Amazon Web Services SOA-C02 AWS Certified SysOps Administrator - Associate (SOA-C02) Exam Practice Test

Increasing the size of the 1 GiB EBS volumes will increase the IOPS capacity of the volumes, which will improve the I/O performance of the EBS volumes. This option does not require any changes to the instance types or EBS volume types, so it can be done quickly without the need for lengthy acceptance tests to validate that the company's applications will function properly.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/requesting-ebs-volume-modifications.html

A CloudFormation stack in the DELETE_FAILED state typically indicates that some resources could not be deleted. One common reason is that S3 buckets in the stack still contain objects.

Steps:

Identify the Failed Resources:

Open the AWS CloudFormation console.

Select the stack in the DELETE_FAILED state.

Check the "Events" tab to identify the resource(s) that caused the failure.

Delete S3 Objects:

Open the Amazon S3 console.

Navigate to the bucket(s) listed in the CloudFormation events.

Delete all objects in the bucket. You can use the S3 console, AWS CLI, or an S3 batch operation to delete the objects.

Retry Stack Deletion:

After clearing the S3 bucket(s), go back to the CloudFormation console.

Select the stack and choose "Delete" to retry the deletion process.

References:

Deleting a Stack

Troubleshooting AWS CloudFormation

To resolve the issue where mobile users are being served the desktop version of the website, you need to forward the User-Agent header from CloudFront to your origin (ALB). This allows the origin to detect the type of device and serve the appropriate content.

Login to AWS Management Console:

Open the CloudFront console at Amazon CloudFront Console.

Select the Distribution:

Choose the CloudFront distribution you want to modify.

Update Cache Behavior Settings:

Go to the Behaviors tab.

Select the default behavior (or any specific behavior that you want to update) and choose Edit.

Forward Headers:

Under Cache Key and Origin Requests, choose Origin Request Policy.

Select Create Policy and include the User-Agent header in the policy.

Save the policy and apply it to the cache behavior.

This configuration ensures that the User-Agent header is forwarded to the origin, enabling it to serve different content based on the device type.

References:

Configuring CloudFront to Forward Headers

Creating CloudFront Cache Behaviors

AWS Compute Optimizer provides recommendations for optimizing the performance and cost of your AWS resources, including Lambda functions.

Steps:

Enable AWS Compute Optimizer:

Open the AWS Compute Optimizer console.

Choose "Get started".

Enable Compute Optimizer for your account.

View Lambda Function Recommendations:

After enabling Compute Optimizer, allow some time for data collection and analysis.

Navigate to the "Lambda Function Recommendations" section in the Compute Optimizer console.

Review the recommendations for your Lambda functions, which may include adjustments to memory size or other configurations to improve performance and reduce costs.

Export Recommendations:

In the Compute Optimizer console, you can export the recommendations to a CSV file for further analysis and action.

References:

AWS Compute Optimizer

Optimizing Lambda Function Configurations

Increasing the IOPS for the gp3 EBS volume will address the high VolumeQueueLength by allowing more read/write operations, directly improving performance for I/O-intensive tasks. ElastiCache and enhanced networking do not directly affect EBS performance for this issue.

The most operationally efficient way to monitor state changes in EC2 instances and notify the operations team is by using Amazon EventBridge. EventBridge can be configured with a rule that listens for state change events from EC2 instances. These events can then be directed to an Amazon Simple Notification Service (Amazon SNS) topic, which will distribute the notification to the relevant parties. This solution does not require deploying additional scripts or functions, thereby enhancing operational efficiency. Option B is correct. For more details, see the Amazon EventBridge documentation Amazon EventBridge.

Enable Amazon S3 Transfer Acceleration Amazon S3 Transfer Acceleration can provide fast and secure transfers over long distances between your client and Amazon S3. Transfer Acceleration uses Amazon CloudFront's globally distributed edge locations. https://aws.amazon.com/premiumsupport/knowledge-center/s3-upload-large-files/

The most operationally efficient solution to ensure that administrator passwords for Amazon RDS DB instances are changed at least annually is to use AWS Secrets Manager with automatic rotation.

AWS Secrets Manager:

AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront cost and complexity of managing your own hardware security infrastructure.

Secrets Manager enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Configure Automatic Rotation:

Store the database credentials in AWS Secrets Manager.

Configure the secret to rotate automatically every 365 days.

AWS Secrets Manager provides built-in integration for rotating credentials for supported databases, including Amazon RDS.

Steps to Configure:

Open the Secrets Manager console.

Create a new secret and provide the necessary database credentials.

Enable automatic rotation and set the rotation interval to 365 days.

Secrets Manager will handle the rotation process, updating the credentials in the database and ensuring they are securely stored.

References:

AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets

Objective:

Resolve the HTTP 403 (Access Denied) error for the public S3 static website.

Root Cause:

By default, S3 buckets are private, and public access is blocked due to the Block Public Access settings.

Additionally, a bucket policy is needed to allow public access to the objects.

Solution Implementation:

Step 1: Turn off Block Public Access:

Navigate to the Permissions tab of the S3 bucket in the AWS Management Console.

Turn off the Block Public Access settings by disabling the following:

Block public access to buckets and objects via ACLs.

Block public access to buckets and objects via bucket policies.

Step 2: Add a Bucket Policy for Public Access:

Add a policy allowing GetObject for public access:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::/*"

}

]

}

Step 3: Test Access:

Confirm that the website is accessible via the public URL.

AWS References:

Block Public Access Settings:S3 Block Public Access

Bucket Policies for Static Websites:Bucket Policy Examples

Why Other Options Are Incorrect:

Option A: Route 53 is not required to resolve the 403 error; the issue is with S3 bucket permissions.

Option C: Editing file permissions alone will not work; bucket permissions must also allow public access.

Option D: PutObject permissions are unnecessary for serving a static website.

To manage incomplete multipart uploads in an Amazon S3 bucket, creating an S3 Lifecycle rule to specifically address these uploads is the most effective method. The rule can be configured to automatically delete expired multipart upload parts, which helps in cleaning up unused data and reducing storage costs. Option A is correct as it directly addresses the requirement to manage incomplete uploads effectively. Reference on setting up S3 Lifecycle policies can be found here Amazon S3 Lifecycle.

