Free Amazon Web Services SOA-C02 Practice Exam with Questions & Answers | Set: 6

Objective:

Add custom dimensions to the metrics collected by the Amazon CloudWatch agent.

Using append_dimensions:

The append_dimensions field in the Amazon CloudWatch agent configuration file allows adding custom dimensions to the metrics collected.

Dimensions help categorize and filter metrics in CloudWatch for more granular insights.

Steps to Implement:

Step 1: Edit the Amazon CloudWatch agent configuration file (commonly located at /opt/aws/amazon-cloudwatch-agent/bin/config.json).

Step 2: Add the append_dimensions field under the desired metrics section, specifying the custom dimensions in key-value pairs:

{

"metrics": {

"append_dimensions": {

"InstanceId": "${aws:InstanceId}",

"CustomDimensionKey": "CustomDimensionValue"

}

}

}

Step 3: Restart the CloudWatch agent:

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \

-a stop

sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \

-a start

AWS References:

Amazon CloudWatch Agent Configuration:CloudWatch Agent Configuration

Why Other Options Are Incorrect:

Option A: Writing a custom script is unnecessary as the CloudWatch agent natively supports appending dimensions.

Option B: EventBridge rules do not interact with CloudWatch metrics for adding dimensions.

Option C: AWS Lambda functions are not required for this use case.

Steps:

Use CloudWatch Agent to collect disk utilization metrics.

Set a CloudWatch alarm to trigger when disk usage = 100%.

Configure EventBridge to invoke an AWS Lambda function that reboots the instance using the EC2 API (RebootInstances).

This approach is automated, efficient, and minimizes human intervention.

From CloudWatch and EventBridge integration:

CloudWatch alarms can send events to EventBridge, which can trigger Lambda functions or other automation workflows.

 Lambda Function to Rotate IAM Access Keys:

A Lambda function can be used to automate the rotation of IAM access keys based on their age.

Steps:

Write a Lambda function that checks the age of IAM access keys.

The function should rotate keys that are at least 30 days old.

Deploy the Lambda function.

 Amazon EventBridge Rule:

EventBridge can trigger the Lambda function periodically and when a new key is created.

Steps:

Create an EventBridge rule that triggers the Lambda function on a schedule (e.g., daily) and on IAM key creation events.

Rotating Access Keys for IAM Users, Amazon EventBridge

The Kubernetes Horizontal Pod Autoscaler (HPA) automatically scales the number of pods in a deployment, replica set, or stateful set based on observed CPU utilization or other custom metrics.

From Kubernetes documentation:

The HPA automatically scales the number of pods in a deployment depending on CPU usage or other select metrics.

It is commonly used to handle traffic surges with minimal manual intervention.

This is the most efficient and low-maintenance way to scale workloads in Amazon EKS in response to traffic changes.

To restrict EC2 resource deployment in a specific region and restrict root credentials usage:

Create Service Control Policies (SCPs):

Use AWS Organizations to create SCPs that restrict actions for all member accounts.

Create an SCP to deny the creation of EC2 instances in the ap-southeast-2 region.

Create an SCP to deny the use of root credentials in member accounts.

To track instance memory utilization and available disk space using Amazon CloudWatch, the SysOps administrator should install and configure the CloudWatch agent on all instances.

Install and Configure the CloudWatch Agent:

The CloudWatch agent can collect both system-level metrics (e.g., memory utilization, disk space) and application-level metrics and logs.

Install the CloudWatch agent on each EC2 instance and configure it to collect the necessary metrics.

Attach an IAM Role:

The EC2 instances need permissions to write logs and metrics to CloudWatch.

Attach an IAM role with the necessary permissions (e.g., CloudWatchAgentServerPolicy) to each EC2 instance.

Installing the CloudWatch Agent

Create IAM Roles to Use with the CloudWatch Agent

To ensure that the application running on an Amazon EC2 instance can read, write, and delete messages from the SQS queues in the most secure manner, the recommended approach is to use IAM roles for EC2 instances. This approach avoids the need to embed or export long-term AWS credentials, which can be a security risk.

Create an IAM Role for EC2:

Navigate to the IAM console in the AWS Management Console.

Choose "Roles" in the navigation pane, then click "Create role".

Select "AWS service" as the type of trusted entity and choose "EC2" as the use case. Click "Next: Permissions".

Attach the Required Permissions:

On the "Attach permissions policies" page, you can either select an existing policy or create a custom policy.

For a custom policy, click "Create policy" and use the following JSON policy to allow the required SQS actions:

json

Copy code

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"sqs:SendMessage",

"sqs:ReceiveMessage",

"sqs:DeleteMessage"

],

"Resource": "arn:aws:sqs:region:account-id:queue-name"

}

]

}

Replace region, account-id, and queue-name with appropriate values for your SQS queues.

Assign the Role to the EC2 Instance:

After creating the role with the necessary permissions, navigate to the EC2 console.

Select the instance that needs access to the SQS queues.

In the "Actions" menu, choose "Security", then "Modify IAM role".

Attach the newly created IAM role to the instance.

Verify the Permissions:

Ensure that the IAM role is properly attached to the EC2 instance.

Test the application to confirm that it can successfully perform the required actions (read, write, delete) on the SQS queues.

IAM Roles for Amazon EC2

Amazon SQS Policy Examples

To serve static websites using S3 and Route 53, AWS requires the bucket name to match the custom domain name (e.g., www.example.com), not just a random bucket like example-website-hosting-bucket.

From the Amazon S3 Static Website Hosting Guide:

To use Amazon Route 53 to route domain traffic to an S3 bucket that is configured as a static website, the bucket name must match the name of the domain or subdomain.

This means:

To host www.example.com, you must create an S3 bucket named www.example.com

Then configure static website hosting on that bucket

In Route 53, you can then create an alias record pointing to the S3 website endpoint

❌ Why the other options are incorrect:

A. ARNs are not valid alias targets in Route 53.

B. ARN changes do not affect Route 53; also, you cannot rename an S3 bucket via ARN changes.

C. Access Points do not support static website hosting. They are for programmatic access via APIs.

AWS CloudWatch cross-account observability allows a central monitoring account to access logs, metrics, and traces from source accounts.

From the Amazon CloudWatch cross-account observability setup guide:

To set up a new source account, you must:

Deploy the CloudFormation template provided by AWS in the source account to configure resource sharing and access.→ ✅ C

Add the new source account ID to the monitoring account configuration so the monitoring account knows which accounts to observe.→ ✅ E

In the source account, configure what data types (logs, metrics, traces) will be shared with the monitoring account.→ ✅ F

❌ Why the other options are incorrect:

A/B: You do not download the template from the accounts themselves. AWS provides a template, or your organization reuses an existing one.

D: The template must be deployed in the source account, not the monitoring account.

This approach uses CloudWatch for monitoring and Lambda for automation, allowing for quick and efficient quota management:

Setup CloudWatch Alarm: Monitor the usage of EC2 instances against the service quota using CloudWatch.

Lambda Function: Write a Lambda function that triggers a quota increase request via the Service Quotas API when the threshold is met.

Integration: Configure the CloudWatch alarm to trigger this Lambda function when the instance count approaches the service quota.

AWS Documentation Reference:

Information on monitoring with CloudWatch and automating actions with Lambda can be found in these guides: Amazon CloudWatch Alarms, AWS Lambda.