Amazon Web Services SOA-C02 AWS Certified SysOps Administrator - Associate (SOA-C02) Exam Practice Test

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

https://aws.amazon.com/s3/

https://aws.amazon.com/route53/

https://aws.amazon.com/cloudwatch/

Graphical user interface, application, Teams Description automatically generated

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks: https://aws.amazon.com/cloudformation/

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service: https://aws.amazon.com/eventbridge/

Amazon FSx for Windows File Server provides a fully managed, highly available, and native Windows file system compatible with the SMB protocol, ideal for Windows workloads requiring shared access.

Multi-AZ File System: Ensures high availability across multiple Availability Zones.

Native Windows Capabilities: Allows instances to map file shares and access files using Windows storage features, offering strong consistency and performance for shared files.

Other options, like Amazon S3 and Amazon EFS, either lack native Windows integration or do not offer the desired consistency and high availability for shared file systems in a Windows environment.

To efficiently find out how often the AWS Lambda function has failed in the last 7 days, use Amazon CloudWatch Logs Insights.

Access CloudWatch Logs Insights:

Navigate to the CloudWatch console.

Select "Logs Insights" from the navigation pane.

To control the production account efficiently, the most operationally efficient solution is to create a service control policy (SCP) and apply it to the production OU. SCPs allow you to manage permissions for AWS Organizations at the organizational unit (OU) or account level.

Service Control Policies (SCPs):

SCPs are a type of policy that can restrict what services and actions can be used in the accounts within an OU.

They are applied at the organizational unit level and provide a way to enforce corporate policies across multiple AWS accounts.

Steps to Implement:

Navigate to the AWS Organizations console.

Create a new SCP that specifies the allowed or denied services and actions.

Apply the SCP to the production OU.

AWS Organizations SCPs

To reduce S3 storage costs while ensuring the images remain highly available and immediately accessible, transitioning the images to S3 Standard-IA after 7 days is the most cost-effective solution.

Understand Storage Classes:

S3 Standard-IA (Infrequent Access) is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard, but higher retrieval costs.

If EC2 instances in one region (eu-central-1) need to access a database in another (us-east-1), and the database must remain only in us-east-1, the most operationally efficient solution is a VPC peering connection.

From the VPC Peering documentation:

Inter-Region VPC peering enables routing of traffic between VPCs in different AWS Regions using private IP addresses, without VPN or additional hardware.

Also:

You must manually update security group rules to allow traffic from the peered VPC.

So:

Create the VPC peering

Add the private IP range of the remote EC2 instances to the inbound rules of the database’s security group

To ensure that all users within the AWS Organization have read-level access to a specific Amazon S3 bucket, while preventing access outside the organization, you can specify a wildcard principal ("Principal": "*") and use the PrincipalOrgId condition key in the bucket policy.

Specify the Principal:

Use "Principal": "*". This means that any principal can access the bucket, but the actual access will be controlled by the condition.

Add Condition with PrincipalOrgId:

Add a condition to restrict access based on the PrincipalOrgId. This condition ensures that only the principals from the specified AWS Organization can access the bucket.

Example bucket policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::bucket-name/*",

"Condition": {

"StringEquals": {

"aws:PrincipalOrgID": "o-exampleorgid"

}

}

}

]

}

If AWS Lambda function logs are not appearing in Amazon CloudWatch, it is typically due to insufficient permissions:

IAM Role Permissions: The execution role assigned to the Lambda function must have the necessary permissions to interact with CloudWatch Logs. This includes actions like logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents.

Check and Update Role: Verify that the IAM role used by the Lambda function includes a policy granting these permissions. If not, update the role to include these permissions.

Log Group and Stream: With the appropriate permissions, the Lambda function will be able to create or use a log group and stream in CloudWatch Logs and publish log messages accordingly.

Ensuring the Lambda function has the correct permissions is essential for diagnostics and monitoring, allowing log data to be captured and reviewed in CloudWatch Logs.

NAT Gateway resides in public subnet, and traffic should be routed from private subnet to NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

Since the EC2 instance is attempting to access the internet using HTTP (port 80) but is configured only to allow HTTPS (port 443) traffic, the security group needs adjustment:

Security Group Configuration: The outbound rules of the security group associated with the EC2 instance must allow traffic over HTTP. Add an outbound rule that enables port 80 to destination 0.0.0.0/0. This rule will allow the instance to send HTTP requests to any IP address on the internet.

Test Connectivity: After updating the security group, test the connectivity using the curl command again to ensure the configuration allows internet access via HTTP.

This change is necessary because the existing security group configuration does not permit outbound HTTP traffic, which is essential for accessing websites using HTTP.

Enabling Instance Scale-In Protection:

Instance scale-in protection prevents Auto Scaling from terminating specific instances.

Steps:

Go to the AWS Management Console.

Navigate to EC2 and select "Auto Scaling Groups."

Select your Auto Scaling group.

Go to the "Instance management" tab.

Select the instances you want to protect and click "Actions."

Choose "Enable scale-in protection."

This ensures that instances are not terminated during troubleshooting.

Instance Scale-In Protection

To restrict EC2 resource deployment in a specific region and restrict root credentials usage:

Create Service Control Policies (SCPs):

Use AWS Organizations to create SCPs that restrict actions for all member accounts.

Create an SCP to deny the creation of EC2 instances in the ap-southeast-2 region.

Create an SCP to deny the use of root credentials in member accounts.

Objective:

Provision Spot Instances with the highest availability while using a wide range of instance types.

Capacity Optimized Strategy:

The capacity optimized strategy ensures that Spot Instances are launched from the pools with the highest available capacity at the time of the request.

This approach minimizes the likelihood of interruptions and increases the chances of launching the desired capacity.