"A certificate is eligible for automatic renewal subject to the following considerations: ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront. ELIGIBLE if exported since being issued or last renewed. ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service. ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service." https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/scaling-redis-cluster-mode-enabled.html As demand on your clusters changes, you might decide to improve performance or reduce costs by changing the number of shards in your Redis (cluster mode enabled) cluster. We recommend using online horizontal scaling to do so, because it allows your cluster to continue serving requests during the scaling process. https://d ocs.aws.amazon.com/AmazonElastiCache/latest/red-ug/redis-cluster-vertical-scaling-scaling-down.html

To fulfill the requirement of sharing the same data across multiple EC2 instances in multiple Availability Zones with scalability, the most appropriate solution is Amazon Elastic File System (EFS).

Deploy Amazon EFS:

Amazon EFS provides a scalable and fully managed NFS file system for use with AWS Cloud services and on-premises resources.

It is designed to grow and shrink automatically as you add and remove files, so your applications have the storage they need, when they need it.

Create Mount Targets:

Go to the EFS console and create a new file system.

Create mount targets in each subnet within your VPC across the multiple Availability Zones.

Attach the EFS file system to your EC2 instances by mounting the EFS file system using the mount target IP addresses or DNS names.

Scalability:

EFS can scale to petabytes without the need to provision storage in advance.

It provides high availability and durability, automatically replicating data across multiple Availability Zones.

References:

Amazon EFS Documentation

Creating EFS File Systems

To implement a caching service while maintaining high availability for an Amazon RDS DB instance, the combination of Amazon ElastiCache for Redis and enabling Multi-AZ for the data store will meet these requirements.

Create an Amazon ElastiCache for Redis Data Store:

Redis is an in-memory data structure store that can be used as a database, cache, and message broker. It provides high availability through its replication feature.

Go to the ElastiCache console.

Choose "Create" and select "Redis."

Configure the Redis cluster with the required parameters.

Enable Multi-AZ for the Data Store:

Multi-AZ deployment provides enhanced availability and durability for Redis. In case of a failure, it automatically fails over to the replica node.

During the creation of the Redis cluster, enable Multi-AZ.

This ensures that there is a standby replica in another Availability Zone, providing high availability.

References:

Amazon ElastiCache for Redis

ElastiCache for Redis Multi-AZ

Step-by-Step Explanation:

Understand the Problem:

A user cannot upload an object to an S3 bucket using a presigned URL, even though the URL is valid and the bucket has no policy applied.

Analyze the Requirements:

Determine the cause of the issue preventing the upload via the presigned URL.

Evaluate the Options:

Option A: The user has not properly configured the AWS CLI.

CLI configuration is not relevant to using a presigned URL.

Option B: The SysOps administrator does not have the necessary permissions.

The administrator's permissions are required to generate a valid presigned URL with sufficient permissions.

Option C: A bucket policy is required.

A bucket policy is not necessary if the presigned URL has the correct permissions.

Option D: The object has already been uploaded.

A presigned URL remains valid until it expires or the specified permissions are revoked.

Select the Best Solution:

Option B: Ensuring that the SysOps administrator has the necessary permissions to upload objects to the S3 bucket is crucial for generating valid presigned URLs.

References:

Amazon S3 Presigned URLs

IAM Policies for Amazon S3

The SysOps administrator must have the necessary permissions to upload objects to the S3 bucket, ensuring that the presigned URL generated allows the user to upload successfully.

"Scheduled scaling helps you to set up your own scaling schedule according to predictable load changes. For example, let's say that every week the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can configure a schedule for Amazon EC2 Auto Scaling to increase capacity on Wednesday and decrease capacity on Friday." https://docs.aws.amazon.com/autoscaling/ec2/userguide/schedule_time.html

Weighted routing in Route 53 allows you to direct a percentage of traffic to different resources by configuring specific weights. For this requirement, you can:

Weighted Routing Policy: This is the most suitable approach for gradually rolling out a new version by controlling traffic distribution.

Weight Configuration: Setting a weight of 80 for the original resource and 20 for the new resource ensures that 80% of the traffic continues to go to the existing version, while 20% is directed to the new version.

Other routing policies, such as failover and multivalue answer, are not intended for traffic distribution based on percentage; they serve different use cases.

Amazon RDS does not support enabling encryption for an existing unencrypted DB instance directly. However, you can achieve encryption by following these steps:

Take a Snapshot of the RDS Instance:

Open the Amazon RDS console at Amazon RDS Console.

Select the DB instance, then choose Actions and Take snapshot.

Enter a name for the snapshot and take the snapshot.

Copy and Encrypt the Snapshot:

After the snapshot is complete, select the snapshot, choose Actions, and then Copy snapshot.

In the copy snapshot dialog, select the Enable encryption checkbox and choose a customer-managed CMK (Customer Master Key) or the default AWS managed key.

Restore the Encrypted Snapshot to a New RDS Instance:

Once the snapshot copy is complete, select the copied (encrypted) snapshot.

Choose Actions and Restore snapshot.

Provide the required details to launch a new DB instance from the encrypted snapshot.

Update Connections:

Update your application or endpoints to point to the new encrypted RDS instance.

References:

Encrypting Amazon RDS Resources

Copying an Amazon RDS DB Snapshot

Using an RDS read replica will improve the performance and availability of the RDS instance by offloading read queries to the replica. This will also ensure that the reporting job completes in a timely manner and does not affect the performance of other queries that might be running on the RDS instance. Additionally, updating the reporting job to query the reader endpoint will ensure that all read queries are directed to the read replica.

When setting up an AWS managed VPN connection and creating a customer gateway resource, if the customer gateway device resides behind a NAT device, you should use the public IP address of the NAT device. This is because the VPN connection from AWS will be established to the public IP address that AWS can reach.

Identify the Public IP Address of the NAT Device:

Determine the public IP address assigned to the NAT device in front of the customer gateway.

Create Customer Gateway Resource:

Navigate to the VPC console in the AWS Management Console.

