Pass the Amazon Web Services AWS Certified Associate SOA-C02 Questions and answers with ExamsMirror

To allow the Lambda function to access both the new RDS database in a private subnet and the internet, the Lambda function needs to be reconfigured for VPC access with a NAT gateway setup.

Reconfigure Lambda for VPC Access:

Attach the Lambda function to the private subnets where the RDS instance is located.

Add NAT gateways to the public subnets to allow outbound internet access from the private subnets.

NAT Gateway:

NAT gateways allow instances in private subnets to connect to the internet or other AWS services, but they prevent the internet from initiating connections with those instances.

Steps to Implement:

Create NAT gateways in the public subnets.

Update the route tables of the private subnets to route internet-bound traffic through the NAT gateways.

Ensure the Lambda function has the necessary IAM role permissions to access the VPC and RDS.

Configuring a Lambda Function to Access Resources in a VPC

NAT Gateways

Problem Analysis:

Users experience consistent forced logouts, indicating session data is not maintained properly.

Causes may include issues with session persistence between CloudFront, ALB, and the backend servers.

Action: Configure Cookie Forwarding in CloudFront:

CloudFront must forward cookies to maintain session state. Without forwarding cookies, session-specific data cannot reach the backend.

Update the Cache Behavior Settings in CloudFront:

Go to the CloudFront distribution settings.

In Cache Behaviors, select Forward Cookies.

Specify the relevant cookies required by the application.

Action: Enable Group-Level Stickiness in ALB:

Group-level stickiness ensures that a user's session consistently maps to the same backend server, preventing session disruption.

Steps:

Open the ALB Console.

Navigate to the Listener Rules.

Enable Group-Level Stickiness for the target groups under the listener rule settings.

Why Other Options Are Incorrect:

A: Changing to the least outstanding requests algorithm will not address session stickiness issues.

C: Forwarding headers does not resolve session-specific problems caused by cookies not being forwarded.

E: Weighted target groups manage traffic distribution but do not address session persistence.

The problem requires modifying the inbound SSH rule to restrict access to a list of trusted IPs instead of deleting it entirely. AWS Config rules can be configured with automatic remediation actions using either Systems Manager Automation runbooks or Lambda functions. However, AWS Systems Manager Automation runbooks are often more appropriate for managing infrastructure changes like security group modifications because they are reusable, parameterized, and easier to audit.

Create a Systems Manager Automation runbook: This runbook will contain steps to add or modify the existing security group rule, allowing SSH access only from the specified IP addresses.

Update the AWS Config rule: Modify the Config rule to call this new runbook for its automatic remediation. This will prevent deletion of the SSH rule and instead update it based on the IP list.

When running CloudWatch Synthetics canaries in a private VPC, they require access to:

CloudWatch API (for canary configuration and control) – via interface endpoint

Amazon S3 (to store canary artifacts and logs) – via gateway endpoint

VPC DNS for name resolution – both DNS resolution and hostnames must be enabled

From CloudWatch Synthetics VPC setup documentation:

If your VPC has no internet access, you must configure VPC endpoints and VPC DNS settings for canaries to run successfully.

To prevent Amazon RDS for PostgreSQL Multi-AZ DB instances from running low on disk space, enabling storage auto-scaling is the most straightforward solution. This feature automatically adjusts the storage capacity of the DB instance when it approaches its limit, thus preventing the database from running out of space and triggering CloudWatch alarms. Option C is the least intrusive and most effective solution as it only requires a modification to the existing CloudFormation template to enable auto-scaling on storage. For reference, see AWS documentation on managing RDS storage automatically Managing RDS Storage Automatically.

To centrally store traffic logs for a website delivered through Amazon CloudFront and ensure all data is encrypted at rest, using an S3 bucket with default server-side encryption is the optimal solution.

Create an S3 Bucket:

Open the Amazon S3 console at Amazon S3 Console.

Create a new S3 bucket for storing the logs.

Enable Default Encryption:

Select the S3 bucket, navigate to Properties, and enable Default encryption.

Choose AES-256 for server-side encryption.

Configure CloudFront Logging:

Open the Amazon CloudFront console at Amazon CloudFront Console.

Select the CloudFront distribution and navigate to Edit.

In the logging section, enable logging and specify the S3 bucket created for log storage.

This setup ensures that all logs are encrypted at rest using AES-256 and stored centrally in an S3 bucket.

Amazon CloudFront Access Logs

Amazon S3 Default Encryption

To record all S3 API activity, the SysOps administrator should create an AWS CloudTrail trail to log data events for all S3 objects. This solution provides comprehensive logging of all API activities at the object level within S3 buckets.

AWS CloudTrail:

CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

It records all API calls for Amazon S3 objects, providing a detailed history of changes made to S3 resources.

Configuration Steps:

Go to the CloudTrail console and create a new trail.

Enable data events and specify the S3 buckets to monitor.

CloudTrail will then record S3 object-level API operations such as GetObject, DeleteObject, and PutObject.

To centrally store traffic logs for the website and ensure all data is encrypted at rest, using an Amazon S3 bucket with default server-side encryption is the best solution.

Create an Amazon S3 Bucket with Server-Side Encryption:

Open the S3 console and create a new bucket.

In the bucket properties, enable default server-side encryption using AES-256.

Configure CloudFront to Use the S3 Bucket as a Log Destination:

Open the CloudFront console.

Select the CloudFront distribution and configure the logging settings.

Specify the S3 bucket as the log destination.

Server-Side Encryption:

Ensure that the S3 bucket is configured to use server-side encryption with AES-256 by default, ensuring that all logs stored are encrypted at rest.

Amazon S3 Server-Side Encryption

CloudFront Access Logs

Aurora supports Auto Scaling of Aurora Replicas based on metrics like CPU utilization, which helps scale read capacity in read-heavy workloads.

From Aurora Auto Scaling documentation:

Aurora Auto Scaling automatically adds or removes Aurora Replicas based on CloudWatch metrics, such as CPU utilization.

Given that 95% of the workload is read, this is an ideal use case.

You can only use the Intrinsic Ref function to reference a resource that is being created at the same time as the current CloudFormation template. The question states that the CloudWatch dashboard was previously created using the AWS Management Console, so there is no ID to reference the existing CloudWatch dashboard in the CloudFormation template. You would need to export the existing CloudWatch dashboard as JSON, then use the DashboardBody property in the CloudFormation template to replicate it upon each deployment (https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/CloudWatch-Dashboard-Body-Structure.html)