Steps to Implement:

In the Auto Scaling group configuration, set the Spot Allocation Strategy to Capacity Optimized.

Define multiple instance types in the launch template to allow flexibility.

AWS References:

Spot Allocation Strategies:Spot Instance Allocation Strategies

Capacity Optimized Details:Capacity Optimized Spot Instances

Why Other Options Are Incorrect:

Option A: Simply launching up to maximum capacity does not address availability concerns.

Option B: The diversified strategy spreads instances across Spot pools but does not prioritize capacity.

Option D: Spot Instance Advisor provides recommendations but is not a direct allocation strategy.

To meet the requirement of consistent performance of 10,000 IOPS with the least cost, the SysOps administrator should use a General Purpose SSD (gp3) Amazon EBS volume:

General Purpose SSD (gp3) EBS Volume:

The gp3 volume type can be provisioned with the required IOPS without the need for additional capacity, making it a cost-effective solution compared to Provisioned IOPS SSD (io1) volumes.

The most efficient way to enable DNS resolution between the VPC and the on-premises environment is by configuring a Route 53 Resolver outbound endpoint.

Route 53 Resolver Outbound Endpoint: This enables the VPC to forward DNS queries to the on-premises DNS server, which can resolve internal hostnames.

Minimal Maintenance: This solution is scalable and requires minimal ongoing maintenance compared to manual entries or creating and managing a large number of DNS entries manually.

To review the VPC configuration of developer AWS accounts securely, the best practice is to use cross-account IAM roles with read-only access.

Create an IAM Policy with Read-Only Access:

Navigate to the IAM console in each developer account.

Create a new policy with read-only access to VPC resources. For example:

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"ec2:DescribeVpcs",

"ec2:DescribeSubnets",

"ec2:DescribeRouteTables",

"ec2:DescribeSecurityGroups",

"ec2:DescribeNetworkAcls"

],

"Resource": "*"

}

]

}

Save the policy.

Create a Cross-Account IAM Role:

In the IAM console, choose "Roles" and then "Create role".

Select "Another AWS account" and enter the AWS account ID of the security administrator's account.

Attach the read-only policy created in step 1 to the role.

Save the role and note the role ARN.

Assume the Role from the Security Administrator's Account:

In the security administrator's account, navigate to the IAM console.

Use the "Switch Role" option to assume the cross-account role created in the developer account using the role ARN.

The security administrator can now access the VPC configuration of the developer accounts with read-only permissions.

Cross-Account Access

Creating and Managing IAM Policies

The reason is that it uses the Amazon CloudWatch billing alarm which is a built-in service specifically designed to monitor and alert on cost usage of your AWS account, which makes it a more suitable solution for this use case. The alarm can be configured to detect when costs reach 75% of the threshold and when it is triggered, it can publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. The email distribution list can be subscribed to the topic, so that they will receive the alerts when costs reach 75% of the threshold.

AWS Budgets allows you to track and manage your costs, but it doesn't specifically focus on data transfer costs between regions, and it might not provide as much granularity as CloudWatch Alarms.

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html

To ensure all EC2 instances have the required tags and terminate any noncompliant instances, AWS Config can be used to check the compliance, and AWS Systems Manager Automation can be invoked to take action on noncompliant instances.

Create AWS Config Rule:

Open the AWS Config console at AWS Config Console.

Create a new rule to check for the required tags on EC2 instances. Use the managed rule required-tags.

Create AWS Systems Manager Automation Document:

Open the AWS Systems Manager console at AWS Systems Manager Console.

Create an Automation document to terminate noncompliant instances.

Link AWS Config Rule to Automation:

In the AWS Config console, configure the rule to invoke the Systems Manager Automation document if an instance is found to be noncompliant.

AWS Config Rules

AWS Systems Manager Automation

AWS Config Managed Rules

Monitoring EC2 Instances with CloudWatch:

Amazon CloudWatch provides monitoring and alarms for AWS resources.

Alarms can be created for metrics like CPUUtilization, and notifications can be sent to Amazon SNS topics.

Steps to Set Up the Solution:

Create an SNS Topic:

Open the Amazon SNS Console.

Create a topic (e.g., "CPU_Alerts").

Add subscriptions for the development team's email addresses.

Create a CloudWatch Alarm:

Open the CloudWatch Console.

Navigate to the Alarms section and select Create Alarm.

Choose the EC2 CPUUtilization metric and set the alarm conditions:

Metric: Average CPU Utilization

Threshold: 80%

Period: 5 minutes

Link the alarm to the SNS topic for notifications.

Test the Alarm:

Simulate high CPU utilization to verify that alerts are sent to the subscribed email addresses.

Why Other Options Are Incorrect:

A and B: Using Amazon SES directly for alerts is not a standard practice for operational efficiency or integration with CloudWatch.

C: Using "sum" instead of "average" for CPU utilization is not appropriate for real-time monitoring, as it aggregates data over a large interval.

To meet the requirement of using only IPv6 for all EC2 instances while allowing outbound internet access and preventing inbound internet access, an egress-only internet gateway is the correct solution. An egress-only internet gateway allows outbound communication over IPv6 and blocks inbound communication, ensuring that the instances can access the internet but are not directly accessible from the internet.

Create an Egress-Only Internet Gateway:

Open the Amazon VPC console at Amazon VPC Console.

In the navigation pane, choose Egress-only internet gateways.

Choose Create egress-only internet gateway, and then attach it to your VPC.

Create a Custom Route Table:

In the VPC console, navigate to Route Tables.

Create a new route table or select an existing one.

Add a route with the destination set to ::/0 (which represents all IPv6 addresses) and the target set to the egress-only internet gateway.

Attach the Route Table to IPv6-Only Subnets:

Associate the route table with the IPv6-only subnets in your VPC.

