucial for detecting the 2-minute threshold accurately.

Step-by-Step Explanation:

Understand the Problem:

The threat of ransomware encrypting and holding company data hostage.

Need to protect an Amazon S3 bucket.

Analyze the Requirements:

Ensure that data in the S3 bucket is protected against unauthorized encryption or deletion.

Evaluate the Options:

Option A: Deny Post, Put, and Delete on the bucket.

Denying these actions would prevent any uploads or modifications to the bucket, making it unusable.

Option B: Enable server-side encryption on the bucket.

Server-side encryption protects data at rest but does not prevent the encryption of data by ransomware.

Option C: Enable Amazon S3 versioning on the bucket.

S3 versioning keeps multiple versions of an object in the bucket. If a file is overwritten or encrypted by ransomware, previous versions of the file can still be accessed.

Option D: Enable snapshots on the bucket.

Amazon S3 does not have a snapshot feature; this option is not applicable.

Select the Best Solution:

Option C: Enabling Amazon S3 versioning is the best solution as it allows access to previous versions of objects, providing protection against ransomware encryption by retaining prior, unencrypted versions.

Amazon S3 Versioning

Best Practices for Protecting Data with Amazon S3

Enabling S3 versioning ensures that previous versions of objects are preserved, providing a safeguard against ransomware by allowing recovery of unencrypted versions of data.

Snapshot Deletion Policy:

The Snapshot Deletion Policy ensures that a snapshot is created when an RDS instance is deleted as part of a CloudFormation stack deletion.

Steps:

Update your CloudFormation template to include the DeletionPolicy attribute for the RDS instance resource.

Example template snippet:

Resources:

MyDBInstance:

Type: AWS::RDS::DBInstance

Properties:

# DB instance properties

DeletionPolicy: Snapshot

 This configuration retains a snapshot of the RDS instance data when the stack is deleted.

 Reference: AWS CloudFormation DeletionPolicy

Problem Analysis:

The CloudWatch agent configuration is inconsistent across instances.

A centralized and automated mechanism is needed for consistent configuration management.

Action: Store Configuration in Systems Manager Parameter Store:

Parameter Store allows for secure, centralized storage of configuration files.

Steps:

Open Systems Manager Console.

Navigate to Parameter Store.

Create a parameter with the CloudWatch agent configuration file content.

Action: Use State Manager to Apply Configuration:

Systems Manager State Manager automates repetitive tasks such as ensuring consistent configuration.

Steps:

Open State Manager Console.

Create an association using the AmazonCloudWatch-ManageAgent document.

Configure the document to use Parameter Store as the configuration source.

Use tags (key = "OS", value = "Windows") to target the Windows EC2 instances.

Why Other Options Are Incorrect:

A: Using an S3 bucket for configuration storage lacks integration with Systems Manager for automation.

B: OpsCenter is for managing operational issues, not configuration files.

E: S3 as a configuration source is valid but introduces additional operational complexity compared to Parameter Store.

Cluster Placement Group:

Cluster placement groups are used to ensure low-latency networking between EC2 instances. They place instances physically close to each other within the same Availability Zone.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Placement Groups."

Create a new cluster placement group.

Back up the existing EC2 instance to an AMI.

Launch new EC2 instances from the AMI into the cluster placement group.

Ensure all instances are in the same Availability Zone.

Placement Groups

To centrally store traffic logs for the website and ensure all data is encrypted at rest, using an Amazon S3 bucket with default server-side encryption is the best solution.

Create an Amazon S3 Bucket with Server-Side Encryption:

Open the S3 console and create a new bucket.

In the bucket properties, enable default server-side encryption using AES-256.

Configure CloudFront to Use the S3 Bucket as a Log Destination:

Open the CloudFront console.

Select the CloudFront distribution and configure the logging settings.

Specify the S3 bucket as the log destination.

Server-Side Encryption:

Ensure that the S3 bucket is configured to use server-side encryption with AES-256 by default, ensuring that all logs stored are encrypted at rest.

Amazon S3 Server-Side Encryption

CloudFront Access Logs

When troubleshooting inability to access an EC2 instance from the internet, you should:

A: Verify that the security group rules allow inbound HTTP and HTTPS traffic on ports 80 and 443. Security groups act as a virtual firewall to control the traffic to instances.

D: Check that outbound rules in the network ACL allow traffic for ephemeral ports 1024-65535. This is crucial for return traffic from web requests, which typically use these higher port numbers for responses.

E: Confirm that any software-based firewalls on the instance (such as Windows Firewall or iptables in Linux) are configured to allow inbound traffic on HTTP and HTTPS. These steps will ensure that the web server is correctly configured to receive and respond to web traffic from the internet. AWS provides guidelines on these configurations in their documentation on security groups EC2 Security Groups and network ACLs Network ACLs.

The kubeconfig file is a configuration file used to store cluster authentication information, which is required to make requests to the Amazon EKS cluster API server. The kubeconfig file will need to be configured on the SysOps administrator's machine in order for kubectl to be able to communicate with the cluster API server.

