Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers

To control the production account efficiently, the most operationally efficient solution is to create a service control policy (SCP) and apply it to the production OU. SCPs allow you to manage permissions for AWS Organizations at the organizational unit (OU) or account level.

Service Control Policies (SCPs):

SCPs are a type of policy that can restrict what services and actions can be used in the accounts within an OU.

They are applied at the organizational unit level and provide a way to enforce corporate policies across multiple AWS accounts.

Steps to Implement:

Navigate to the AWS Organizations console.

Create a new SCP that specifies the allowed or denied services and actions.

Apply the SCP to the production OU.

AWS Organizations SCPs

To investigate AWS Secrets Manager password rotation and troubleshoot the authentication failure of an application running on Amazon EC2 instances, you should check the AWS Lambda function logs responsible for the password rotation.

Understand Secrets Manager Password Rotation:

AWS Secrets Manager can automatically rotate secrets according to a specified rotation schedule using an AWS Lambda function.

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.

To record all S3 API activity, the SysOps administrator should create an AWS CloudTrail trail to log data events for all S3 objects. This solution provides comprehensive logging of all API activities at the object level within S3 buckets.

AWS CloudTrail:

CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

It records all API calls for Amazon S3 objects, providing a detailed history of changes made to S3 resources.

Configuration Steps:

Go to the CloudTrail console and create a new trail.

Enable data events and specify the S3 buckets to monitor.

CloudTrail will then record S3 object-level API operations such as GetObject, DeleteObject, and PutObject.

AWS Single Sign-On (AWS SSO) provides a centralized interface to manage SSO access to multiple AWS accounts and business applications. AWS SSO integrates with AWS Organizations and supports SAML 2.0 identity providers, making it an ideal solution for centrally managing user access and permissions across multiple AWS accounts.

AWS Single Sign-On (AWS SSO):

AWS SSO allows you to manage SSO access and user permissions to all of your AWS accounts and applications.

It integrates seamlessly with AWS Organizations.

Integration with SAML 2.0 IdP:

AWS SSO supports integration with third-party SAML 2.0 identity providers.

This allows centralized management of user identities and access.

Steps to Implement:

Enable AWS SSO in your AWS Organizations management account.

Configure AWS SSO to connect with your third-party SAML 2.0 IdP.

Assign user permissions and roles for each AWS account through AWS SSO.

AWS Single Sign-On

Integrating AWS SSO with SAML 2.0 Identity Providers

When users report that old content is still appearing on the website after modifying files in an S3 bucket used by CloudFront, creating a CloudFront invalidation is the best solution.

CloudFront Invalidation:

Invalidation is the process of removing objects from the CloudFront cache before they expire.

This ensures that the updated content is served to the users.

Creating an Invalidation:

Open the CloudFront console.

Select the distribution and go to the "Invalidations" tab.

Create a new invalidation and specify the paths of the updated files.

Invalidating Files in Amazon CloudFront

https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-bucket-encryption.html

You can set the default encryption behavior on an Amazon S3 bucket so that all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS Key Management Service (AWS KMS) customer master keys (CMKs).

https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/

How to Prevent Uploads of Unencrypted Objects to Amazon S3#

By using an S3 bucket policy, you can enforce the encryption requirement when users upload objects, instead of assigning a restrictive IAM policy to all users.

Objective:

Retain system and application logs for 13 months.

Ensure logs are preserved independently of EC2 instance termination.

Make logs easily accessible during the retention period.

Steps to Implement (Following Option D):

Step 1: Create a CloudWatch Log Group:

Open the CloudWatch console and create a new log group.

Set the retention period to 13 months using the "Expire Events After" feature.

Step 2: Deploy the Unified CloudWatch Agent:

Install the CloudWatch agent on all EC2 instances hosting the workload. The agent provides unified logging capabilities for system and application logs.

Step 3: Configure the Agent to Push Logs:

Configure the agent to push logs (e.g., /var/log/messages, application logs) to the created log group.

Use the agent configuration file to specify log paths, log groups, and retention settings.

Step 4: Attach Necessary IAM Role:

Attach an instance profile with an IAM policy that grants the necessary permissions (logs:PutLogEvents, logs:CreateLogStream) to send logs to CloudWatch.

Step 5: Verify Logging:

Confirm that logs are being sent to the CloudWatch log group and are stored according to the 13-month retention policy.

AWS References:

Unified CloudWatch Agent:Install and Configure CloudWatch Agent

CloudWatch Log Retention:Setting Log Retention in CloudWatch

IAM Permissions for CloudWatch Logs:IAM Policies for CloudWatch Logs

Why Other Options Are Incorrect:

Option A and C: Suggest using Amazon S3 for log storage, which is valid but requires external mechanisms (e.g., scripts) for log transfer and lacks native querying tools.

Option B: Does not mention using the unified CloudWatch agent, which is required to efficiently push logs from EC2 instances to CloudWatch Logs.

This solution is operationally efficient and leverages AWS services to provide notifications when the Lambda function is not invoked, indicating that the file did not arrive.

Steps:

Create a CloudWatch Alarm:

Open the Amazon CloudWatch console.

In the navigation pane, choose "Alarms" and then "Create Alarm".

Select Lambda Metrics:

Choose "Select metric" and then navigate to "AWS Lambda" metrics.

Select the Lambda function that processes the S3 files.

Choose the "Invocations" metric.

Configure the Alarm:

Set the period to 1 hour.

Define the threshold condition to trigger when the Invocations metric is zero.

Under "Additional configuration", configure the alarm to treat missing data as "breaching".

Set Alarm Actions:

Configure the alarm action to send a notification to an Amazon SNS topic.

Create an SNS topic if one does not exist, and subscribe the application team to this topic.

Testing and Verification:

Ensure that the alarm triggers correctly by simulating a missing file scenario and confirming that the notification is sent to the SNS topic.

This approach uses CloudWatch to monitor the invocation frequency of the Lambda function, ensuring that the application team is notified whenever the expected file does not arrive within the specified timeframe.

Installing the CloudWatch agent enables log monitoring, and a CloudWatch metric filter allows alerting on specific errors. Using EventBridge to trigger a Systems Manager Automation runbook automates the restart of the web server, creating an efficient and automated solution.