Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers | Set: 4

To monitor usage and quotas across multiple accounts, CloudWatch now supports cross-account observability with delegated administrators.

From CloudWatch cross-account observability:

A delegated administrator can monitor CloudWatch data from linked accounts in a central monitoring account.

Also:

You can use the SERVICE_QUOTA() function in a metric math expression to create alarms on quota utilization.

AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance. It provides actionable recommendations to help you choose the right EC2 instances and AWS Lambda configurations.

Access AWS Compute Optimizer:

Open the AWS Compute Optimizer console at AWS Compute Optimizer Console.

Review the recommendations for your EC2 instances and AWS Lambda functions.

Implement Recommendations:

Analyze the recommendations, which might include resizing instances, changing instance types, or modifying Lambda memory settings.

Apply the recommendations to optimize your resources and reduce costs.

AWS Compute Optimizer

Getting Started with AWS Compute Optimizer

The key requirements are:

Minimize application downtime

Minimize risk of failed deployment

From AWS Deployment Strategies:

Blue/Green deployment:Deploys new version alongside the old one, then switches traffic. Allows easy rollback and zero downtime.

Immutable deployment:Deploys a new environment (new EC2 instances) and switches traffic to it, without modifying existing instances.

Both provide safe, low-risk deployments with high availability.

Update AWS Account Name:

The AWS account name can only be changed by the root user of the account.

Steps:

Sign in to the AWS Management Console using the root user credentials.

Navigate to the "My Account" page.

Update the account name field and save the changes.

Updating the AWS Account Name

Using AWS Systems Manager Patch Manager with a maintenance window is a best practice for automating OS patch management across instances in an Auto Scaling group.

Patch Manager: Allows for scheduled patching according to maintenance windows, ensuring minimal impact on application uptime.

RebootOption parameter: Setting this to RebootIfNeeded ensures patches are applied fully when a reboot is required.

AWS-RunPatchBaseline: This document automates the patching process and can be customized based on compliance requirements.

Step-by-Step Explanation:

Understand the Problem:

CloudTrail must be re-enabled immediately if it is disabled.

Analyze the Requirements:

Implement an automatic solution to monitor and re-enable CloudTrail.

Evaluate the Options:

Option A: Add the AWS account to AWS Organizations and enable CloudTrail in the management account.

This provides centralized management but does not ensure automatic re-enabling of CloudTrail.

Option B: Create an AWS Config rule with automatic remediation.

AWS Config can monitor changes and automatically remediate by re-enabling CloudTrail.

Option C: Create an AWS Config rule that invokes a Lambda function.

This requires custom code, which is not preferred.

Option D: Create an EventBridge rule with a Systems Manager Automation document.

This can re-enable CloudTrail but is more complex compared to AWS Config’s built-in remediation.

Select the Best Solution:

Option B: Using AWS Config with automatic remediation ensures CloudTrail is re-enabled without writing custom code.

AWS Config Rules

Automatic Remediation with AWS Config

Creating an AWS Config rule with automatic remediation ensures that CloudTrail is immediately re-enabled if it is disabled.

To stop EC2 instances in a development environment when they are not in use, you can create a CloudWatch alarm based on CPU utilization.

Create CloudWatch Alarm:

Navigate to the CloudWatch console.

Select "Alarms" and click on "Create Alarm".

Choose the EC2 instance metric for CPU utilization.

Set the condition to trigger the alarm when the average CPU utilization is less than 5% for a continuous 30-minute period.

To restrict access to an Amazon S3 bucket to Amazon EC2 instances in a VPC only, and ensure all traffic is over the AWS private network, the SysOps administrator should create a VPC endpoint for the S3 bucket and create an S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

Create a VPC Endpoint for S3:

Open the VPC console.

Choose "Endpoints" and then "Create Endpoint."

Select the service name "com.amazonaws.[region].s3."

Choose the VPC and the subnets where the EC2 instances reside.

Configure the route tables to include the VPC endpoint.

Create an S3 Bucket Policy:

Open the S3 console and select the bucket.

Go to the "Permissions" tab and edit the bucket policy.

Add a condition to the policy to allow access only from the VPC endpoint.

Example policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:*",

"Resource": [

"arn:aws:s3:::your-bucket-name",

"arn:aws:s3:::your-bucket-name/*"

],

"Condition": {

"StringEquals": {

"aws:sourceVpce": "vpce-12345678"

}

}

}

]

}

Amazon S3 VPC Endpoints

Amazon S3 Bucket Policies

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html

When establishing a VPC peering connection between two VPCs, you need to update the route tables of both VPCs to allow traffic to flow between them.

Route Table of VPC A (10.0.0.0/16):

Local Route: This route is automatically created to allow traffic within the VPC.

Destination: 10.0.0.0/16, Target: Local

Peering Connection Route: This route directs traffic destined for VPC B (172.31.0.0/16) through the VPC peering connection.

Destination: 172.31.0.0/16, Target: pcx-12345

Route Table of VPC B (172.31.0.0/16):

Local Route: This route is automatically created to allow traffic within the VPC.

Destination: 172.31.0.0/16, Target: Local

Peering Connection Route: This route directs traffic destined for VPC A (10.0.0.0/16) through the VPC peering connection.

Destination: 10.0.0.0/16, Target: pcx-12345

VPC Peering Routing