In the navigation pane, choose "Customer Gateways" and then click "Create Customer Gateway".

Enter a name for the customer gateway.

For the "IP Address", enter the public IP address of the NAT device.

Configure VPN Connection:

Create a VPN connection by navigating to the "VPN Connections" section and clicking "Create VPN Connection".

Select the created customer gateway and complete the VPN setup wizard.

Update Routing and Configuration:

Ensure that the routing configurations on both the AWS side and the on-premises side are updated to route traffic through the VPN connection.

Configure the customer gateway device (behind the NAT) to accept traffic from the NAT device and route it appropriately.

References:

AWS Managed VPN Connections

Customer Gateway Resource

Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Dedicated Hosts are physical servers that are dedicated to a single customer, ensuring that the customer’s workloads are not shared with other customers or with other AWS accounts within the company. This will ensure that the company’s security policy is followed and that sensitive workloads are running on hardware that is not shared with other customers or with other AWS accounts within the company.

Objective:

Enforce corporate policy to prevent the creation of EC2 instances in unauthorized AWS Regions.

Using Service Control Policies (SCPs):

SCPs are an AWS Organizations feature that allow centralized control over permissions for all accounts in the organization.

By attaching an SCP to the root level of the organization, you can enforce the restriction across all accounts.

Solution Implementation:

Step 1: Open the AWS Organizations console.

Step 2: Create a new SCP with the following policy:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Deny",

"Action": "ec2:RunInstances",

"Resource": "*",

"Condition": {

"StringNotEquals": {

"aws:RequestedRegion": [

"us-east-1",

"us-west-2"

]

}

}

}

]

}

Replace "us-east-1" and "us-west-2" with the allowed Regions.

Step 3: Attach the SCP to the root level of the organization.

AWS References:

Service Control Policies (SCPs):SCP Best Practices

Restricting EC2 Regions with SCP:SCP Examples

Why Other Options Are Incorrect:

Option A: CloudTrail and EventBridge with Lambda are operationally less efficient and reactive rather than preventative.

Option B: IAM policies applied at the account level require manual configuration for each account, which is less efficient.

Option C: Permissions boundaries are more suited for controlling specific IAM user or role actions, not account-wide restrictions.

Using AWS CloudFormation stack sets allows you to manage CloudWatch alarms across multiple accounts efficiently:

Create Stack Set: Use a CloudFormation template that defines the required CloudWatch alarms and configures them to publish alerts to an SNS topic.

Specify SNS Topic: Ensure the SNS topic is located in the logging account and has the necessary permissions set to receive publications from all accounts in the organization.

Deploy Across Organization: Implement the stack set across all accounts, ensuring centralized management and standardized deployment.

AWS Documentation Reference:Learn more about deploying resources with CloudFormation StackSets: Working with AWS CloudFormation StackSets.

To restrict access to an application based on geographic location (France in this case), the appropriate routing policy in Amazon Route 53 is geolocation routing. This policy allows you to specify traffic routing based on the geographic location of your users:

B: Use a geolocation routing policy. Select France as the location in the record. This ensures that only DNS queries originating from France are routed to the application, fulfilling the requirement to limit access to users within France initially. More information about setting up geolocation routing can be found in the AWS Route 53 documentation on geolocation routing Amazon Route 53 Geolocation Routing.

To make the application accessible only through the CloudFront distribution and not directly through the Application Load Balancer (ALB), you can add a custom HTTP header to the origin settings for the CloudFront distribution. You can then create a rule in the ALB listener to forward requests that contain the matching custom header and its value to the origin. You can also add a default rule to the ALB listener to return a fixed response code of 403 for requests that do not contain the matching custom header. This will allow you to redirect all requests to the CloudFront distribution and block direct access to the application through the ALB.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

To ensure all EC2 instances upload build artifacts through a single IP address:

A: Move all of the EC2 instances behind a NAT gateway. Provide the IP address of the NAT gateway to the third-party service for the allow list. A NAT gateway enables instances in a private subnet to connect to services outside AWS (such as a third-party service) but prevents the internet from initiating connections with those instances. Using a NAT gateway standardizes all outgoing traffic to use a single IP address. More information on NAT gateways can be found in AWS documentation NAT Gateways.

To resolve the issue of users being frequently prompted to log in, which typically indicates that session persistence is not configured:

Sticky Sessions: Enable sticky sessions (session affinity) on the ALB's target group. This configuration makes sure that all requests from a single user during a session are directed to the same EC2 instance, rather than being load balanced to different instances which might not share session data.

Configuration: This is done in the ALB settings under the target group attributes. Sticky sessions use a user-specific cookie generated by the ALB to route requests to the designated instance.

Session Cookie: The ALB handles the session cookie automatically, but you may adjust settings like the duration that the session cookie remains valid.

Enabling sticky sessions ensures that user sessions are maintained with the same server, reducing the instances of repeated logins and improving the user experience.

AWS Compute Optimizer Overview:

AWS Compute Optimizer analyzes the configuration and utilization of AWS resources, including EBS volumes, to provide cost-optimization recommendations.

Steps to Use AWS Compute Optimizer for EBS Volumes:

Enable Compute Optimizer:

Open the Compute Optimizer Console.

Enable the service for your account.

Allow Metrics Collection:

Allow sufficient time (up to 12 hours) for Compute Optimizer to gather metrics on your EBS volumes.

Review Recommendations:

Go to the Compute Optimizer dashboard.

Navigate to the EBS volume recommendations.

Review the findings for underutilized or overprovisioned volumes.

Why Other Options Are Incorrect:

A: Manually reviewing EC2 monitoring graphs is less efficient and prone to errors compared to Compute Optimizer.

B: Changing instance types to EBS-optimized without assessing performance is unnecessary and unrelated to cost optimization.

D: Installing the fio tool and benchmarking is a time-intensive, manual process that does not align with operational efficiency.

