Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers | Set: 5

When EC2 instances in a VPC cannot resolve on-premises DNS names like mssql.example.com, it is usually because the default DHCP options set provided by AWS does not allow forwarding DNS queries outside of the VPC.

To resolve this, you must:

Create a Route 53 Resolver outbound endpoint in your VPC.

Define a forwarding rule for the example.com domain, specifying the on-premises DNS server as the target.

Associate the forwarding rule with the VPC where the EC2 instance resides.

This setup enables DNS queries for example.com to be forwarded from AWS to the on-premises DNS servers, thereby enabling name resolution for hybrid environments.

Exact Reference from AWS Documentation:

AWS Route 53 Resolver enables hybrid cloud DNS resolution. An outbound endpoint forwards DNS queries from the VPC to on-premises DNS servers via defined rules.

[Source: Amazon Route 53 Resolver Documentation – Forwarding outbound queries]

Step-by-Step Explanation:

Understand the Problem:

Enforce a policy that requires all AWS resources to be tagged according to company policy.

Continuously identify non-compliant resources.

Analyze the Requirements:

Implement a solution to monitor and enforce resource tagging compliance.

Evaluate the Options:

Option A: AWS CloudTrail.

Provides logging and monitoring of API calls but does not enforce tagging policies.

Option B: Amazon Inspector.

Primarily used for security assessments, not resource tagging compliance.

Option C: AWS Config.

Monitors and evaluates the configurations of AWS resources.

Can enforce compliance by using AWS Config rules to check resource tags.

Option D: AWS Systems Manager.

Provides operational insights and management but is not specifically designed for compliance enforcement.

Select the Best Solution:

Option C: AWS Config is designed for compliance and configuration monitoring, making it the ideal service for enforcing and identifying non-compliant resource tags.

AWS Config

Managing Resource Tag Compliance with AWS Config

AWS Config provides the necessary tools to enforce and monitor resource tagging compliance, ensuring all resources adhere to the set policy.

You are correct that an A record typically points to an IP address. However, in the case of an Application Load Balancer (ALB), you cannot use an A record with an IP address because the IP addresses of an ALB can change over time. Instead, you can use an alias record to point to the DNS name of the ALB. An alias record is a Route 53 extension to DNS that allows you to route traffic to selected AWS resources, such as an ALB, by using a friendly DNS name, such as example.com, instead of the resource’s IP address or DNS name.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html

The issue of "request timed out" when pinging the public IP address of the EC2 instance could be due to the Network ACL (NACL) inbound rules.

Check NACL Inbound Rules:

Network ACLs act at the subnet level and can explicitly allow or deny traffic to or from a subnet.

Ensure that the NACL associated with the subnet containing the EC2 instance has inbound rules that allow ICMP traffic (which is used for ping).

Example rule to allow inbound ICMP traffic:

Rule Number: 100

Type: ICMP

Protocol: 1

Port Range: N/A (ICMP doesn't use ports)

Source: 0.0.0.0/0 (or specific IP range)

Allow/Deny: ALLOW

In cross-account Amazon S3 replication, by default, the source account retains ownership of the replicated objects in the destination bucket. This ownership can lead to access issues, such as "Access Denied" errors, when users in the destination account attempt to access these objects.

To resolve this, the replication configuration must be modified to change the ownership of the replicated objects to the destination account. This is achieved by enabling the AccessControlTranslation setting in the replication configuration, which instructs Amazon S3 to change the ownership of the replicated objects to the destination bucket owner.

Additionally, the destination bucket policy must grant the source account the necessary permissions to perform this ownership change. Specifically, the policy should allow the s3:ObjectOwnerOverrideToBucketOwner action for the source account.

By configuring the replication settings to change object ownership and updating the destination bucket policy accordingly, the destination account gains full control over the replicated objects, eliminating access issues.

To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.

Store Content in S3 with Public Access Blocked:

Ensure the S3 bucket has public access blocked.

Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.

The most likely reason for the unexpected placement of EC2 instances is that one Availability Zone did not have sufficient capacity for the requested EC2 instance type.

Capacity Constraints:

AWS manages EC2 instance placement based on available capacity in the Availability Zones.

If a particular Availability Zone does not have enough capacity for the instance type you requested, AWS will place instances in other Availability Zones with sufficient capacity.

Auto Scaling Group Configuration:

Even if the Auto Scaling group is configured to use all three Availability Zones, instances might not be evenly distributed if one zone lacks the required capacity.

This can result in instances being placed in the remaining zones with available capacity.

Monitoring and Mitigation:

Monitor the capacity limits and instance distribution using CloudWatch and the Auto Scaling group's activity history.

Consider using smaller instance types or different instance families to avoid capacity issues in specific zones.

Amazon EC2 Auto Scaling

Troubleshooting Amazon EC2 Capacity Issues

geolocation "Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region."

Could be confused with geoproximity - "Geoproximity routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource" the use case is not needed as per question.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

To meet the requirements of the workload, a company should store the data in an Amazon S3 Glacier vault and configure a vault lock policy for write-once, read-many (WORM) access. This will ensure that the data is stored securely and cannot be edited in the future. The other solutions (storing the data in an Amazon Elastic Block Store (Amazon EBS) volume and configuring AWS Key Management Service (AWS KMS) encryption, storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring server-side encryption, or storing the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA) and configuring multi-factor authentication (MFA)) will not meet the requirements, as they do not provide a way to protect the audit logs from future edits.

https://docs.aws.amazon.com/zh_tw/AmazonS3/latest/userguide/object-lock.html