This configuration ensures that your IPv6-only EC2 instances can access the internet while being protected from inbound internet traffic.

Egress-Only Internet Gateways

IPv6 Addresses

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/custom-tags.html "User-defined tags are tags that you define, create, and apply to resources. After you have created and applied the user-defined tags, you can activate by using the Billing and Cost Management console for cost allocation tracking. "

To meet this requirement, the SysOps administrator should activate the company-defined tags as user-defined cost allocation tags. This will ensure that the tags appear on the billing report and that the resources can be tracked with the specific tags. The other options (activating the tags as AWS generated cost allocation tags, creating a new cost category and selecting the account billing dimension, and creating a new AWS Cost and Usage Report and including the resource IDs) will not meet the requirements and are not the correct solutions for this issue.

To allow the TTL (Time to Live) of individual pages to vary while adhering to the maximum and minimum TTL settings configured for the Amazon CloudFront distribution, setting cache behaviors directly at the origin is most effective:

Use Cache-Control Headers: By configuring the Cache-Control: max-age directive in the HTTP headers of the objects served from the origin, you can specify how long an object should be cached by CloudFront before it is considered stale.

Integration with CloudFront: When CloudFront receives a request for an object, it checks the cache-control header to determine the TTL for that specific object. This allows individual objects to have their own TTL settings, as long as they are within the globally set minimum and maximum TTL values for the distribution.

Operational Efficiency: This method does not require any additional AWS services or modifications to the distribution settings. It leverages HTTP standard practices, ensuring compatibility and ease of management.

Implementing the TTL management through cache-control headers at the origin provides precise control over caching behavior, aligning with varying content freshness requirements without complex configurations.

To address the issue of an errant process consuming an entire processor and running at 100%, the SysOps administrator can automate the restarting of the instance using Amazon CloudWatch and AWS Systems Manager.

Enable Detailed Monitoring:

Ensure that detailed monitoring is enabled on the EC2 instance. Detailed monitoring provides data in 1-minute periods, which is crucial for detecting the 2-minute threshold accurately.

The issue of "request timed out" when pinging the public IP address of the EC2 instance could be due to the Network ACL (NACL) inbound rules.

Check NACL Inbound Rules:

Network ACLs act at the subnet level and can explicitly allow or deny traffic to or from a subnet.

Ensure that the NACL associated with the subnet containing the EC2 instance has inbound rules that allow ICMP traffic (which is used for ping).

Example rule to allow inbound ICMP traffic:

Rule Number: 100

Type: ICMP

Protocol: 1

Port Range: N/A (ICMP doesn't use ports)

Source: 0.0.0.0/0 (or specific IP range)

Allow/Deny: ALLOW

For the issue of "too many connections" on a MySQL database, using RDS Proxy offers a streamlined solution:

RDS Proxy Setup: RDS Proxy sits between your application and the database. It pools and efficiently manages database connections, which reduces the number of direct connections to the database.

Connection Management: By handling connection pooling, RDS Proxy can help mitigate issues related to connection overhead and limits, such as the "too many connections" error, by allowing the database to serve more requests from a smaller and more stable number of connections.

Minimal Code Changes: Integrating RDS Proxy requires changes only to the database connection settings in the application's configuration files to point to the RDS Proxy endpoint instead of directly to the database. This minimizes the amount of code change needed and leverages RDS Proxy to handle connection scaling and management more efficiently.

This approach enhances database performance and scalability by efficiently managing connections without the need for significant application changes or database resizing.

Step-by-Step Explanation:

Understand the Problem:

Minimize potential data loss and recovery time for a MySQL database running on an Amazon EC2 instance.

Analyze the Requirements:

Reduce the risk of data loss.

Ensure quick recovery in the event of a database failure.

Aim for operational efficiency.

Evaluate the Options:

Option A: Create a CloudWatch alarm to invoke a Lambda function that stops and starts the EC2 instance.

This addresses system failures but does not help with minimizing data loss or ensuring database redundancy.

Option B: Create an Amazon RDS for MySQL Multi-AZ DB instance and use a MySQL native backup stored in Amazon S3.

RDS Multi-AZ deployments provide high availability and durability by automatically replicating data to a standby instance in a different Availability Zone.

Using a MySQL native backup stored in Amazon S3 ensures data can be restored efficiently.

Option C: Create an RDS for MySQL Single-AZ DB instance with a read replica.

This provides read scalability but does not ensure high availability or failover capabilities.

Option D: Use Amazon DLM to take hourly snapshots of the EBS volume.

This helps with backups but does not provide immediate failover capabilities or minimize downtime effectively.

Select the Best Solution:

Option B: Using Amazon RDS for MySQL Multi-AZ ensures high availability and automated backups, significantly minimizing data loss and recovery time.

Amazon RDS Multi-AZ Deployments

Backing Up and Restoring an Amazon RDS DB Instance

Using Amazon RDS for MySQL Multi-AZ provides a highly available and durable solution with automated backups, ensuring minimal data loss and quick recovery.

Amazon RDS does not support enabling encryption for an existing unencrypted DB instance directly. However, you can achieve encryption by following these steps:

Take a Snapshot of the RDS Instance:

Open the Amazon RDS console at Amazon RDS Console.

Select the DB instance, then choose Actions and Take snapshot.

Enter a name for the snapshot and take the snapshot.

Copy and Encrypt the Snapshot:

After the snapshot is complete, select the snapshot, choose Actions, and then Copy snapshot.

In the copy snapshot dialog, select the Enable encryption checkbox and choose a customer-managed CMK (Customer Master Key) or the default AWS managed key.

Restore the Encrypted Snapshot to a New RDS Instance:

Once the snapshot copy is complete, select the copied (encrypted) snapshot.

Choose Actions and Restore snapshot.

Provide the required details to launch a new DB instance from the encrypted snapshot.