References:

AWS Compute Optimizer Documentation

EBS Volume Optimization

# Enable instance scale-in protection for specific instance.

aws autoscaling set-instance-protection --instance-ids i-5f2e8a0d --auto-scaling-group-name my-asg --protected-from-scale-in

# Disable instance scale-in protection for the specified instance.

aws autoscaling set-instance-protection --instance-ids i-5f2e8a0d --auto-scaling-group-name my-asg --no-protected-from-scale-in

https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-protection.html

To ensure that EC2 instances in an Auto Scaling group are not interrupted during message processing, the most effective method is to implement scale-in protection for the instances while they are actively processing messages. This can be done programmatically by modifying the Auto Scaling group's settings using the Amazon EC2 Auto Scaling API.

Starting Message Processing: When an instance begins processing a message, your application should make an API call to enable scale-in protection. This is done using the SetInstanceProtection action, setting the ProtectedFromScaleIn parameter to true for that specific instance.

Completing Message Processing: Once the message has been processed, another API call should be made to disable scale-in protection. This is done by calling the SetInstanceProtection action again, but this time setting the ProtectedFromScaleIn parameter to false.

This method ensures that while messages are being processed, the instances are not terminated by the Auto Scaling group regardless of any scale-in activities that might be triggered by other parameters like CPU utilization or a decrease in the number of messages in the queue.

AWS Documentation Reference:You can refer to the AWS documentation on managing instance scale-in protection in Auto Scaling groups for more details: Instance Scale-In Protection.

When managing performance and cost for EC2 instances across different families, the following steps are recommended:

Utilize AWS Compute Optimizer: This service provides recommendations for EC2 instances based on historical usage patterns and existing configurations. It helps identify optimal EC2 instance types and sizes that could deliver better performance and cost savings for your specific workload.

Implement Compute Savings Plans: After determining the most suitable instance types and sizes through Compute Optimizer, purchasing Compute Savings Plans can offer significant cost savings. These savings plans apply to any instance family across any region, providing flexibility and cost efficiency without upfront commitment to specific instance types.

AWS Documentation Reference:Further details can be found in the AWS documentation on Compute Optimizer and Compute Savings Plans:

AWS Compute Optimizer

AWS Compute Savings Plans.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ Cookies.html

You can configure each cache behavior to do one of the following: Forward all cookies to your origin – CloudFront includes all cookies sent by the viewer when it forwards requests to the origin. https://docs.aws.amazon.com/elastic loadbalancing/latest/application/sticky-sessions.html

By default, an Application Load Balancer routes each request independently to a registered target based on the chosen load-balancing algorithm.

When users report that old content is still appearing on the website after modifying files in an S3 bucket used by CloudFront, creating a CloudFront invalidation is the best solution.

CloudFront Invalidation:

Invalidation is the process of removing objects from the CloudFront cache before they expire.

This ensures that the updated content is served to the users.

Creating an Invalidation:

Open the CloudFront console.

Select the distribution and go to the "Invalidations" tab.

Create a new invalidation and specify the paths of the updated files.

References:

Invalidating Files in Amazon CloudFront

To securely connect to Amazon S3 buckets from Amazon EC2 instances over a private connection without incurring additional costs, you can use a gateway VPC endpoint for S3. This method allows you to create a single gateway VPC endpoint for all S3 buckets in the same region, ensuring secure, private communication.

Create a Gateway VPC Endpoint:

Navigate to the VPC console.

In the navigation pane, choose "Endpoints" and then click "Create Endpoint".

Select "AWS services" and then choose "com.amazonaws..s3" from the service name dropdown.

Select the VPC in which to create the endpoint and the appropriate route tables.

Click "Create endpoint".

Update the Route Tables:

The gateway VPC endpoint will automatically update the selected route tables to include routes that direct S3 traffic through the endpoint.

Ensure that the route tables associated with your subnets include routes for the S3 service pointing to the gateway VPC endpoint.

Verify the Configuration:

Ensure that instances in the VPC can access the S3 buckets using private IP addresses.

Check the routing configuration to confirm that traffic to S3 is routed through the gateway VPC endpoint.

References:

Gateway VPC Endpoints for Amazon S3

Creating a Gateway Endpoint

To ensure that the new web subnet can communicate with the database instance, follow these steps:

Create an Inbound Allow Rule for MySQL/Aurora (3306):

On the network ACL for the database subnets, add an inbound allow rule to permit traffic from the third web subnet on port 3306 (MySQL/Aurora).

To configure Route 53 for high availability with failover between a primary and a secondary server, the following steps should be taken:

Create Health Checks:

Create HTTP health checks for both the primary and secondary servers. Ensure these health checks are configured to look for HTTP 2xx or 3xx status codes.

To control the production account efficiently, the most operationally efficient solution is to create a service control policy (SCP) and apply it to the production OU. SCPs allow you to manage permissions for AWS Organizations at the organizational unit (OU) or account level.

Service Control Policies (SCPs):

SCPs are a type of policy that can restrict what services and actions can be used in the accounts within an OU.

They are applied at the organizational unit level and provide a way to enforce corporate policies across multiple AWS accounts.

Steps to Implement:

Navigate to the AWS Organizations console.

Create a new SCP that specifies the allowed or denied services and actions.

Apply the SCP to the production OU.

References:

AWS Organizations SCPs

To achieve maximum cost savings and flexibility for a 24/7 running application across different AWS regions and operating systems, the best approach is to use a Compute Savings Plan. Compute Savings Plans provide the most flexibility by automatically applying to any EC2 instance usage regardless of instance family, size, OS, tenancy, or AWS Region, and also apply to AWS Fargate and AWS Lambda usage.

Understand Compute Savings Plans:

Compute Savings Plans offer significant savings over On-Demand prices, with the flexibility to use the compute option that best suits your needs.

Purchase a Compute Savings Plan:

Login to the AWS Management Console.

Navigate to the Savings Plans section.

Choose Purchase Savings Plan and select Compute Savings Plan.

Define the hourly commitment amount and the term length (one or three years).

Monitor and Optimize Usage:

Ensure that your usage aligns with the Savings Plan to maximize savings.

Use AWS Cost Explorer and Savings Plans Utilization reports to monitor usage.