You are correct that an A record typically points to an IP address. However, in the case of an Application Load Balancer (ALB), you cannot use an A record with an IP address because the IP addresses of an ALB can change over time. Instead, you can use an alias record to point to the DNS name of the ALB. An alias record is a Route 53 extension to DNS that allows you to route traffic to selected AWS resources, such as an ALB, by using a friendly DNS name, such as example.com, instead of the resource’s IP address or DNS name.

To manage incomplete multipart uploads in an Amazon S3 bucket, creating an S3 Lifecycle rule to specifically address these uploads is the most effective method. The rule can be configured to automatically delete expired multipart upload parts, which helps in cleaning up unused data and reducing storage costs. Option A is correct as it directly addresses the requirement to manage incomplete uploads effectively. Reference on setting up S3 Lifecycle policies can be found here Amazon S3 Lifecycle.

The key requirements are:

Minimize application downtime

Minimize risk of failed deployment

From AWS Deployment Strategies:

Blue/Green deployment:Deploys new version alongside the old one, then switches traffic. Allows easy rollback and zero downtime.

Immutable deployment:Deploys a new environment (new EC2 instances) and switches traffic to it, without modifying existing instances.

Both provide safe, low-risk deployments with high availability.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function on a daily basis. Configure the function to restore the DB cluster to a point in time and then delete the previous DB cluster. This is the most operationally efficient solution that meets the requirements, as it will allow the company to reset the database on a daily basis without having to manually take and restore snapshots. The other solutions (creating a manual snapshot of the DB cluster, enabling the Backtrack feature, or exporting a manual snapshot of the DB cluster to Amazon S3) will require additional steps and resources to reset the database on a daily basis.

A company hosts an application on an Amazon EC2 instance in a single AWS Region. The application requires support for non-HTTP TCP traffic and HTTP traffic.

The company wants to deliver content with low latency by leveraging the AWS network. The company also wants to implement an Auto Scaling group with an

Elastic Load Balancer.

How should a SysOps administrator meet these requirements?

A. Create an Auto Scaling group with an Application Load Balancer (ALB). Add an Amazon CloudFront distribution with the ALB as the origin.

B. Create an Auto Scaling group with an Application Load Balancer (ALB). Add an accelerator with AWS Global Accelerator with the ALB as an endpoint.

C. Create an Auto Scaling group with a Network Load Balancer (NLB). Add an Amazon CloudFront distribution with the NLB as the origin.

D. Create an Auto Scaling group with a Network Load Balancer (NLB). Add an accelerator with AWS Global Accelerator with the NLB as an endpoint.

Answer: D

AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.

To troubleshoot connectivity issues for an EC2 instance that's not accessible via RDP after moving to a private subnet, VPC flow logs are the most direct and useful tool. VPC flow logs capture information about the IP traffic going to and from network interfaces in your VPC, enabling you to identify whether the traffic to the EC2 instance is being allowed or rejected. Setting up flow logs for the EC2 instance’s network interface will help pinpoint any blocks or drops in traffic that could be causing the timeout error. Option C is the correct action as it directly investigates the traffic flow, which is crucial for resolving connectivity issues. AWS documentation on VPC flow logs provides further details VPC Flow Logs.

This solution is operationally efficient and leverages AWS services to provide notifications when the Lambda function is not invoked, indicating that the file did not arrive.

Steps:

Create a CloudWatch Alarm:

Open the Amazon CloudWatch console.

In the navigation pane, choose "Alarms" and then "Create Alarm".

Select Lambda Metrics:

Choose "Select metric" and then navigate to "AWS Lambda" metrics.

Select the Lambda function that processes the S3 files.

Choose the "Invocations" metric.

Configure the Alarm:

Set the period to 1 hour.

Define the threshold condition to trigger when the Invocations metric is zero.

Under "Additional configuration", configure the alarm to treat missing data as "breaching".

Set Alarm Actions:

Configure the alarm action to send a notification to an Amazon SNS topic.

Create an SNS topic if one does not exist, and subscribe the application team to this topic.

Testing and Verification:

Ensure that the alarm triggers correctly by simulating a missing file scenario and confirming that the notification is sent to the SNS topic.

This approach uses CloudWatch to monitor the invocation frequency of the Lambda function, ensuring that the application team is notified whenever the expected file does not arrive within the specified timeframe.

AWS Secrets Manager is the recommended and native solution for managing secrets such as RDS DB credentials, with built-in support for automatic password rotation.

From Secrets Manager RDS integration documentation:

Secrets Manager supports automatic rotation for Amazon RDS databases. You can configure rotation for the master user credentials using a predefined Lambda rotation function provided by AWS.

