Free Practice Questions for Amazon Web Services SOA-C02 Exam

Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

When using Amazon Route 53 to manage DNS records for a website hosted behind an Application Load Balancer (ALB), an ALIAS record should be used for the apex domain (e.g., example.com). ALIAS records are designed to map domain names to AWS resources like ALBs, CloudFront distributions, and S3 buckets, providing efficient DNS resolution.

Login to AWS Management Console:

Open the Route 53 console at Amazon Route 53 Console.

Select Hosted Zone:

Select the hosted zone for your domain.

Create Record Set:

Click on Create record.

In the Record name field, leave it blank to indicate the apex domain.

Select ALIAS as the record type.

Choose the Alias Target to be your Application Load Balancer from the dropdown menu.

Save Record Set:

Review the settings and click Create records.

Choosing Between Alias and Non-Alias Records

Routing Traffic to an ELB Load Balancer

To automate the execution of a Python script every night efficiently:

Convert Python Script to Lambda:

Create an AWS Lambda function and upload the Python script.

Ensure the function has the necessary IAM permissions to perform the required maintenance tasks.

 Create an SNS Topic and Subscription:

Amazon SNS allows you to send notifications to multiple endpoints.

Steps:

Go to the AWS Management Console.

Navigate to SNS and create a new topic.

Create a subscription for the topic using the email protocol.

Enter the architecture team's email address as the subscriber.

Amazon SNS

 Create an EventBridge Rule:

Amazon EventBridge can monitor events and trigger actions.

Steps:

Go to the AWS Management Console.

Navigate to EventBridge.

Create a new rule that reacts to EC2 instance launch events.

Specify the SNS topic as the rule's target.

To address the performance issues of a CPU-heavy application running on a t2.large EC2 instance, the best course of action is to upgrade to a compute-optimized instance. Compute-optimized instances provide a higher ratio of CPU resources compared to memory, making them ideal for applications that require high CPU performance.

Upgrade to a Compute-Optimized Instance:

Identify a suitable compute-optimized instance type, such as the c5.large, which offers better CPU performance compared to the t2.large.

Stop the current EC2 instance and change the instance type to the chosen compute-optimized instance.

To provide both incoming and outgoing connectivity to the internet for EC2 instances, you need to ensure that the instances are in a subnet that has a route to an internet gateway. Here are the required steps:

Create an Internet Gateway:

Open the Amazon VPC console at Amazon VPC Console.

In the navigation pane, choose Internet Gateways.

Choose Create Internet Gateway.

Enter a name for the internet gateway and choose Create.

Attach the internet gateway to your VPC by selecting the created internet gateway, then choosing Actions, and Attach to VPC.

Modify Route Table:

In the Amazon VPC console, go to the Route Tables section.

Select the route table associated with the subnet where your EC2 instances are located.

Choose Edit routes and add a new route:

Destination: 0.0.0.0/0

Target: Select the internet gateway you created.

These steps ensure that the instances can send and receive traffic to and from the internet.

Creating and Attaching an Internet Gateway

Route Tables

This is the most operationally efficient solution that meets the requirements, as it will allow the company to monitor the number of times that the web server returns an HTTP 404 response in real-time. The other solutions (creating a CloudWatch Logs subscription filter, an AWS Lambda function, or a script) will require additional steps and resources to monitor the number of times that the web server returns an HTTP 404 response.

A metric filter allows you to search for specific terms, phrases, or values in your log events, and then to create a metric based on the number of occurrences of those search terms. This allows you to create a CloudWatch Metric that can be used to create alarms and dashboards, which can be used to monitor the number of HTTP 404 responses returned by the web server.

AWS WAF (Web Application Firewall) is designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can help mitigate cross-site scripting (XSS) vulnerabilities by allowing users to create rules to filter specific types of HTTP requests.

Create a Web ACL:

Go to the AWS WAF & Shield console.