References:

Savings Plans

Compute Savings Plans

When experiencing slow file retrieval from an EFS file system as usage increases, configuring the file system for Provisioned Throughput can improve performance.

Provisioned Throughput:

Amazon EFS offers two throughput modes: Bursting Throughput and Provisioned Throughput.

With Provisioned Throughput, you can set a fixed throughput limit for your file system independent of the amount of data stored.

Configuring Provisioned Throughput:

Go to the EFS console and select your file system.

Click on "Manage File System" and then "Edit."

Choose the "Provisioned Throughput" option and set the desired throughput limit.

Benefits:

Provisioned Throughput ensures consistent performance and is beneficial for applications with high throughput requirements.

It helps in cases where the default Bursting Throughput mode might not provide sufficient throughput during peak times.

References:

Amazon EFS Performance

Managing Amazon EFS File Systems

To count application errors grouped by type across all CloudWatch Logs log groups, use CloudWatch Logs Insights.

Steps:

Access CloudWatch Logs Insights:

Open the CloudWatch console and navigate to Logs Insights.

Using CloudFormation Stack Sets:

CloudFormation stack sets allow you to deploy CloudFormation stacks across multiple AWS accounts and regions.

Steps:

Go to the AWS Management Console.

Navigate to CloudFormation and select "StackSets."

Click on "Create StackSet."

Provide the template URL or upload a template file.

Configure the stack set options and specify the accounts and regions.

Deploy the stack set to the specified accounts and regions.

To resolve DNS across VPCs in different accounts, you should:

Authorization: In Account B, initiate a VPC association authorization for the private hosted zone. This action allows another AWS account to associate a VPC with this hosted zone.

Association: In Account A, after receiving the authorization from Account B, associate its VPC with the private hosted zone that exists in Account B. This step will enable EC2 instances within the VPC in Account A to resolve DNS records hosted in Account B.

AWS Documentation Reference:AWS provides detailed guidance on associating VPCs with private hosted zones across accounts in their documentation: Associating VPCs and Private Hosted Zones Across Accounts.

 AWS Config Managed Rule for S3 Logging:

The s3-bucket-logging-enabled AWS Config rule checks whether S3 buckets have logging enabled.

Steps:

Go to the AWS Management Console.

Navigate to AWS Config.

Create a rule using s3-bucket-logging-enabled.

Add a remediation action using an AWS Lambda function or Systems Manager Automation runbook.

For routing based on the user's geographic location to comply with data residency requirements, the best solution is to use Amazon Route 53 geolocation routing policy. This policy allows you to configure DNS responses based on the geographic location of the user, ensuring that requests are directed to specific AWS Regions that align with the company’s data residency requirements. Option C is correct. The AWS Route 53 documentation provides details on implementing geolocation routing policies Amazon Route 53 Geolocation Routing.

Split-tunnel routing allows you to specify that only the traffic destined for your VPC is routed through the VPN tunnel. All other internet traffic is routed through the user’s local network.

Steps:

Open the Client VPN Console:

Sign in to the AWS Management Console.

Open the Amazon VPC console.

Modify the Client VPN Endpoint:

Select the Client VPN endpoint.

Choose "Modify Client VPN endpoint".

Enable the "Split-tunnel" option.

Update Route Table:

Ensure that the route table associated with the Client VPN endpoint routes traffic destined for the VPC IP range to the appropriate target (e.g., VPC subnet).

This configuration ensures that only traffic destined for resources in the VPC is sent over the VPN tunnel, while other traffic uses the user’s local internet connection.

References:

Split-Tunnel VPN Routing

AWS Client VPN Documentation

Amazon CloudWatch Synthetics allows you to create canaries that monitor your endpoints and APIs. Canaries are scripts that run on a schedule to check your application’s availability and performance, and can detect issues before your customers do.

Create a CloudWatch Synthetics Canary:

Open the Amazon CloudWatch console at Amazon CloudWatch Console.

Navigate to Synthetics and choose Create Canary.

Use the CloudWatch Synthetics Recorder plugin to generate the script for the canary run.

Configure the Canary:

Define the schedule for the canary to run (e.g., every minute).

Specify the endpoint URL of the website.

Configure the canary to check for specific errors or issues based on your requirements.

Create Alarms:

Set up CloudWatch alarms to notify you when the canary detects issues. You can configure the alarm to send notifications via Amazon SNS.

References:

Creating and Managing Canaries

CloudWatch Synthetics

For predictable, significant traffic increases during a specific time period every day:

EC2 Auto Scaling Group: Set up an Auto Scaling group for the EC2 instances running the web application. This group automatically adjusts the number of instances based on policies defined.

Scheduled Scaling Policy: Use a scheduled scaling policy to pre-emptively increase the number of instances before the expected increase in traffic each day. Scheduled scaling allows you to specify the scaling actions to occur at specific times, based on known or expected demand patterns.

Attach to ALB: Ensure the Auto Scaling group is attached to the Application Load Balancer, which will distribute incoming traffic across the dynamically adjusted pool of EC2 instances.

This approach ensures that the application scales up resources ahead of the expected load, maintaining performance and user experience without manual intervention.

Objective:

Resolve the failure of the CloudFormation Auto Scaling group resource creation due to a missing wait condition signal.

cfn-signal:

The cfn-signal command is used in user data scripts to signal CloudFormation that the resource has been successfully created or configured.

This ensures the stack creation process continues as expected.

Steps to Implement:

At the end of the user data script in the EC2 launch template:

Add the command: cfn-signal --stack --resource --region

Replace , , and with appropriate values.

AWS References:

cfn-signal:Using cfn-signal to Signal Completion

Why Other Options Are Incorrect:

Option B: While port 443 is necessary for CloudFormation signaling, the main issue is the absence of cfn-signal.

Option C: Reducing DesiredCapacity may bypass the error but does not solve the root cause.

Option D: Associating a public IP may help connectivity but is unrelated to the wait condition.

Storing the credentials in AWS Secrets Manager and configuring automatic rotation with a rotation interval of 30 days is the most efficient way to meet the requirements with the least operational overhead. AWS Secrets Manager automatically rotates the credentials at the specified interval, so there is no need for an additional AWS Lambda function or manual rotation. Additionally, Secrets Manager is integrated with Amazon RDS, so the credentials can be easily used with the RDS database.