Update Connections:

Update your application or endpoints to point to the new encrypted RDS instance.

Encrypting Amazon RDS Resources

Copying an Amazon RDS DB Snapshot

To set up notifications for when combined billing exceeds a certain threshold for all AWS accounts within an organization, follow these steps:

Enable Billing Alerts:

In the payer account, go to the Billing and Cost Management console.

Under "Billing preferences", enable the "Receive Billing Alerts" option.

Set Up a Billing Alarm in CloudWatch:

Navigate to the CloudWatch console.

Create a new billing alarm, specifying the threshold for the combined billing amount.

Set the alarm to publish a notification to an SNS topic when the threshold is breached.

Publish SNS Message:

Create an SNS topic to receive the billing alarm notifications.

Configure the billing alarm to send notifications to the SNS topic.

Setting Up a CloudWatch Billing Alarm

AWS Billing and Cost Management User Guide

In this scenario, the issue is that the EC2 instances are marked healthy by status checks, but the website is still intermittently failing, returning HTTP 500 errors.

This indicates that the OS-level checks are passing, but the application is not behaving properly. To resolve this, the Auto Scaling group must use ALB (ELB) health checks which verify application-level health, not just EC2 status.

From the Auto Scaling User Guide:

By default, an Auto Scaling group uses EC2 instance status checks to determine the health state of an instance. You can optionally configure the Auto Scaling group to use Elastic Load Balancing health checks in combination with EC2 status checks.

These health checks allow Auto Scaling to detect application failures and replace unhealthy instances automatically.

❌ Why the other options are incorrect:

A. Network Load Balancer is for TCP-level traffic and does not solve HTTP 500 errors.

C. Sticky sessions are used for session persistence and don’t solve server errors.

D. Installing CloudWatch agents and rebooting is reactive and not an automated health check replacement system.

Increasing the amount of memory for the Lambda function will help to improve the performance of the function. This is because the Lambda function is CPU-intensive and increasing the memory will give it access to more CPU resources and help it run faster. The other options (activating hyperthreading in the CPU launch options for the Lambda function, turning off the AWS managed encryption, and loading the required code into a custom layer) will not help to improve the performance of the Lambda function and are not the correct solutions for this issue.

https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-common.html#configuration-memory-console

"Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone." https://aws.amazon.com/elasticloadbalancing/network-load-balancer/

For an application that must scale to millions of requests per second and requires a single static IP address for each Availability Zone, a Network Load Balancer (NLB) is the most suitable option. NLBs are designed for high-performance, low-latency networking, and they support static IP addresses for each Availability Zone, making it ideal for volatile traffic patterns. Option D is the correct choice. AWS provides extensive documentation on NLB capabilities and configurations that suit these requirements AWS Network Load Balancer.

The company wants to:

Distribute traffic across two AWS Regions

Minimize response time

From the Route 53 Routing Policies Documentation:

Latency-based routing allows you to route traffic to the AWS Region that provides the lowest latency for the user.

Ideal for applications deployed in multiple AWS Regions.

This matches the scenario exactly.

To receive email notifications when IAM CreateUser API calls are made, you need to create an EventBridge rule that captures these events from CloudTrail and then routes them to an SNS topic that has an email subscription.

Enable CloudTrail:

Ensure AWS CloudTrail is enabled in your account to log API activity. Go to AWS CloudTrail Console and enable it if not already enabled.

Create SNS Topic:

Open the Amazon SNS console at Amazon SNS Console.

Create a new topic and name it (e.g., IAMCreateUserNotifications).

Create an email subscription for the topic by entering your email address and confirming the subscription via the email received.

Create EventBridge Rule:

Open the Amazon EventBridge console at Amazon EventBridge Console.

Create a new rule and provide a name and description.

For the Event source, select AWS events or EventBridge Schema.

In Event pattern, select AWS services and choose CloudTrail as the service.

Specify the event type as AWS API Call via CloudTrail.

In the Event source dropdown, select IAM and in the API operation, enter CreateUser.

Add Target:

Add a target and select SNS topic.

Choose the SNS topic you created earlier (IAMCreateUserNotifications).

Configure Permissions:

Ensure that the EventBridge rule has permission to publish to the SNS topic.

This configuration will trigger an email notification whenever an IAM CreateUser API call is made, keeping you informed of new user creations.

Creating an EventBridge Rule That Triggers on an Event

Setting Up a CloudWatch Event to Trigger SNS

Creating CloudTrail Event Rules

You might want to use Transfer Acceleration on a bucket for various reasons: ->Your customers upload to a centralized bucket from all over the world. ->You transfer gigabytes to terabytes of data on a regular basis across continents. ->You can't use all of your available bandwidth over the internet when uploading to Amazon S3." https://docs.aws.amazon.com/AmazonS3/latest/userguide/transfer-acceleration.html

To receive an email notification based on a metric threshold, use:

A CloudWatch alarm monitoring FreeStorageCapacity

A CloudWatch alarm action that publishes to an SNS topic

From the CloudWatch Alarm and SNS Documentation:

You can create an alarm on a metric (e.g., FreeStorageCapacity) and configure the alarm action to send a notification to an Amazon SNS topic, which triggers an email notification to all subscribed endpoints.

To make an internal web application highly available, you should configure the Amazon EC2 Auto Scaling group to launch instances in multiple Availability Zones within the same AWS Region. This ensures that the application remains available even if one Availability Zone becomes unavailable.

Login to AWS Management Console:

Open the Amazon EC2 console at Amazon EC2 Console.

Update Auto Scaling Group:

In the navigation pane, choose Auto Scaling Groups.

Select the Auto Scaling group that you want to modify.

Choose Edit.

Add Multiple Availability Zones:

In the Availability Zones and subnets section, select at least one additional Availability Zone.