Click "Create web ACL" and specify a name and the AWS resource to protect (e.g., an Application Load Balancer).

Add Rules to Mitigate XSS:

Within the Web ACL, add a new rule.

Select "Rule builder" and choose a rule type. For mitigating XSS, use "AWS Managed Rules" or create a custom rule.

AWS Managed Rules include a predefined set for XSS that you can enable.

Configure the XSS Rule:

If using a custom rule, configure it to inspect requests and block any that contain XSS patterns.

Use regular expressions or specific patterns to identify malicious scripts.

Deploy the Web ACL:

Once configured, save the Web ACL.

Associate it with your Application Load Balancer or CloudFront distribution to start filtering requests.

Monitor and Adjust:

Monitor the requests being blocked by AWS WAF.

Adjust the rules as necessary to ensure legitimate traffic is not affected and the application remains protected.

AWS WAF Developer Guide

AWS WAF Managed Rules

When working with AWS CloudFormation, understanding how the stack behaves during a failure is crucial for troubleshooting. By default, if a stack creation fails, CloudFormation will roll back any resources it created, leaving no trace of what went wrong. This default behavior makes debugging more difficult because the resources that may have caused the failure are deleted.

To change this behavior, AWS CloudFormation provides the --on-failure parameter when creating a stack using the AWS CLI or SDKs. The purpose of this parameter is to control what happens if stack creation fails.

From the AWS CloudFormation User Guide:

--on-failure

Required: No

Type: String

Valid values: DO_NOTHING | ROLLBACK | DELETE

Default: ROLLBACK

DO_NOTHING – If stack creation fails, do nothing. The stack remains in the CREATE_FAILED state. You can then investigate and take corrective action.

ROLLBACK – If stack creation fails, roll back all created resources.

DELETE – If stack creation fails, delete all created resources (i.e., behave as if the stack was never attempted).

✅ Why B is correct:

OnFailure=DO_NOTHING tells CloudFormation to retain all successfully created resources even if stack creation fails. This allows a SysOps administrator to inspect the created resources, review logs, or fix the template before attempting to resume or recreate the stack.

❌ Why the other options are incorrect:

A. DisableRollback = FalseThis is default behavior, meaning rollback will occur (i.e., resources will be deleted). This does not help preserve resources after failure.

C. Rollback trigger of DO_NOTHINGThere is no such rollback trigger value called DO_NOTHING. Rollback triggers are for monitoring CloudWatch alarms during stack updates or creations and do not influence what happens when a creation fails unless a trigger fires.

D. OnFailure = ROLLBACKThis is the default, and it removes all resources when the stack creation fails, which is the opposite of the requirement.

Conclusion:

To preserve resources that were successfully created during a failed CloudFormation stack creation, the correct and verified approach is:

Set OnFailure=DO_NOTHING during stack creation.

This enables post-mortem debugging by retaining the resources for inspection.

To reduce costs effectively for jobs that are flexible in their scheduling and have a clear, predictable runtime:

Spot Instances with Defined Duration (Spot Blocks): Spot Instances offer significant discounts compared to On-Demand pricing. For workloads like the described jobs that have a predictable duration (slightly less than 2 hours), requesting Spot Instances with a defined duration (also known as Spot Blocks) is ideal. This option allows you to request Spot Instances guaranteed to not be terminated by AWS due to price changes for the duration specified.

Cost Efficiency: This method ensures that the instances will run for the duration required to complete the jobs without interruption, unless AWS experiences an exceptional shortage of capacity. The cost savings compared to On-Demand Instances can be substantial, especially for regular, predictable workloads.

Risk Mitigation: Although Spot Instances can be interrupted, using them with a defined duration reduces the risk of interruptions within the set time frame, making them suitable for jobs that can tolerate a restart in rare cases of interruption after the block time expires.

This strategy combines cost savings with the performance requirements of the jobs, making it an optimal choice for tasks that are not time-critical but need completion within a predictable timeframe.