Amazon Web Services SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

To centrally store traffic logs for a website delivered through Amazon CloudFront and ensure all data is encrypted at rest, using an S3 bucket with default server-side encryption is the optimal solution.

Create an S3 Bucket:

Open the Amazon S3 console at Amazon S3 Console.

Create a new S3 bucket for storing the logs.

Enable Default Encryption:

Select the S3 bucket, navigate to Properties, and enable Default encryption.

Choose AES-256 for server-side encryption.

Configure CloudFront Logging:

Open the Amazon CloudFront console at Amazon CloudFront Console.

Select the CloudFront distribution and navigate to Edit.

In the logging section, enable logging and specify the S3 bucket created for log storage.

This setup ensures that all logs are encrypted at rest using AES-256 and stored centrally in an S3 bucket.

Amazon CloudFront Access Logs

Amazon S3 Default Encryption

To optimize storage costs while maintaining immediate access to objects for one year, the following strategy is recommended:

Initial Storage in S3 Standard:Store the objects in S3 Standard for the first 30 days, as they are frequently accessed during this period.

Transition to S3 Standard-Infrequent Access (S3 Standard-IA):After 30 days, transition the objects to S3 Standard-IA, which is designed for data that is accessed less frequently but requires rapid access when needed. This storage class offers lower storage costs compared to S3 Standard, making it cost-effective for data that is rarely accessed after the initial 30 days.

This approach ensures that the objects remain immediately retrievable for the entire year while optimizing storage costs based on access patterns.

Understand the Problem:

A user attempts to deploy a CloudFormation template to create an S3 bucket but the stack creation fails.

The user authenticates using Active Directory credentials.

Analyze the Requirements:

Identify permissions required for successful CloudFormation stack creation.

Evaluate the Options:

Option A: The user's IAM policy does not allow the cloudformation:CreateStack action.

Without this permission, the user cannot create CloudFormation stacks.

Option B: The user's IAM policy does not allow the cloudformation:CreateStackSet action.

StackSet is used for managing stacks across multiple accounts and regions, not relevant for a single stack creation.

Option C: The user's IAM policy does not allow the s3:CreateBucket action.

This permission is required to create an S3 bucket as part of the stack.

Option D: The user's IAM policy explicitly denies the s3:ListBucket action.

This permission is not required for bucket creation but for listing existing buckets.

Option E: The user's IAM policy explicitly denies the s3:PutObject action.

This permission is required to put objects in a bucket, not to create the bucket.

Select the Best Solution:

Option A and C: The user must have permissions for cloudformation:CreateStack and s3:CreateBucket to successfully create the stack and the S3 bucket.

AWS CloudFormation Permissions

IAM Policies and Permissions

Ensuring the user has the required permissions for cloudformation:CreateStack and s3:CreateBucket is crucial for successful stack creation.

To manage common components across multiple CloudFormation templates efficiently:

Create Nested Stacks:

Develop separate CloudFormation templates for the common components.

Use these templates as nested stacks within the main templates.

The VolumeQueueLength metric being high indicates the volume can’t process I/O operations fast enough, leading to performance degradation.

From Amazon EBS Performance Guide:

For gp3 volumes, performance can be adjusted by increasing IOPS or throughput independently of storage size.

The gp3 volume type allows provisioning up to:

16,000 IOPS

1,000 MB/s throughput

❌ Why the other options are incorrect:

A: ElastiCache is a caching layer and doesn't attach to EBS volumes.

B: Auto-Enabled IO is only relevant when IO is disabled due to volume-level issues, not performance.

D: Enhanced networking helps network performance, not disk I/O latency.

Amazon Macie is a security service designed to help organizations find, classify, and protect sensitive data stored in Amazon S3. Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3. Creating a discovery job with the managed data identifier will allow Macie to identify sensitive personal information in the S3 files and classify it accordingly. Enabling AWS Config and Amazon GuardDuty will not help with this requirement as they are not designed to automatically classify and protect data.

To use the static website as a backup to the web application and ensure automated failover, the SysOps administrator should set up failover routing policies in Amazon Route 53.

Failover Routing Policies:

Route 53 failover routing allows you to route traffic to a primary resource when it is healthy and automatically failover to a secondary resource when the primary becomes unhealthy.

Steps to Implement:

Primary Failover Record: Create a primary failover routing policy record and set the value to the ALB. Associate this record with a Route 53 health check that monitors the ALB.

Secondary Failover Record: Create a secondary failover routing policy record and set the value to the static website.

Amazon Route 53 Failover Routing

One possible cause for the failure of the CloudFormation template to create an EC2 instance in the us-west-2 Region is that the Amazon Machine Image (AMI) ID referenced in the template could not be found in the us-west-2 Region. This could be due to the fact that the AMI is not available in that region, or the credentials used to access the AMI were not configured properly. The other options (resource tags defined in the CloudFormation template are specific to the us-east-I Region, the cfn-init script did not run during resource provisioning in the us-west-2 Region, and the IAM user was not created in the specified Region) are not valid causes for this failure.

Dedicated Hosts are physical servers that are dedicated to a single customer, ensuring that the customer’s workloads are not shared with other customers or with other AWS accounts within the company. This will ensure that the company’s security policy is followed and that sensitive workloads are running on hardware that is not shared with other customers or with other AWS accounts within the company.

The Kubernetes Horizontal Pod Autoscaler (HPA) automatically scales the number of pods in a deployment, replica set, or stateful set based on observed CPU utilization or other custom metrics.

From Kubernetes documentation:

The HPA automatically scales the number of pods in a deployment depending on CPU usage or other select metrics.

It is commonly used to handle traffic surges with minimal manual intervention.

This is the most efficient and low-maintenance way to scale workloads in Amazon EKS in response to traffic changes.