Ensure that the selected subnets belong to different Availability Zones.

Save Changes:

Save the configuration changes to update the Auto Scaling group.

Distributing Instances Across Multiple Availability Zones

Auto Scaling Groups

To restrict resource creation in unapproved regions across multiple AWS accounts efficiently, combining SCPs and Control Tower settings is effective:

SCP for Regional Restrictions: Create and apply an SCP that explicitly denies access to AWS services in unapproved regions. This policy will enforce region-based restrictions at the organizational unit or account level.

Control Tower Regional Governance: Adjust the settings in AWS Control Tower's landing zone to include governance for approved regions. This helps in maintaining a standard configuration that aligns with organizational policies regarding AWS regions.

AWS Documentation Reference:

For more information, check the AWS documentation on SCPs and AWS Control Tower:

Service Control Policies

AWS Control Tower.

Aurora Auto Scaling:

Aurora Auto Scaling adjusts the number of Aurora Replicas in response to changes in connectivity or workload.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select the Aurora cluster.

Under "Actions," choose "Add Aurora Replica" to initially add replicas if needed.

Go to the "Auto Scaling" section and create an auto scaling policy.

Set the target value for the DatabaseConnections metric to 195.

Define the minimum and maximum number of replicas.

Save the configuration.

This ensures that the Aurora cluster scales automatically when the number of connections approaches the threshold, improving read performance.

Aurora Auto Scaling

AWS provides a native integration with Slack via the AWS Support App, which allows:

Real-time updates for AWS Support cases in Slack

Replying to support cases and adding comments from Slack

Case creation and escalation from Slack

From the AWS Support App in Slack Documentation:

You must first authorize the Slack workspace in your AWS account using the AWS Support App setup process.

Then, add the specific Slack channel by specifying the channel ID and required case types (e.g., account, service limit, technical).

❌ Why the other options are incorrect:

A: Slack must authorize the workspace first, not just an AWS account.

C and D: Using SNS + EventBridge + Lambda is not necessary, as AWS provides a native Slack integration with full support case features.

The most likely reason for the unexpected placement of EC2 instances is that one Availability Zone did not have sufficient capacity for the requested EC2 instance type.

Capacity Constraints:

AWS manages EC2 instance placement based on available capacity in the Availability Zones.

If a particular Availability Zone does not have enough capacity for the instance type you requested, AWS will place instances in other Availability Zones with sufficient capacity.

Auto Scaling Group Configuration:

Even if the Auto Scaling group is configured to use all three Availability Zones, instances might not be evenly distributed if one zone lacks the required capacity.

This can result in instances being placed in the remaining zones with available capacity.

Monitoring and Mitigation:

Monitor the capacity limits and instance distribution using CloudWatch and the Auto Scaling group's activity history.

Consider using smaller instance types or different instance families to avoid capacity issues in specific zones.

Amazon EC2 Auto Scaling

Troubleshooting Amazon EC2 Capacity Issues

The most likely reason for being unable to authenticate an AWS CLI call to an AWS service is the absence of an access key. AWS CLI requires an access key and secret key to authenticate requests.

Access Key and Secret Key:

AWS uses access keys to identify and authenticate the identity of the requester.

Ensure that the AWS CLI is configured with a valid access key and secret key.

Check AWS CLI Configuration:

Use the aws configure command to set up the AWS CLI with the necessary credentials.

Verify that the ~/.aws/credentials file contains the correct access key and secret key.

AWS CLI Configuration

Managing Access Keys

C: Ensures logs are ingested into CloudWatch from EC2 via the CloudWatch agent.

E: Allows creation of metric filters and alarms based on log patterns (e.g., "rejected web requests").

From CloudWatch Logs & Alarms documentation:

You can extract metric data from log events using metric filters and then create CloudWatch alarms based on these filters.

This is the most efficient and least operational overhead solution.

To reduce costs effectively for jobs that are flexible in their scheduling and have a clear, predictable runtime:

Spot Instances with Defined Duration (Spot Blocks): Spot Instances offer significant discounts compared to On-Demand pricing. For workloads like the described jobs that have a predictable duration (slightly less than 2 hours), requesting Spot Instances with a defined duration (also known as Spot Blocks) is ideal. This option allows you to request Spot Instances guaranteed to not be terminated by AWS due to price changes for the duration specified.

Cost Efficiency: This method ensures that the instances will run for the duration required to complete the jobs without interruption, unless AWS experiences an exceptional shortage of capacity. The cost savings compared to On-Demand Instances can be substantial, especially for regular, predictable workloads.

Risk Mitigation: Although Spot Instances can be interrupted, using them with a defined duration reduces the risk of interruptions within the set time frame, making them suitable for jobs that can tolerate a restart in rare cases of interruption after the block time expires.

This strategy combines cost savings with the performance requirements of the jobs, making it an optimal choice for tasks that are not time-critical but need completion within a predictable timeframe.

To implement a highly available solution that provides the functionality to use a minimum of three On-Demand instances and three Spot instances when prices are at a certain threshold, defining an Amazon EC2 Auto Scaling group using a launch template is the most suitable solution. This approach minimizes operational overhead by consolidating configuration and management tasks.

Define a Launch Template:

Use the provided AMI in the launch template.

Configure the instance type, key pair, security groups, and other necessary parameters.

Create an Auto Scaling Group:

Use the launch template for the Auto Scaling group.

Specify a desired capacity of three On-Demand instances.

Configure the Auto Scaling group to use mixed instances policies, which allow you to specify a combination of On-Demand and Spot instances.

Set the maximum price for Spot instances in the launch template to ensure that Spot instances are used only when their prices are below the specified threshold.

Configuration Steps:

Open the EC2 console and navigate to "Launch Templates."

Create a new launch template with the necessary configurations.

