Free Practice Questions for Amazon Web Services SOA-C02 Exam

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

https://aws.amazon.com/s3/

https://aws.amazon.com/route53/

https://aws.amazon.com/cloudwatch/

Graphical user interface, application, Teams Description automatically generated

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service: https://aws.amazon.com/eventbridge/

The rejected traffic in the flow logs is due to the network ACL associated with the subnet not allowing outbound traffic for the ephemeral port range.

Network ACLs:

Network ACLs act as a firewall for controlling traffic in and out of one or more subnets.

By default, NACLs allow all inbound and outbound traffic, but custom NACLs require specific rules to allow traffic.

Ephemeral Ports:

Ephemeral ports are temporary ports used for client-side communication. The default range is 1024-65535.

Ensure that the network ACL allows outbound traffic on these ports.

Steps to Resolve:

Check the network ACL rules for the associated subnet.

Add outbound rules to allow traffic from the ephemeral port range (1024-65535).

Amazon VPC Network ACLs

The most likely reason for the unexpected placement of EC2 instances is that one Availability Zone did not have sufficient capacity for the requested EC2 instance type.

Capacity Constraints:

AWS manages EC2 instance placement based on available capacity in the Availability Zones.

If a particular Availability Zone does not have enough capacity for the instance type you requested, AWS will place instances in other Availability Zones with sufficient capacity.

Auto Scaling Group Configuration:

Even if the Auto Scaling group is configured to use all three Availability Zones, instances might not be evenly distributed if one zone lacks the required capacity.

This can result in instances being placed in the remaining zones with available capacity.

Monitoring and Mitigation:

Monitor the capacity limits and instance distribution using CloudWatch and the Auto Scaling group's activity history.

Consider using smaller instance types or different instance families to avoid capacity issues in specific zones.

Amazon EC2 Auto Scaling

Troubleshooting Amazon EC2 Capacity Issues

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html

When using Amazon S3 Object Lock configured in governance mode, deleting objects before their retention period ends requires specific permissions. To bypass these governance restrictions, the administrator must:

C: Assume a role that has the s3:BypassGovernanceRetention permission. This permission allows the role to override the governance mode restrictions.

D: Include the x-amz-bypass-governance-retention:true header in the delete request. This header is necessary to programmatically bypass the governance retention settings when making a delete request via the AWS CLI or SDK. These steps enable the deletion of objects under governance mode retention without waiting for the retention period to expire, addressing the need to remove unintended data uploads effectively. For further details, refer to the AWS documentation on S3 Object Lock Amazon S3 Object Lock.

To address the issue of a fully utilized EBS volume causing application errors, the most efficient solution is to dynamically resize the existing EBS volume and extend the file system. AWS EBS supports Elastic Volumes, allowing you to increase volume size without detaching or stopping the instance.

Steps:

Modify the EBS Volume:

Navigate to the Amazon EC2 console.

Select the EBS volume attached to the instance.

Choose "Modify Volume" and increase the size as needed.

Confirm the modification.

Extend the File System:

Connect to the EC2 instance.

Use the lsblk command to identify the volume and partition.

If necessary, use the growpart command to extend the partition.

Depending on the file system:

For XFS: sudo xfs_growfs -d /mount-point

For ext4: sudo resize2fs /dev/xvda1

This approach minimizes downtime and avoids the need for creating new volumes or stopping the instance.

To prevent the EC2 instances and their data from being deleted when a CloudFormation stack is deleted:

DeletionPolicy Attribute: In the CloudFormation template that defines the EC2 instances, set the DeletionPolicy attribute to Retain for each EC2 instance resource. This setting ensures that when the CloudFormation stack is deleted, the EC2 instances are not terminated.

Impact of the Retain Policy: With this policy, all data on the instance, such as data on its attached EBS volumes, remains intact even after the stack deletion. The resources will remain in your AWS account and will need to be managed or deleted manually thereafter.

This approach is directly supported by AWS CloudFormation and provides a simple and effective way to protect EC2 instances and their data during stack deletions.

AWS Single Sign-On (AWS SSO) provides a centralized interface to manage SSO access to multiple AWS accounts and business applications. AWS SSO integrates with AWS Organizations and supports SAML 2.0 identity providers, making it an ideal solution for centrally managing user access and permissions across multiple AWS accounts.

AWS Single Sign-On (AWS SSO):

AWS SSO allows you to manage SSO access and user permissions to all of your AWS accounts and applications.

It integrates seamlessly with AWS Organizations.

Integration with SAML 2.0 IdP:

AWS SSO supports integration with third-party SAML 2.0 identity providers.

This allows centralized management of user identities and access.

Steps to Implement:

Enable AWS SSO in your AWS Organizations management account.

Configure AWS SSO to connect with your third-party SAML 2.0 IdP.

Assign user permissions and roles for each AWS account through AWS SSO.

AWS Single Sign-On

Integrating AWS SSO with SAML 2.0 Identity Providers