Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers | Set: 2

To achieve a limited rollout of the new website to 20% of the company's customers using Amazon Route 53, a weighted routing policy is the most appropriate solution.

Weighted Routing Policy:

Weighted routing lets you associate multiple resources with a single domain name and choose how much traffic is routed to each resource.

Configuration:

Open the Route 53 console.

Select the hosted zone and choose "Create Record Set."

Create two records for your domain:

One record for the original resource with a weight of 80.

Another record for the new resource with a weight of 20.

Amazon Route 53 Weighted Routing

To define a custom health check for EC2 instances behind an Application Load Balancer (ALB), follow these steps:

Configure Health Checks on ALB:

In the AWS Management Console, navigate to the EC2 dashboard, then to Load Balancers.

Select your ALB and go to the "Health Checks" tab.

Set the HealthCheckPath to the specific path that your application uses to determine if an instance is healthy. This could be a specific URL or endpoint on your application.

AWS WAF (Web Application Firewall) is designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can help mitigate cross-site scripting (XSS) vulnerabilities by allowing users to create rules to filter specific types of HTTP requests.

Create a Web ACL:

Go to the AWS WAF & Shield console.

Click "Create web ACL" and specify a name and the AWS resource to protect (e.g., an Application Load Balancer).

Add Rules to Mitigate XSS:

Within the Web ACL, add a new rule.

Select "Rule builder" and choose a rule type. For mitigating XSS, use "AWS Managed Rules" or create a custom rule.

AWS Managed Rules include a predefined set for XSS that you can enable.

Configure the XSS Rule:

If using a custom rule, configure it to inspect requests and block any that contain XSS patterns.

Use regular expressions or specific patterns to identify malicious scripts.

Deploy the Web ACL:

Once configured, save the Web ACL.

Associate it with your Application Load Balancer or CloudFront distribution to start filtering requests.

Monitor and Adjust:

Monitor the requests being blocked by AWS WAF.

Adjust the rules as necessary to ensure legitimate traffic is not affected and the application remains protected.

AWS WAF Developer Guide

AWS WAF Managed Rules

Enable deletion protection for the DynamoDB tables:

Deletion protection is a feature that prevents accidental deletion of DynamoDB tables. When enabled, it requires an additional step to disable this protection before the table can be deleted.

Steps:

Go to the AWS Management Console.

Navigate to DynamoDB.

Select the table you want to protect.

Choose the "Overview" tab.

Under "Deletion protection," click "Enable deletion protection."

AWS DynamoDB Deletion Protection

Enable point-in-time recovery (PITR) for the DynamoDB tables:

PITR provides continuous backups of your DynamoDB tables. You can restore the table to any point in time within the last 35 days.

Steps:

Go to the AWS Management Console.

Navigate to DynamoDB.

Select the table you want to enable PITR for.

Choose the "Backups" tab.

Click on "Enable Point-in-Time Recovery."

If a table is accidentally deleted, you can restore it using PITR.

Go to the DynamoDB console.

Select "Backups" from the navigation pane.

Find the table backup and choose "Restore."

Step-by-Step Explanation:

Understand the Problem:

Ensure all users in the organization have read-level access to a specific S3 bucket.

The data should not be accessible outside the organization.

Analyze the Requirements:

Grant read access to users within the organization.

Prevent access from outside the organization.

Evaluate the Options:

Option A: Specify "*" as the principal and PrincipalOrgId as a condition.

This grants access to all AWS principals but restricts it to those within the specified organization using the PrincipalOrgId condition.

Option B: Specify all account numbers as the principal.

This is impractical for a large organization and requires constant updates if accounts are added or removed.

Option C: Specify PrincipalOrgId as the principal.

The PrincipalOrgId condition must be used within a policy, not as a principal.

Option D: Specify the organization's management account as the principal.

This grants access only to the management account, not to all users within the organization.

Select the Best Solution:

Option A: Using "*" as the principal with the PrincipalOrgId condition ensures all users within the organization have the required access while preventing external access.

Amazon S3 Bucket Policies

AWS Organizations Policy Examples

Using "*" as the principal with the PrincipalOrgId condition efficiently grants read access to the S3 bucket for all users within the organization.

The most operationally efficient and secure method to share an object from a private Amazon S3 bucket with users who do not have an AWS account is by generating a presigned URL. This URL grants temporary access to the object and can be limited by time, ensuring that users can only access the S3 object during a specified window. This does not require managing network configurations or sharing credentials, making it a secure and simple solution. Option D is therefore the correct answer. Reference to this method can be found in the AWS S3 documentation on presigned URLs Amazon S3 Presigned URLs.

Enabling Instance Scale-In Protection:

Instance scale-in protection prevents Auto Scaling from terminating specific instances.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Auto Scaling Groups."

Select your Auto Scaling group.

Go to the "Instance management" tab.

Select the instances you want to protect and click "Actions."

Choose "Enable scale-in protection."

This ensures that instances are not terminated during troubleshooting.

Instance Scale-In Protection

The default behavior of AWS CloudFormation when the creation of a resource fails is to roll back the stack and delete the stack.

Stack Creation Failure:

If any resource within the stack fails to create, CloudFormation rolls back the stack by deleting all the resources that were successfully created up to the point of failure.

This ensures that no partially created resources are left in the user's account.

Review the Events:

Open the CloudFormation console.

Select the stack and review the "Events" tab to identify the cause of the failure.

AWS CloudFormation Stack Rollback

Troubleshooting AWS CloudFormation

Based on the attached policy, the following actions are allowed for the IAM user:

Allow Amazon RDS DescribeDBInstances Action:

The policy allows rds:Describe* actions on all resources without any condition, so the user can describe RDS instances in any region.

Example action:

rds:DescribeDBInstances

AWS CloudFormation StackSets Overview:

StackSets allows for deployment of CloudFormation stacks across multiple AWS accounts and Regions.

A stack instance in the "OUTDATED" status indicates that the stack template or parameters differ between the StackSet and the stack instance.

Why the Stack Instance Fails:

The "OUTDATED" status occurs when the stack operation (creation or update) was not successfully completed in a specific Region.

In this case, the most likely reason is that the stack has not yet been deployed in the specified Region.

Steps to Resolve:

Check the deployment status in the CloudFormation StackSets Console.

Identify the Region where the stack is in the "OUTDATED" status.

Retry the stack deployment for that Region by running a stack set update or stack instance operation.

Why Other Options Are Incorrect:

A: Local template changes do not impact CloudFormation unless submitted to AWS. This is unrelated to StackSets.

B: While creating a global resource might fail, it would result in an error status (e.g., "FAILED"), not "OUTDATED."

D: Using an old API version would cause errors in the API request, not affect the stack instance status.