Navigate to "Auto Scaling Groups" and create a new Auto Scaling group using the launch template.

Configure the desired capacity, minimum capacity, and maximum capacity.

Under "Advanced Options," specify the mixed instances policy and set the maximum price for Spot instances.

Amazon EC2 Auto Scaling Launch Templates

Auto Scaling Mixed Instances Policies

After increasing the size of an Amazon EBS volume, the operating system must be configured to use the additional space. For a Windows instance, you need to extend the file system using disk management tools.

Open Disk Management:

Connect to your Windows EC2 instance using RDP.

Open the Disk Management tool by right-clicking the Start button and selecting Disk Management.

Extend the Volume:

Locate the EBS volume that was resized.

Right-click on the volume and select Extend Volume.

Follow the Extend Volume Wizard to allocate the newly available space to the file system.

Verify the New Size:

After extending the volume, verify that the file system reflects the increased storage capacity.

Modifying the Size, IOPS, or Throughput of an EBS Volume

Extending a Windows File System After Resizing a Volume

To make the production environment highly available in accordance with company policy:

Database Migration: Move the MariaDB database from a single EC2 instance to Amazon RDS for MariaDB configured for Multi-AZ. This setup ensures high availability of the database with synchronous replication to a standby instance in a different Availability Zone.

Application Scalability: Deploy the application on EC2 instances within an Auto Scaling group. Configure the Auto Scaling group to operate across multiple Availability Zones to ensure that the application remains available even if one zone becomes unavailable.

Load Balancing: Place the EC2 instances behind an Elastic Load Balancer (ELB). The load balancer will distribute incoming application traffic across the multiple, geographically dispersed EC2 instances, further enhancing the availability and fault tolerance of the application.

This solution leverages AWS managed services to increase the reliability and availability of both the application and database layers, adhering to best practices for deploying critical production environments on AWS.

Step-by-Step Explanation:

Understand the Problem:

Enforce a policy that requires all AWS resources to be tagged according to company policy.

Continuously identify non-compliant resources.

Analyze the Requirements:

Implement a solution to monitor and enforce resource tagging compliance.

Evaluate the Options:

Option A: AWS CloudTrail.

Provides logging and monitoring of API calls but does not enforce tagging policies.

Option B: Amazon Inspector.

Primarily used for security assessments, not resource tagging compliance.

Option C: AWS Config.

Monitors and evaluates the configurations of AWS resources.

Can enforce compliance by using AWS Config rules to check resource tags.

Option D: AWS Systems Manager.

Provides operational insights and management but is not specifically designed for compliance enforcement.

Select the Best Solution:

Option C: AWS Config is designed for compliance and configuration monitoring, making it the ideal service for enforcing and identifying non-compliant resource tags.

AWS Config

Managing Resource Tag Compliance with AWS Config

AWS Config provides the necessary tools to enforce and monitor resource tagging compliance, ensuring all resources adhere to the set policy.

geolocation "Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region."

Could be confused with geoproximity - "Geoproximity routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource" the use case is not needed as per question.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

For a Lambda function in Account A to access an S3 bucket in Account B, the correct IAM roles setup includes:

A: In Account A, create a Lambda execution role that has permissions to assume another role in Account B. In Account B, create a role with permissions to access the S3 bucket and trust the Lambda execution role from Account A to assume it. This configuration allows the Lambda function to assume the cross-account role and access the S3 bucket as needed, maintaining security and proper access control. AWS documentation provides more details on setting up cross-account roles for Lambda access AWS Lambda Permissions.

To fulfill the requirement of sharing the same data across multiple EC2 instances in multiple Availability Zones with scalability, the most appropriate solution is Amazon Elastic File System (EFS).

Deploy Amazon EFS:

Amazon EFS provides a scalable and fully managed NFS file system for use with AWS Cloud services and on-premises resources.

It is designed to grow and shrink automatically as you add and remove files, so your applications have the storage they need, when they need it.

Create Mount Targets:

Go to the EFS console and create a new file system.

Create mount targets in each subnet within your VPC across the multiple Availability Zones.

Attach the EFS file system to your EC2 instances by mounting the EFS file system using the mount target IP addresses or DNS names.

Scalability:

EFS can scale to petabytes without the need to provision storage in advance.

It provides high availability and durability, automatically replicating data across multiple Availability Zones.

Amazon EFS Documentation

Creating EFS File Systems

To reduce the time required for new instances to become available in an Auto Scaling group, pre-installing the necessary software in the AMI used by the Auto Scaling group is the most effective solution.

Use EC2 Image Builder:

Utilize EC2 Image Builder to create a custom AMI that includes all the required software and configurations.

This reduces the setup time during instance launch, as the user data script will no longer need to install the software.

To securely connect to the S3 buckets over a private connection from EC2 instances without incurring additional costs, the SysOps administrator can create a gateway VPC endpoint.

Create a Gateway VPC Endpoint:

Navigate to the VPC console.

Create a gateway VPC endpoint for Amazon S3.

Increasing the IOPS for the gp3 EBS volume will address the high VolumeQueueLength by allowing more read/write operations, directly improving performance for I/O-intensive tasks. ElastiCache and enhanced networking do not directly affect EBS performance for this issue.

To monitor and automatically respond to security groups allowing SSH access:

AWS Config: This service can be used to detect security groups that allow SSH access publicly (Option B). AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

AWS Systems Manager Automation: This can automatically execute actions like closing the port when a non-compliant security group is detected (Option D). It allows the execution of automated workflows that can respond to Config rule findings, ensuring immediate remediation actions such as closing ports. These two services combined offer a comprehensive solution to monitor, detect, and rectify unwanted security group configurations automatically. AWS documentation on AWS Config AWS Config and on Systems Manager Automation Systems Manager Automation provides additional insights.