To resolve the issue of the EC2 instance in a private subnet not being able to connect to external websites via HTTPS (port 443), it is necessary to adjust the security group settings:

Outbound Security Group Rules: Verify that the security group associated with the EC2 instance allows outbound traffic on port 443 to any destination (0.0.0.0/0). This rule is crucial because it enables the instance to initiate HTTPS connections to external websites.

Network ACLs: While the primary concern here is the security group, ensure also that the Network Access Control List (ACL) associated with the subnet permits outbound HTTPS traffic. However, the ACLs by default allow all outbound traffic unless specifically restricted.

Internet Connectivity: Since the instance is in a private subnet, ensure that it has a route to the internet through a NAT Gateway or NAT Instance located in a public subnet. Without this, the instance won't be able to reach external networks even if the security groups and ACLs are correctly configured.

By ensuring that the security group permits outbound HTTPS traffic, you address the most common configuration oversight that would prevent such connectivity.

To configure replication of a DynamoDB table to another AWS Region for disaster recovery, you should use DynamoDB Global Tables. Global Tables use DynamoDB Streams to replicate changes across multiple regions.

Enable DynamoDB Streams:

Navigate to the DynamoDB console.

Select your table and enable DynamoDB Streams.

Add a Global Table Region:

With Streams enabled, go to the Global Tables tab.

Add a new region to the table, specifying the region where you want to replicate the data.

Automatic Replication:

DynamoDB will handle the replication of data across regions automatically, ensuring data consistency and high availability.

References:

DynamoDB Global Tables

Enabling DynamoDB Streams

To control access to Amazon EC2 instances using AWS Systems Manager Session Manager based on specific tags:

Attach an IAM Policy to Users or Groups: Create and attach an Identity and Access Management (IAM) policy to the IAM users or groups who need access to the EC2 instances. This policy should specify the permissions required to use Session Manager to start sessions with the instances.

Create an IAM Policy with Tag-Based Conditions: Create an IAM policy that includes a condition element to allow access to EC2 instances based on specific tags. This policy can be designed to grant the ssm:StartSession permission only for instances that match certain tags, as defined in the condition block of the IAM policy. Here is a sample condition block that could be used:

"Condition": {

"StringEquals": {

"ec2:ResourceTag/YourTagName": "YourTagValue"

}

}

This ensures that only authorized users can initiate sessions with instances that have the specified tags, enhancing security and operational management.

By implementing these policies, you ensure that only the appropriate personnel have the controlled access required, based on the specific business needs and security guidelines.

To share an encrypted Amazon RDS DB instance snapshot across accounts, the least administrative overhead involves directly managing permissions on the AWS KMS key and sharing the snapshot. Here’s how to do it:

Take a Snapshot: Initiate a snapshot of your Amazon RDS DB instance in the production account. This captures the current state of the database.

Modify KMS Key Policy: Adjust the policy of the KMS key used for encryption (identified by the alias 'production-rds-key') to grant the kms:Decrypt permission to the migration account’s root user. This step is crucial as it allows the migration account to use the same encryption key to decrypt the snapshot.

Share the Snapshot: Share the newly created snapshot with the migration account using the RDS console or AWS CLI. The migration account will now be able to see and use this snapshot to create a new RDS instance.

AWS Documentation Reference:You can refer to the AWS documentation on sharing encrypted snapshots: Sharing Encrypted Snapshots.

To alleviate performance degradation on a heavily queried Amazon Aurora DB cluster:

A: Create an Aurora Replica node and implement an Auto Scaling policy based on CPU utilization. Ensure all reporting requests use the read-only connection string to redirect read queries to the replica. This setup alleviates the load on the primary DB instance by balancing read traffic, which can significantly improve stability during periods of high demand. Aurora Replicas are ideal for scaling read operations and can improve the performance of the primary instance by offloading read requests. More details on Aurora Replicas and their benefits can be found in the AWS documentation on Aurora Replicas Amazon Aurora Replicas.

To prevent all teams within an AWS Organizations structure from using Amazon DynamoDB while allowing access to other AWS services, the most effective solution is to use a Service Control Policy (SCP). SCPs apply at the organization, organizational unit (OU), or account level and can override individual IAM policies, including the root user's permissions:

B: Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization. This policy will effectively block DynamoDB actions across all member accounts without affecting the ability to access other AWS services. SCPs are powerful tools for centrally managing permissions in AWS Organizations and can enforce policy compliance across all accounts. Further information on SCPs and their usage can be found in the AWS documentation on Service Control Policies AWS Service Control Policies.

To track instance memory utilization and available disk space using Amazon CloudWatch, the SysOps administrator should install and configure the CloudWatch agent on all instances.

Install and Configure the CloudWatch Agent:

The CloudWatch agent can collect both system-level metrics (e.g., memory utilization, disk space) and application-level metrics and logs.

Install the CloudWatch agent on each EC2 instance and configure it to collect the necessary metrics.

Attach an IAM Role:

The EC2 instances need permissions to write logs and metrics to CloudWatch.

Attach an IAM role with the necessary permissions (e.g., CloudWatchAgentServerPolicy) to each EC2 instance.

To troubleshoot high CPU utilization during load testing without scaling out, the SysOps administrator should suspend the Launch and Terminate process types in the Auto Scaling group.

Suspending Processes:

Suspending the Launch and Terminate processes will temporarily stop the Auto Scaling group from adding or removing instances, allowing for troubleshooting without automatic scaling interruptions.

This ensures that the root cause of the high CPU utilization can be investigated without the Auto Scaling group launching additional instances.

Steps to Suspend Processes:

Go to the Auto Scaling group in the AWS Management Console.

Select the group and choose the "Suspend Processes" option.

Suspend the Launch and Terminate processes.

After troubleshooting, resume the processes to re-enable scaling.

To deliver digital content to authorized users through CloudFront while restricting unauthorized access, you can use an origin access identity (OAI) with signed URLs.