This is the least operational effort option:

No custom Lambda code required

Seamlessly integrates with RDS

Fully managed password rotation

When using the RequestCountPerTarget metric for scaling in an Auto Scaling group, the behavior of instance scaling follows specific rules set by Auto Scaling policies and cooldown periods:

Scaling Trigger: The Auto Scaling group triggers a scaling action whenever the RequestCountPerTarget exceeds the predefined limit set in the scaling policy.

Cooldown Period: After launching an EC2 instance due to a scaling action, the Auto Scaling group enters a cooldown period. During this period, despite further breaches of the threshold, no additional instances will be launched. This is designed to give the newly launched instance time to start and begin handling traffic, preventing the Auto Scaling group from launching too many instances too quickly.

This mechanism helps maintain efficient use of resources by adapting to changes in load while avoiding rapid, unnecessary scaling actions.

Step-by-Step Explanation:

Understand the Problem:

A user cannot upload an object to an S3 bucket using a presigned URL, even though the URL is valid and the bucket has no policy applied.

Analyze the Requirements:

Determine the cause of the issue preventing the upload via the presigned URL.

Evaluate the Options:

Option A: The user has not properly configured the AWS CLI.

CLI configuration is not relevant to using a presigned URL.

Option B: The SysOps administrator does not have the necessary permissions.

The administrator's permissions are required to generate a valid presigned URL with sufficient permissions.

Option C: A bucket policy is required.

A bucket policy is not necessary if the presigned URL has the correct permissions.

Option D: The object has already been uploaded.

A presigned URL remains valid until it expires or the specified permissions are revoked.

Select the Best Solution:

Option B: Ensuring that the SysOps administrator has the necessary permissions to upload objects to the S3 bucket is crucial for generating valid presigned URLs.

Amazon S3 Presigned URLs

IAM Policies for Amazon S3

The SysOps administrator must have the necessary permissions to upload objects to the S3 bucket, ensuring that the presigned URL generated allows the user to upload successfully.

Evictions in Amazon ElastiCache for Memcached occur when the cache runs out of available memory and needs to remove existing data to store new data. To reduce evictions, you can either add more nodes to the cluster or increase the size of the individual nodes.

Add an Additional Node:

Open the Amazon ElastiCache console at Amazon ElastiCache Console.

Select your Memcached cluster and choose Modify.

Increase the number of nodes in the cluster to add more memory capacity.

Apply the changes to scale out the cluster.

Increase the Individual Node Size:

Open the Amazon ElastiCache console and select your Memcached cluster.

Choose Modify and change the node type to a larger instance size with more memory.

Apply the changes to scale up the cluster.

Both actions will provide additional memory capacity, reducing the likelihood of evictions due to insufficient memory.

Scaling ElastiCache for Memcached

Amazon ElastiCache for Memcached User Guide

CloudTrail Log File Integrity Validation:

AWS CloudTrail provides a feature for log file integrity validation to ensure logs have not been modified or deleted.

Steps to Enable and Validate:

Enable Log File Integrity Validation:

Go to the CloudTrail Console.

Select or create a trail.

In the trail settings, enable Log file validation.

Use the AWS CLI for Validation:

Use the following CLI command:

aws cloudtrail validate-logs --trail-name

This command validates the digest files generated by CloudTrail against the log files.

Why Other Options Are Incorrect:

B: Using the AWS CloudTrail Processing Library is unnecessary for validation.

C: CloudTrail Insights is designed to identify unusual activity, not monitor log modifications.

D: Amazon CloudWatch Logs cannot directly monitor CloudTrail logs for integrity.

To troubleshoot high CPU utilization during load testing without scaling out, the SysOps administrator should suspend the Launch and Terminate process types in the Auto Scaling group.

Suspending Processes:

Suspending the Launch and Terminate processes will temporarily stop the Auto Scaling group from adding or removing instances, allowing for troubleshooting without automatic scaling interruptions.

This ensures that the root cause of the high CPU utilization can be investigated without the Auto Scaling group launching additional instances.

Steps to Suspend Processes:

Go to the Auto Scaling group in the AWS Management Console.

Select the group and choose the "Suspend Processes" option.

Suspend the Launch and Terminate processes.

After troubleshooting, resume the processes to re-enable scaling.

To implement a caching service while maintaining high availability for an Amazon RDS DB instance, the combination of Amazon ElastiCache for Redis and enabling Multi-AZ for the data store will meet these requirements.

Create an Amazon ElastiCache for Redis Data Store:

Redis is an in-memory data structure store that can be used as a database, cache, and message broker. It provides high availability through its replication feature.

Go to the ElastiCache console.

Choose "Create" and select "Redis."

Configure the Redis cluster with the required parameters.

Enable Multi-AZ for the Data Store:

Multi-AZ deployment provides enhanced availability and durability for Redis. In case of a failure, it automatically fails over to the replica node.

During the creation of the Redis cluster, enable Multi-AZ.

This ensures that there is a standby replica in another Availability Zone, providing high availability.

Amazon ElastiCache for Redis

ElastiCache for Redis Multi-AZ

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks:

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service:

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

Graphical user interface, application, Teams Description automatically generated