Split-tunnel routing allows you to specify that only the traffic destined for your VPC is routed through the VPN tunnel. All other internet traffic is routed through the user’s local network.

Steps:

Open the Client VPN Console:

Sign in to the AWS Management Console.

Open the Amazon VPC console.

Modify the Client VPN Endpoint:

Select the Client VPN endpoint.

Choose "Modify Client VPN endpoint".

Enable the "Split-tunnel" option.

Update Route Table:

Ensure that the route table associated with the Client VPN endpoint routes traffic destined for the VPC IP range to the appropriate target (e.g., VPC subnet).

This configuration ensures that only traffic destined for resources in the VPC is sent over the VPN tunnel, while other traffic uses the user’s local internet connection.

To resolve the issue of an AWS Lambda function unable to connect to a database that has been moved to a private subnet, the Lambda function needs to be connected to the same VPC as the database. This is done by configuring the Lambda function with VPC access. This involves specifying the VPC, subnets, and security groups for the Lambda function so that it can communicate with the database using its private endpoint. Option B is correct as it directly addresses the issue without compromising security. AWS documentation on configuring VPC access for Lambda provides guidance on this setup Configuring VPC Access for Lambda.

To automate the creation and management of IAM roles for multiple AWS accounts in an AWS Organization, using AWS CloudFormation StackSets is the most operationally efficient solution.

AWS CloudFormation StackSets:

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple AWS accounts and regions with a single operation.

Using StackSets with AWS Organizations:

Create a CloudFormation template that defines the necessary IAM roles.

Use StackSets to deploy the template across multiple AWS accounts in your organization.

AWS CloudFormation StackSets

Creating IAM Roles with CloudFormation

To resolve issues with high disk I/O during the bootstrap process:

Increase EBS Volume IOPS: Higher IOPS allows the EBS volume to handle more input/output operations per second, which is critical for high I/O demands like downloading large Docker images.

Increase EBS Volume Throughput: Boosting throughput allows for faster data transfer rates, which is useful when the workload requires sustained high data throughput during initialization.

Increasing the instance size or changing the instance type is not necessary if the root cause is related specifically to EBS performance. Nitro instances generally provide higher performance and are well-suited for high I/O tasks.

To route traffic for a subdomain to a CloudFront distribution using Amazon Route 53, you should create an A record with the CloudFront distribution's domain name as the alias target.

Login to AWS Management Console:

Open the Route 53 console at Amazon Route 53 Console.

Select Hosted Zone:

Select the hosted zone for your domain (example.com).

Create Record Set:

Click on Create record.

For Record name, enter static.

Select A - IPv4 address for the record type.

For Alias, choose Yes.

In the Alias Target field, select the CloudFront distribution's domain name from the dropdown menu.

Save Record Set:

Review the settings and click Create records.

This setup directs traffic for static.example.com to the CloudFront distribution, leveraging the distribution's caching and delivery capabilities.

Routing Traffic to a CloudFront Distribution by Using Your Domain Name

Creating Records in Route 53

NAT Gateway Setup:

A NAT gateway allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.

Steps:

Go to the AWS Management Console.

Navigate to VPC and select "NAT Gateways."

Create a NAT gateway in the public subnet of each Availability Zone.

Allocate an Elastic IP address to each NAT gateway.

Update the route tables for the private subnets to route internet-bound traffic to the NAT gateways.

Creating a NAT Gateway

Using an AMI with CloudWatch Agent:

The CloudWatch agent can collect memory utilization metrics and send them to CloudWatch.

Steps:

Create or use an existing AMI that includes the CloudWatch agent installed and configured.

Ensure the CloudWatch agent is configured to collect memory metrics.

Use this AMI for instances in the Auto Scaling group.

Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent

To design a high-traffic static website that is highly available and provides low latency globally, you can use Amazon S3, CloudFront, and Route 53. This solution leverages the global edge locations of CloudFront to deliver content with low latency.

Create an Amazon S3 Bucket:

Open the S3 console at Amazon S3 Console.

Create a new bucket and upload your website content.

Configure S3 for Static Website Hosting:

Go to the Properties tab of your bucket.

Enable Static website hosting and set the index document (e.g., index.html).

Create a CloudFront Distribution:

Open the CloudFront console at Amazon CloudFront Console.

Create a new distribution and set the S3 bucket as the origin.

Configure distribution settings, including caching behaviors and SSL/TLS settings.

Create Route 53 Alias Record:

Open the Route 53 console at Amazon Route 53 Console.

Select the hosted zone for your domain.

Create a new record set, choose ALIAS as the record type, and point it to the CloudFront distribution.

Amazon S3 Static Website Hosting

Creating a CloudFront Distribution

Routing Traffic to a CloudFront Distribution

Amazon FSx provides a fully managed file system that is optimized for Windows-based workloads and can be used to create file shares that can be accessed both on premises and in the AWS Cloud. The file shares that are created in Amazon FSx are highly available and can be accessed with low latency. Additionally, Amazon FSx supports Windows-based authentication, making it easy to integrate with existing Windows user accounts.

 Objective:

Publish VPC flow logs to Amazon CloudWatch Logs.

 Root Cause:

VPC flow logs require an IAM role with permissions to create log groups, log streams, and write logs to CloudWatch Logs.

If the logs:CreateLogGroup permission is missing, the flow log cannot create the required log group, and logs will not appear in CloudWatch.

 Solution Implementation:

Step 1: Verify the IAM role attached to the VPC flow logs.

Step 2: Add the following permissions to the IAM policy:

logs:CreateLogGroup

logs:CreateLogStream

logs:PutLogEvents

Step 3: Update the IAM role policy and retry creating flow logs.