Store Content in S3 with Public Access Blocked:

Ensure the S3 bucket has public access blocked.

Navigate to the S3 console, select the bucket, and configure the "Block Public Access" settings.

AWS Config can continuously monitor and record your AWS resource configurations. It provides AWS Config rules that automatically check the configuration of AWS resources and notify you of compliance and non-compliance.

Steps:

Enable AWS Config:

Open the AWS Config console.

Follow the steps to set up AWS Config if it is not already enabled.

Add AWS Managed Rules:

In the AWS Config console, choose "Rules".

Add the s3-bucket-public-read-prohibited managed rule.

Configure the rule to check all S3 buckets.

Set Up SNS Notifications:

Create an Amazon SNS topic.

Subscribe your email or other communication channels to the SNS topic.

In AWS Config, configure the rule to send notifications to the SNS topic whenever there is a compliance change.

This approach ensures operational efficiency as AWS Config will automatically monitor S3 buckets and notify you through SNS if any bucket becomes publicly accessible.

References:

AWS Config Managed Rules

Setting Up AWS Config

To efficiently manage application deployments and updates on Amazon EC2 instances within an Auto Scaling group, along with ensuring security through vulnerability scans:

EC2 Image Builder: This AWS service automates the creation, management, and deployment of customized, secure, and up-to-date "golden" server images. By using EC2 Image Builder, you can automate the installation of software, patches, and security configurations.

Custom Recipes: Define a custom recipe in EC2 Image Builder that includes steps to install the application and its dependencies. Additionally, configure the recipe to perform vulnerability scans as part of the image creation process.

Automated Pipeline: Set up an Image Builder pipeline that triggers on a regular schedule (e.g., weekly) to incorporate the latest application updates and security patches into the AMI. The new AMIs can then be automatically used by the Auto Scaling group to launch updated and secure instances.

This solution not only streamlines the management of application deployments and updates but also ensures that all instances launched by the Auto Scaling group meet the latest security and compliance standards, minimizing operational overhead and enhancing security.

To securely manage and rotate the credentials for an Amazon RDS database created by a CloudFormation template, you should use AWS Secrets Manager. The AWS::SecretsManager::Secret resource can be used to create a secret, and the resolve:secretsmanager dynamic reference can be used to retrieve the secret.

Define Secrets Manager Resource in CloudFormation Template:

Add an AWS::SecretsManager::Secret resource to the CloudFormation template to store the database credentials.

Reference the Secret in RDS Resource:

Use the resolve:secretsmanager dynamic reference to retrieve the secret when creating the AWS::RDS::DBInstance resource.

Example CloudFormation Template:

MyDatabaseSecret:

Type: AWS::SecretsManager::Secret

Properties:

Name: MyDatabaseSecret

GenerateSecretString:

SecretStringTemplate: '{"username": "admin"}'

GenerateStringKey: "password"

PasswordLength: 16

ExcludeCharacters: '"@/\\'

MyRDSInstance:

Type: AWS::RDS::DBInstance

Properties:

DBInstanceIdentifier: MyRDSInstance

Engine: mysql

MasterUsername: !Sub '{{resolve:secretsmanager:MyDatabaseSecret:SecretString:username}}'

MasterUserPassword: !Sub '{{resolve:secretsmanager:MyDatabaseSecret:SecretString:password}}'

DBInstanceClass: db.t2.micro

AllocatedStorage: 20

References:

AWS::SecretsManager::Secret

Dynamic References

This is the most operationally efficient solution that meets the requirements, as it will allow the company to monitor the number of times that the web server returns an HTTP 404 response in real-time. The other solutions (creating a CloudWatch Logs subscription filter, an AWS Lambda function, or a script) will require additional steps and resources to monitor the number of times that the web server returns an HTTP 404 response.

A metric filter allows you to search for specific terms, phrases, or values in your log events, and then to create a metric based on the number of occurrences of those search terms. This allows you to create a CloudWatch Metric that can be used to create alarms and dashboards, which can be used to monitor the number of HTTP 404 responses returned by the web server.

To prevent the EC2 instances and their data from being deleted when a CloudFormation stack is deleted:

DeletionPolicy Attribute: In the CloudFormation template that defines the EC2 instances, set the DeletionPolicy attribute to Retain for each EC2 instance resource. This setting ensures that when the CloudFormation stack is deleted, the EC2 instances are not terminated.

Impact of the Retain Policy: With this policy, all data on the instance, such as data on its attached EBS volumes, remains intact even after the stack deletion. The resources will remain in your AWS account and will need to be managed or deleted manually thereafter.

This approach is directly supported by AWS CloudFormation and provides a simple and effective way to protect EC2 instances and their data during stack deletions.

Objective:

Notify administrators via email whenever a root user sign-in event occurs.

Using Amazon EventBridge and Amazon SNS:

EventBridge: Captures the root user sign-in events from AWS CloudTrail.

SNS: Publishes email notifications to subscribed recipients.

Steps to Implement:

Step 1: Enable CloudTrail for management events if not already enabled.

Step 2: Create an EventBridge rule:

Event pattern:

{

"source": ["aws.signin"],

"detail-type": ["AWS Console Sign In via Root Account"]

}

Step 3: Set the rule target to an SNS topic.

Step 4: Subscribe email addresses to the SNS topic.

AWS References:

EventBridge Rules:Creating EventBridge Rules

SNS Subscriptions:Amazon SNS Subscriptions

Why Other Options Are Incorrect:

Option A: Trusted Advisor does not directly send notifications for root sign-ins.

Option B: Using an EC2 instance and scripts is less efficient and not operationally optimized.

Option C: Sending notifications to SQS introduces unnecessary complexity and delays.

AWS WAF (Web Application Firewall) is designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can help mitigate cross-site scripting (XSS) vulnerabilities by allowing users to create rules to filter specific types of HTTP requests.

Create a Web ACL:

Go to the AWS WAF & Shield console.

Click "Create web ACL" and specify a name and the AWS resource to protect (e.g., an Application Load Balancer).

Add Rules to Mitigate XSS:

Within the Web ACL, add a new rule.

