Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers | Set: 3

CloudWatch alarm actions like EC2 reboot require CloudWatch to assume a service-linked role to interact with EC2 on behalf of the user.

From the Amazon CloudWatch documentation:

When you create an alarm that performs actions such as rebooting an instance, CloudWatch uses a service-linked role named AWSServiceRoleForCloudWatchEvents to execute the action.

To create this role, a user must have the iam:CreateServiceLinkedRole permission.

Several factors can affect the availability of an S3 object through a presigned URL:

Expiration of Presigned URL: A presigned URL is valid only until its specified expiration time. Once expired, it becomes inaccessible.

Invalid Access Key: If the access key of the SysOps administrator who generated the presigned URL is revoked or rotated, the URL will no longer be valid.

Other options like enabling Block Public Access or changing the object ACL to All Users are not necessary for presigned URLs, as these URLs temporarily grant access regardless of public bucket settings.

To allow access using current LDAP credentials while migrating to AWS, the best approach is to federate the LDAP directory with IAM using SAML.

Set Up SAML-Based Federation:

AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. You need to configure your LDAP directory to federate with AWS IAM via SAML.

https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

RDS Proxy acts as an intermediary between your application and an RDS database. RDS Proxy establishes and manages the necessary connection pools to your database so that your application creates fewer database connections. Your Lambda functions interact with RDS Proxy instead of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to reuse existing connections, rather than creating new connections for every function invocation.

Check "Database proxy for Amazon RDS" section in the link to see how RDS proxy help Lambda handle huge connections to RDS MySQL https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

To optimize storage costs while maintaining immediate access to objects for one year, the following strategy is recommended:

Initial Storage in S3 Standard:Store the objects in S3 Standard for the first 30 days, as they are frequently accessed during this period.

Transition to S3 Standard-Infrequent Access (S3 Standard-IA):After 30 days, transition the objects to S3 Standard-IA, which is designed for data that is accessed less frequently but requires rapid access when needed. This storage class offers lower storage costs compared to S3 Standard, making it cost-effective for data that is rarely accessed after the initial 30 days.

This approach ensures that the objects remain immediately retrievable for the entire year while optimizing storage costs based on access patterns.

To centrally manage application logs and retain them for no more than 90 days, you can use the Amazon CloudWatch Logs agent to send logs to a CloudWatch log group and configure the log group's retention period.

Update the Launch Template User Data:

Navigate to the EC2 console.

Select the launch template used by the Auto Scaling group.

Edit the launch template to include the following user data script:

#!/bin/bash

yum update -y

yum install -y awslogs

cat < /etc/awslogs/awslogs.conf

[general]

state_file = /var/lib/awslogs/agent-state

[/var/log/messages]

file = /var/log/messages

log_group_name = /my-log-group

log_stream_name = {instance_id}/messages

datetime_format = %b %d %H:%M:%S

[/var/log/secure]

file = /var/log/secure

log_group_name = /my-log-group

log_stream_name = {instance_id}/secure

datetime_format = %b %d %H:%M:%S

EOF

systemctl start awslogsd

systemctl enable awslogsd

Replace /my-log-group with the name of your CloudWatch log group.

Configure the Log Group Retention Period:

Navigate to the CloudWatch console.

In the navigation pane, choose "Logs".

Select the log group created by the CloudWatch Logs agent.

Click on "Actions" and then "Edit retention settings".

Set the retention period to 90 days.

Verify the Configuration:

Ensure that logs from the EC2 instances are being sent to the CloudWatch log group.

Verify that the log group's retention period is correctly set to 90 days.

Amazon CloudWatch Logs Agent

Setting Log Retention in CloudWatch

To configure an Amazon RDS database for high availability, you can use the Multi-AZ deployment option. Multi-AZ deployments provide enhanced availability and durability for RDS instances, making them a suitable choice for production environments. Here’s a step-by-step guide to achieve this:

Login to AWS Management Console:

Open the Amazon RDS console at Amazon RDS Console.

Select the RDS Instance:

In the navigation pane, choose Databases.

Select the database instance that you want to modify.

Modify the Instance:

Choose the Modify button.

In the Availability & durability section, select the option to enable Multi-AZ deployment.

Choose the appropriate instance class and storage settings if needed.

Apply Changes:

Review your settings, and then choose Continue.

Choose Apply immediately if you want the changes to take effect immediately. Otherwise, the changes will be applied during the next maintenance window.

Review and Confirm:

Confirm the changes and the instance will start modifying to a Multi-AZ deployment. This process might take some time, depending on the size of your database.

Modifying an Amazon RDS DB instance

Multi-AZ Deployments

To address the issue of an errant process consuming an entire processor and running at 100%, the SysOps administrator can automate the restarting of the instance using Amazon CloudWatch and AWS Systems Manager.

Enable Detailed Monitoring:

Ensure that detailed monitoring is enabled on the EC2 instance. Detailed monitoring provides data in 1-minute periods, which is crucial for detecting the 2-minute threshold accurately.

For a Lambda function in Account A to access an S3 bucket in Account B, the correct IAM roles setup includes:

A: In Account A, create a Lambda execution role that has permissions to assume another role in Account B. In Account B, create a role with permissions to access the S3 bucket and trust the Lambda execution role from Account A to assume it. This configuration allows the Lambda function to assume the cross-account role and access the S3 bucket as needed, maintaining security and proper access control. AWS documentation provides more details on setting up cross-account roles for Lambda access AWS Lambda Permissions.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html

Syntax The DependsOn attribute can take a single string or list of strings. "DependsOn" : [ String, ... ] Example The following template contains an AWS::EC2::Instance resource with a DependsOn attribute that specifies myDB, an AWS::RDS::DBInstance. When CloudFormation creates this stack, it first creates myDB, then creates Ec2Instance.