Amazon Web Services SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

To meet the requirements for data storage and retrieval, the most cost-effective solution is to store the data in S3 Standard for the first 90 days and set up an S3 Lifecycle rule to move the data to S3 Glacier Flexible Retrieval after 90 days.

S3 Standard:

Provides high availability and low latency access.

Suitable for frequently accessed data.

S3 Lifecycle Rule:

Set up a lifecycle rule to transition the data from S3 Standard to S3 Glacier Flexible Retrieval after 90 days.

S3 Glacier Flexible Retrieval offers low-cost archival storage with retrieval times ranging from minutes to hours, which meets the requirement of less than 5 hours.

Implementation Steps:

Open the S3 console.

Select the bucket and navigate to "Management" -> "Lifecycle rules."

Create a new lifecycle rule to transition objects from S3 Standard to S3 Glacier Flexible Retrieval after 90 days.

Amazon S3 Storage Classes

S3 Lifecycle Configuration

To reduce the time required for new instances to become available in an Auto Scaling group, pre-installing the necessary software in the AMI used by the Auto Scaling group is the most effective solution.

Use EC2 Image Builder:

Utilize EC2 Image Builder to create a custom AMI that includes all the required software and configurations.

This reduces the setup time during instance launch, as the user data script will no longer need to install the software.

Understand the Problem:

All AWS resources must be tagged according to a company policy.

Continuous identification and enforcement of non-compliant resources are required.

Analyze the Requirements:

Monitor resources for compliance with tagging policies.

Enforce tagging policies and provide ongoing compliance reporting.

Evaluate the Options:

Option A: AWS CloudTrail.

Tracks user activity and API usage but does not enforce tagging policies.

Option B: Amazon Inspector.

Provides security assessments but does not monitor or enforce resource tagging.

Option C: AWS Config.

Monitors and evaluates the configurations of AWS resources.

AWS Config rules can be used to enforce tagging policies and continuously monitor compliance.

Option D: AWS Systems Manager.

Provides operational insights and management but does not specifically enforce tagging compliance.

Select the Best Solution:

Option C: AWS Config is designed for compliance and configuration monitoring, making it the ideal service for enforcing and identifying non-compliant resource tags.

AWS Config

Managing Resource Tag Compliance with AWS Config

AWS Config provides the necessary tools to enforce and monitor resource tagging compliance, ensuring all resources adhere to the set policy.

Cluster placement groups are designed to place EC2 instances close together within a single Availability Zone, which reduces latency and maximizes network performance between instances.

Cluster Placement Group: Reduces network latency by keeping instances in close proximity within the same hardware, providing low-latency, high-throughput networking.

High Network Performance: Ideal for latency-sensitive applications, especially those running within a clustered architecture.

Spread placement groups are designed for high availability rather than low latency. Jumbo frames may improve throughput but not significantly reduce latency.

AWS Systems Manager Maintenance Windows allow you to define a schedule for performing administrative tasks on your instances. By setting up a maintenance window:

Schedule Reboots:

Define a maintenance window outside business hours.

Register the EC2 instances as targets.

Assign the AWS-RestartEC2Instance Automation document to the task.

This setup ensures that instances are rebooted regularly, mitigating the effects of the memory leak until a permanent fix is implemented.

To securely manage and rotate the credentials for an Amazon RDS database created by a CloudFormation template, you should use AWS Secrets Manager. The AWS::SecretsManager::Secret resource can be used to create a secret, and the resolve:secretsmanager dynamic reference can be used to retrieve the secret.

Define Secrets Manager Resource in CloudFormation Template:

Add an AWS::SecretsManager::Secret resource to the CloudFormation template to store the database credentials.

Reference the Secret in RDS Resource:

Use the resolve:secretsmanager dynamic reference to retrieve the secret when creating the AWS::RDS::DBInstance resource.

Example CloudFormation Template:

MyDatabaseSecret:

Type: AWS::SecretsManager::Secret

Properties:

Name: MyDatabaseSecret

GenerateSecretString:

SecretStringTemplate: '{"username": "admin"}'

GenerateStringKey: "password"

PasswordLength: 16

ExcludeCharacters: '"@/\\'

MyRDSInstance:

Type: AWS::RDS::DBInstance

Properties:

DBInstanceIdentifier: MyRDSInstance

Engine: mysql

MasterUsername: !Sub '{{resolve:secretsmanager:MyDatabaseSecret:SecretString:username}}'

MasterUserPassword: !Sub '{{resolve:secretsmanager:MyDatabaseSecret:SecretString:password}}'

DBInstanceClass: db.t2.micro

AllocatedStorage: 20

AWS::SecretsManager::Secret

Dynamic References

If EC2 instances in one region (eu-central-1) need to access a database in another (us-east-1), and the database must remain only in us-east-1, the most operationally efficient solution is a VPC peering connection.

From the VPC Peering documentation:

Inter-Region VPC peering enables routing of traffic between VPCs in different AWS Regions using private IP addresses, without VPN or additional hardware.

Also:

You must manually update security group rules to allow traffic from the peered VPC.

So:

Create the VPC peering

Add the private IP range of the remote EC2 instances to the inbound rules of the database’s security group

To restrict resource creation in unapproved regions across multiple AWS accounts efficiently, combining SCPs and Control Tower settings is effective:

SCP for Regional Restrictions: Create and apply an SCP that explicitly denies access to AWS services in unapproved regions. This policy will enforce region-based restrictions at the organizational unit or account level.

Control Tower Regional Governance: Adjust the settings in AWS Control Tower's landing zone to include governance for approved regions. This helps in maintaining a standard configuration that aligns with organizational policies regarding AWS regions.

AWS Documentation Reference:

For more information, check the AWS documentation on SCPs and AWS Control Tower:

Service Control Policies

AWS Control Tower.

Root user usage is strongly discouraged in AWS best practices, and cannot be restricted using identity-based IAM policies, because the root user has inherent and unalterable permissions. However, within an AWS Organization, Service Control Policies (SCPs) can be used to put maximum permission boundaries on even the root user in member accounts.

From the AWS Organizations User Guide:

SCPs affect all users and roles in attached accounts, including the root user.

If you attach an SCP that explicitly denies access to specific actions, even the root user is denied.

So, to prevent the root user from performing EC2 actions, you would:

Use the organization's management account

Create an SCP with a Deny on ec2:* actions for Principal: "arn:aws:iam::*:root"

Attach the SCP to member accounts

❌ Why other options are incorrect:

A. IAM policies cannot control root user access – Root is not governed by IAM identity-based policies.

C. AWS Config is a monitoring tool, not a preventive security control mechanism. It tracks what happened, not blocks it.

D. Amazon Inspector detects vulnerabilities; it does not prevent or deny actions by any user, including root.

The least privilege required for reading encrypted data involves kms:Decrypt to decrypt, kms:DescribeKey to understand key properties, and kms:ListAliases if needed to identify the key alias.