 AWS References:

VPC Flow Logs Permissions:Permissions for VPC Flow Logs

 Why Other Options Are Incorrect:

Option B: logs:CreateExportTask is for exporting logs from CloudWatch to S3, not for creating log groups.

Option C: IPv6 addresses do not impact the publishing of flow logs to CloudWatch Logs.

Option D: VPC peering does not block flow log functionality.

To monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances and receive email alerts before low storage space affects performance, follow these steps:

Install the Amazon CloudWatch Agent:

Download and install the CloudWatch agent on your Windows EC2 instances.

To remotely connect to the EC2 instance, the SysOps administrator must ensure that the security group allows inbound SSH traffic.

Modify the Security Group:

Navigate to the EC2 console.

Select the security group associated with the EC2 instance.

Add an inbound rule to allow SSH traffic (TCP port 22) from the SysOps administrator's IP address.

Example rule:

Type: SSH

Protocol: TCP

Port Range: 22

Source:

Using an RDS read replica will improve the performance and availability of the RDS instance by offloading read queries to the replica. This will also ensure that the reporting job completes in a timely manner and does not affect the performance of other queries that might be running on the RDS instance. Additionally, updating the reporting job to query the reader endpoint will ensure that all read queries are directed to the read replica.

To ensure versioning is enabled on all S3 buckets and automatically remediate non-compliant buckets:

Use AWS Config to evaluate compliance using the managed rule s3-bucket-versioning-enabled.

Then, set an automatic remediation action with the AWS-ConfigureS3BucketVersioning runbook to enable versioning.

From AWS Config documentation:

This managed rule checks whether versioning is enabled for your Amazon S3 buckets. You can use AWS Systems Manager Automation runbooks for automatic remediation.

Enabling the organizational view in AWS Health will allow the SysOps administrator to consolidate the alerts from each account’s Personal Health Dashboard. It will also provide the administrator with a single view of all the accounts in the organization, allowing them to easily monitor the health of all the accounts in the organization.

To share an encrypted Amazon RDS DB instance snapshot across accounts, the least administrative overhead involves directly managing permissions on the AWS KMS key and sharing the snapshot. Here’s how to do it:

Take a Snapshot: Initiate a snapshot of your Amazon RDS DB instance in the production account. This captures the current state of the database.

Modify KMS Key Policy: Adjust the policy of the KMS key used for encryption (identified by the alias 'production-rds-key') to grant the kms:Decrypt permission to the migration account’s root user. This step is crucial as it allows the migration account to use the same encryption key to decrypt the snapshot.

Share the Snapshot: Share the newly created snapshot with the migration account using the RDS console or AWS CLI. The migration account will now be able to see and use this snapshot to create a new RDS instance.

AWS Documentation Reference:

You can refer to the AWS documentation on sharing encrypted snapshots: Sharing Encrypted Snapshots.

To provision AWS accounts for each team with a defined baseline and governance guardrails in a scalable and efficient way, using AWS Control Tower is the best solution.

AWS Control Tower:

AWS Control Tower provides a straightforward way to set up and govern a secure, multi-account AWS environment based on best practices.

It uses Account Factory, a feature that automates the creation of new AWS accounts with predefined configurations.

Creating Accounts with Control Tower:

Navigate to the AWS Control Tower console.

Use Account Factory to create a new account.

Customize the account template to include the necessary configurations, such as organizational units (OUs), guardrails, and baselines.

Advantages:

Ensures consistent security and compliance across all accounts.

Automates account creation and configuration, saving time and reducing errors.

AWS Control Tower

Setting Up Account Factory

To ensure high availability and failover for RDS, converting the instance to a Multi-AZ deployment is the best practice. Multi-AZ configurations provide automated standby in a different Availability Zone, automatically failing over to the standby in case of instance or Availability Zone issues.

Modify DB instance: AWS allows for seamless conversion of an existing Single-AZ RDS instance to a Multi-AZ deployment, making it more resilient to outages without requiring significant application changes.

Failover mechanism: In Multi-AZ, failover is managed automatically by AWS, minimizing application downtime.

The provided IAM policy grants the following permissions:

Describe AWS Load Balancers:

The policy allows actions with the prefix elasticloadbalancing:. This includes actions like DescribeLoadBalancers and other Describe* actions related to Elastic Load Balancing.

AWS WAF (Web Application Firewall) helps protect your web applications from common web exploits and bots. A rate-based rule allows you to control the rate of requests to your application.

Create a Global-Scoped AWS WAF Web ACL:

Navigate to the AWS WAF console.

Create a new Web ACL and choose "Global" for the scope.

Set the default action to "Allow".

Configure a Rate-Based Rule:

Within the Web ACL, add a new rule and select "Rate-based rule".

Define the rate limit (e.g., 2000 requests per 5 minutes).

Set the action to "Block".

Associate Web ACL with CloudFront Distribution:

After creating the Web ACL and rule, go to your CloudFront distribution settings.

In the "General" tab, associate the Web ACL with your CloudFront distribution.

Review and Confirm:

Review the configuration and ensure the Web ACL is correctly associated with the CloudFront distribution.

AWS WAF Rate-Based Rules

Associating AWS WAF with CloudFront

To ensure that the application can scale based on the number of users that connect to the application, the SysOps administrator should create a scaling policy that scales the application based on the ActiveConnectionCount Amazon CloudWatch metric generated from the ELB.

ActiveConnectionCount Metric:

The ActiveConnectionCount metric indicates the number of active connections to the ELB. By monitoring this metric, the application can scale in response to the number of users actively connected.

Steps to Implement:

Go to the Amazon EC2 Auto Scaling console.

Select the Auto Scaling group that manages the EC2 instances for the application.

Create a new scaling policy.

Set the policy to scale based on the ActiveConnectionCount metric from the ELB.

Elastic Load Balancing Metrics and Dimensions

Auto Scaling Policies

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.