Select "Rule builder" and choose a rule type. For mitigating XSS, use "AWS Managed Rules" or create a custom rule.

AWS Managed Rules include a predefined set for XSS that you can enable.

Configure the XSS Rule:

If using a custom rule, configure it to inspect requests and block any that contain XSS patterns.

Use regular expressions or specific patterns to identify malicious scripts.

Deploy the Web ACL:

Once configured, save the Web ACL.

Associate it with your Application Load Balancer or CloudFront distribution to start filtering requests.

Monitor and Adjust:

Monitor the requests being blocked by AWS WAF.

Adjust the rules as necessary to ensure legitimate traffic is not affected and the application remains protected.

References:

AWS WAF Developer Guide

AWS WAF Managed Rules

Objective:

Ensure all traffic is encrypted using HTTPS.

Maintain the same endpoint (www.example.com) for existing users.

Use the validated ACM certificate for encryption.

Steps to Implement (Following Option D):

Step 1: Modify the HTTP Listener (Port 80):

Navigate to the ALB settings in the AWS Management Console.

Locate the existing HTTP listener on port 80.

Add a rule to redirect all HTTP traffic to HTTPS on port 443.

Redirection ensures users accessing http://www.example.com are automatically sent to https://www.example.com without any manual changes.

Step 2: Create an HTTPS Listener (Port 443):

Add a new listener for HTTPS on port 443 to the ALB.

Configure the listener to use the ACM certificate for www.example.com.

Set the default action to forward requests to the target group serving the application.

Step 3: Test the Configuration:

Verify that both http://www.example.com and https://www.example.com work seamlessly, with HTTP requests being redirected to HTTPS.

AWS References:

ALB HTTPS Redirection:Redirect HTTP to HTTPS using ALB

SSL Certificates with ACM:Using ACM certificates with ALB

Best Practices for ALB Configuration:ALB Listener Rules

Why Other Options Are Incorrect:

Option A and B: Do not address the redirection from HTTP to HTTPS, leaving the application exposed to unencrypted traffic.

Option C: Incorrectly suggests modifying the HTTP listener’s default rule for SSL, which is technically unsupported. The HTTP listener cannot use an SSL certificate.

Update AWS Account Name:

The AWS account name can only be changed by the root user of the account.

Steps:

Sign in to the AWS Management Console using the root user credentials.

Navigate to the "My Account" page.

Update the account name field and save the changes.

To delete the AWS CloudFormation stack without deleting the DynamoDB table, you need to apply a deletion policy to the DynamoDB resource. The Retain deletion policy ensures that the specified resource is not deleted when the stack is deleted. Instead, it is retained.

Steps:

Modify the CloudFormation Template:

Add a deletion policy to the DynamoDB table resource.

json

Copy code

{

"Resources": {

"MyDynamoDBTable": {

"Type": "AWS::DynamoDB::Table",

"DeletionPolicy": "Retain",

}

}

}

To meet the requirements of storing and rotating database credentials monthly and handling write-intensive traffic with variable client connections, you can use AWS Secrets Manager and Amazon RDS Proxy.

AWS Secrets Manager for Credential Rotation:

Open the AWS Secrets Manager console at AWS Secrets Manager Console.

Store the database credentials as a new secret and configure automatic rotation for every 30 days.

AWS Secrets Manager will handle the rotation process and update the secret with new credentials.

Amazon RDS Proxy for Connection Management:

Open the Amazon RDS console at Amazon RDS Console.

Create an RDS Proxy for the PostgreSQL DB instance.

Configure the proxy to handle the connection pooling and manage the connections efficiently.

The proxy will help manage the database connections, reduce the overhead on the database, and improve performance during peak loads.

This solution ensures that database credentials are securely stored and rotated automatically while handling increased database connections effectively.

References:

AWS Secrets Manager

Using AWS Secrets Manager to Rotate Amazon RDS Database Credentials

Amazon RDS Proxy

Increasing DB Instance Size:

Increasing the instance size provides more CPU and memory resources, which can help handle higher loads.

Steps:

Go to the AWS Management Console.

Navigate to RDS and select the DB instance.

Modify the instance to increase its size.

Apply the changes during the next maintenance window or immediately if it is a critical issue.

Monitoring Performance:

After resizing, monitor the instance during the next report run to ensure that it handles the load effectively.

To remediate the InsufficientInstanceCapacity error when scaling the Auto Scaling group, the SysOps administrator can take the following actions:

Change the Instance Type:

Insufficient capacity errors can occur if there is not enough available capacity for the specified instance type in the selected Availability Zone.

Changing to a different instance type might resolve the capacity issue.

Here are the steps to update an existing AWS CloudFormation stack:

Log in to the AWS Management Console and navigate to the CloudFormation service in the us-east-2 Region.

Find the existing stack named 1700182 and click on it.

Click on the "Update" button.

Choose "Replace current template" and upload the updated CloudFormation template from the Amazon S3 bucket named "cloudformation-bucket"

In the "Parameter" section, update the EC2 instance type to us-east-t2.nano and add the IP address range 192.168.100.0/30 for SSH access.

Replace the instance profile IAM role with IamRoleB.

In the "Capabilities" section, check the checkbox for "IAM Resources"

Choose the role CFServiceR01e and click on "Update Stack"

Wait for the stack to be updated.

Once the update is complete, navigate to the stack and click on the "Stack options" button, and select "Prevent updates to prevent accidental deletion"

To get the value of the Prodlnstanceld , navigate to the "Outputs" tab in the CloudFormation stack and find the key "Prodlnstanceld". The value corresponding to it is the value that you need to enter in the text box below.

Note:

You can use AWS CloudFormation to update an existing stack.

You can use the AWS CloudFormation service role to deploy updates.

You can refer to the AWS CloudFormation documentation for more information on how to update and manage stacks: https://aws.amazon.com/cloudformation/

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service: https://aws.amazon.com/eventbridge/

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

https://aws.amazon.com/s3/

https://aws.amazon.com/route53/

https://aws.amazon.com/cloudwatch/

Graphical user interface, text, application Description automatically generated

Graphical user interface, application, Teams Description automatically generated