Amazon Web Services SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

For a disaster recovery (DR) plan with a 15-minute RTO and RPO, the most cost-effective steps include:

B: Configuring the Aurora cluster to replicate data to the DR region using the Aurora global database option. This allows continuous replication with typically low replication lag, meeting the 15-minute RPO requirement efficiently.

C: Pre-configuring the DR region with an ALB and an Auto Scaling group using the same configuration as the primary region. This ensures readiness and quick failover, aligning with the 15-minute RTO target.

These steps provide a robust disaster recovery setup that minimizes downtime and data loss while optimizing costs by using built-in AWS functionalities and avoiding over-provisioning. More information can be found in the AWS documentation on Aurora Global Databases Aurora Global Databases and disaster recovery planning AWS Disaster Recovery.

Network ACLs (Access Control Lists) are stateless, meaning that return traffic must be explicitly allowed. While the inbound rule allows HTTP traffic on port 80, the absence of an outbound rule permitting return traffic on ephemeral ports (typically 1024-65535) prevents the response from reaching the client.

To resolve this:

Add an Outbound Rule:

Protocol: TCP

Port Range: 1024-65535

Destination: 0.0.0.0/0

Action: Allow

This configuration ensures that the server can send responses back to clients initiating HTTP requests.

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using a stack set, the SysOps administrator can manage deployments across different regions and accounts within AWS Organizations efficiently.

Setting up StackSets: First, define your CloudFormation template that describes all the resources that need to be deployed across the regions. Store this template in an S3 bucket accessible by the central administration account.

Service-Managed Permissions: When creating a stack set, select the option for service-managed permissions if you are using AWS Organizations. This allows AWS CloudFormation to automatically set up the necessary permissions in the target accounts.

Deploying the Stack Set: From the central administration account, create the stack set and specify the target accounts and regions. CloudFormation will then ensure that the resources defined in the template are instantiated in each of the specified regions and accounts.

This method simplifies management and ensures consistency of infrastructure across multiple regions and accounts, leveraging the organizational units in AWS Organizations for centralized governance.

To ensure that the application can scale based on the number of users that connect to the application, the SysOps administrator should create a scaling policy that scales the application based on the ActiveConnectionCount Amazon CloudWatch metric generated from the ELB.

ActiveConnectionCount Metric:

The ActiveConnectionCount metric indicates the number of active connections to the ELB. By monitoring this metric, the application can scale in response to the number of users actively connected.

Steps to Implement:

Go to the Amazon EC2 Auto Scaling console.

Select the Auto Scaling group that manages the EC2 instances for the application.

Create a new scaling policy.

Set the policy to scale based on the ActiveConnectionCount metric from the ELB.

Elastic Load Balancing Metrics and Dimensions

Auto Scaling Policies

Amazon Elastic File System (EFS) provides a scalable and highly available file storage solution for use with Amazon EC2 instances. To achieve high availability and durability:

EFS Standard Storage Class: Stores data redundantly across multiple Availability Zones, ensuring data durability and availability.

Mount Targets: For optimal performance and availability, create a mount target in each Availability Zone. EC2 instances should connect to the mount target in their respective Availability Zone.

By configuring EFS in this manner, the company ensures that all EC2 instances, regardless of their Availability Zone, have reliable and efficient access to shared data.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

To block traffic to the external IP address identified by Amazon GuardDuty, the SysOps administrator should create a network ACL and add an outbound deny rule for traffic to the external IP address.

Network ACL:

Network ACLs (Access Control Lists) are stateless and operate at the subnet level. They can allow or deny specific inbound and outbound traffic based on rules.

Steps to Implement:

Go to the VPC console and select the network ACL associated with the subnet containing the EC2 instance.

Add an outbound rule to deny traffic to the external IP address provided by GuardDuty.

Ensure the rule is properly placed in the rule number order to be evaluated correctly.

Network ACLs

GuardDuty Documentation

AWS Backup supports automated backups for EC2 (including attached EBS volumes). It allows:

Central management

Scheduled daily backups

Low operational overhead

From AWS Backup documentation:

You can create backup plans with schedules and retention rules, and assign resources like EC2 instances for automated backup.

To optimize the routing of requests to the application for users in different geographic locations, use Amazon Route 53's latency-based routing:

Latency Routing Policy: Modify the Route 53 DNS settings for app.anycompany.com by changing the routing policy to latency. This policy routes user requests to the server that has the lowest latency relative to the user's location.

Configure Latency Records: Create latency records for each ALB—one for the ALB in us-west-2 and another for the new ALB in ap-southeast-2. Route 53 will automatically direct traffic to the endpoint that provides the lowest latency connection to the user.

Seamless User Experience: By using latency routing, the URL remains the same (app.anycompany.com), but the backend service location varies based on which endpoint is likely to respond the fastest. This setup provides a seamless experience for users, reducing latency without requiring any changes to how they access the application.

This method leverages Route 53's advanced DNS capabilities to ensure optimal performance and user experience by dynamically routing traffic based on geographic latency considerations.

The problem requires modifying the inbound SSH rule to restrict access to a list of trusted IPs instead of deleting it entirely. AWS Config rules can be configured with automatic remediation actions using either Systems Manager Automation runbooks or Lambda functions. However, AWS Systems Manager Automation runbooks are often more appropriate for managing infrastructure changes like security group modifications because they are reusable, parameterized, and easier to audit.

Create a Systems Manager Automation runbook: This runbook will contain steps to add or modify the existing security group rule, allowing SSH access only from the specified IP addresses.

Update the AWS Config rule: Modify the Config rule to call this new runbook for its automatic remediation. This will prevent deletion of the SSH rule and instead update it based on the IP list.

Content-MD5 Header:

The Content-MD5 header provides an MD5 checksum of the object being uploaded. Amazon S3 uses this checksum to verify the integrity of the object.

Steps:

When uploading an object to S3, calculate the MD5 checksum of the object.

Include the Content-MD5 header with the base64-encoded MD5 checksum value in the upload request.

This ensures that S3 can detect if the object is corrupted during the upload process.

PUT Object - Amazon Simple Storage Service