Amazon Web Services SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

https://docs.aws.amazon.com/zh_tw/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries.html

To give the application the ability to resolve internal domain names, the SysOps administrator should create an Amazon Route 53 Resolver outbound endpoint and configure it to forward DNS queries to the on-premises DNS server.

Route 53 Resolver Outbound Endpoint:

An outbound endpoint enables DNS queries to be forwarded from AWS resources in a VPC to an on-premises DNS server.

Steps to Implement:

In the Route 53 console, create a new outbound endpoint in the VPC.

Configure the outbound endpoint with the IP address of the on-premises DNS server.

Update the VPC DNS settings to use the Route 53 Resolver.

Route 53 Resolver Endpoints

Creating an Outbound Endpoint

To restrict EC2 resource deployment in a specific region and restrict root credentials usage:

Create Service Control Policies (SCPs):

Use AWS Organizations to create SCPs that restrict actions for all member accounts.

Create an SCP to deny the creation of EC2 instances in the ap-southeast-2 region.

Create an SCP to deny the use of root credentials in member accounts.

https://docs.aws.amazon.com/efs/latest/ug/encryption.html

Amazon EFS supports two forms of encryption for file systems, encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system.

Objective:

Address high and unpredictable CPU usage by automating the scaling of resources.

Using Auto Scaling Policies:

Scaling policies can dynamically adjust the number of instances in an Auto Scaling group based on metrics like CPU utilization.

Steps to Implement:

Step 1: Increase the maximum capacity of the Auto Scaling group (e.g., from 2 to a higher value like 5).

Step 2: Create a scaling policy:

Use a target tracking scaling policy with a threshold of 80% CPU utilization.

When the CPU usage exceeds 80%, additional instances will be launched automatically.

Step 3: Monitor scaling behavior and adjust thresholds or capacities if necessary.

AWS References:

Target Tracking Scaling Policies:Scaling Policies for Auto Scaling Groups

Dynamic Scaling Best Practices:Dynamic Scaling in Auto Scaling

Why Other Options Are Incorrect:

Option A: Deploying additional instances outside the Auto Scaling group is not scalable and defeats the purpose of automation.

Option B: Switching to burstable instances does not resolve the issue since the workload is CPU-bound and consistently high.

Option D: Increasing desired capacity does not account for the unpredictability of peak periods, as it sets a static scaling behavior rather than dynamic.

AWS Budgets allows you to set custom cost and usage budgets that alert you when you exceed your thresholds. This feature helps teams to monitor their spending and ensure it aligns with the set budget.

Steps:

Open AWS Budgets:

Sign in to the AWS Management Console.

Open the AWS Budgets dashboard.

Create a New Budget:

Click on "Create a budget".

Select "Cost budget" and click "Next".

Set Budget Details:

Enter a unique name for the budget.

Define the period (e.g., quarterly) and start date.

Set the budgeted amount as specified by the finance department.

Define Filters:

Use the filters to select the specific services each team is responsible for (e.g., storage, compute, database).

Set Alerts:

Specify the threshold for forecasted cost that will trigger an alert (e.g., 80% of the budget).

Enter the email addresses of the recipients (the respective teams).

Review and Create:

Review the configuration and click "Create budget".

By setting up individual budgets for each team and filtering by services, you can ensure that each team is alerted when their projected spend approaches the threshold. This method does not incur additional compute, storage, or database costs.

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.

Access to Amazon DynamoDB requires credentials. Those credentials must have permissions to access AWS resources, such as an Amazon DynamoDB table or an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and DynamoDB to help secure access to your resources. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/authentication-and-access-control.html

To address the issue of slow startup times during unexpected traffic surges, a warm pool for the Auto Scaling group is an effective solution:

Warm Pool Concept: A warm pool allows you to maintain a set of pre-initialized or partially initialized EC2 instances that are not actively serving traffic but can be quickly brought online when needed.

Management of Instances: Instances in the warm pool can be kept in a stopped state and then started much more quickly than launching new instances, as the machine-specific data caches are already created.

Scalability and Responsiveness: During a surge in traffic, especially unpredictable ones like those triggered by advertisements, instances from the warm pool can be rapidly activated to handle the increased load, ensuring that the application remains responsive without the typical delays associated with boot processes.

This method significantly reduces the time to scale out by utilizing pre-warmed instances, enhancing the application's ability to cope with sudden and substantial increases in traffic.

Several factors can affect the availability of an S3 object through a presigned URL:

Expiration of Presigned URL: A presigned URL is valid only until its specified expiration time. Once expired, it becomes inaccessible.

Invalid Access Key: If the access key of the SysOps administrator who generated the presigned URL is revoked or rotated, the URL will no longer be valid.

Other options like enabling Block Public Access or changing the object ACL to All Users are not necessary for presigned URLs, as these URLs temporarily grant access regardless of public bucket settings.

FIFO queues don't support per-message delays, only per-queue delays. If your application sets the same value of the DelaySeconds parameter on each message, you must modify your application to remove the per-message delay and set DelaySeconds on the entire queue instead.

https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/FIFO-queues-moving.html