Amazon Web Services SOA-C02 - AWS Certified SysOps Administrator - Associate (SOA-C02)

Here are the steps to configure Amazon EventBridge to meet the above requirements:

Log in to the AWS Management Console by using the AWS Management Console shortcut from the VM desktop. Make sure that you are logged in to the desired AWS account.

Go to the EventBridge service in the us-east-2 Region.

In the EventBridge service, navigate to the "Event buses" page.

Click on the "Create event bus" button.

Give a name to your event bus, and select "default" as the event source type.

Navigate to "Rules" page and create a new rule named "RunFunction"

In the "Event pattern" section, select "Schedule" as the event source and set the schedule to run every 15 minutes.

In the "Actions" section, select "Send to Lambda" and choose the existing AWS Lambda function named "LogEventFunction"

Create another rule named "SpotWarning"

In the "Event pattern" section, select "EC2" as the event source, and filter the events on "EC2 Spot Instance interruption"

In the "Actions" section, select "Send to SNS topic" and create a new standard Amazon SNS topic named "TopicEvents"

In the "Input Transformer" section, set the Input Path to {“instance” : “$.detail.instance-id”} and Input template to “The EC2 Spot Instance has been interrupted on account.

Now all Amazon EC2 events in the default event bus will be replayable for past 90 days.

Note:

You can use the AWS Management Console, AWS CLI, or SDKs to create and manage EventBridge resources.

You can use CloudTrail event history to replay events from the past 90 days.

You can refer to the AWS EventBridge documentation for more information on how to configure and use the service: https://aws.amazon.com/eventbridge/

Here are the steps to configure an Amazon S3 bucket to serve a static error page in the event of a failure at the primary site:

Log in to the AWS Management Console and navigate to the S3 service in the us-east-2 Region.

Find the existing S3 bucket named lab-751906329398-26023898.com and click on it.

In the "Properties" tab, click on "Static website hosting" and select "Use this bucket to host a website".

In "Index Document" field, enter the name of the object that you want to use as the index document, in this case, "index.html"

In the "Permissions" tab, click on "Block Public Access", and make sure that "Block all public access" is turned OFF.

Click on "Bucket Policy" and add the following policy to allow public read access:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": "*",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::lab-751906329398-26023898.com/*"

}

]

}

Now navigate to the Amazon Route 53 service, and find the existing hosted zone named lab-751906329398-26023898.com.

Click on the "A record" and update the routing policy to "Primary - Failover" and add the existing ALB as the primary record.

Click on "Create Record" button and create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Now, when the primary site (ALB) goes down, traffic will be automatically routed to the S3 bucket serving the static error page.

Note:

You can use CloudWatch to monitor the health of your ALB.

You can use Amazon S3 to host a static website.

You can use Amazon Route 53 for routing traffic to different resources based on health checks.

You can refer to the AWS documentation for more information on how to configure and use these services:

https://aws.amazon.com/s3/

https://aws.amazon.com/route53/

https://aws.amazon.com/cloudwatch/

Graphical user interface, application, Teams Description automatically generated

https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

RDS Proxy acts as an intermediary between your application and an RDS database. RDS Proxy establishes and manages the necessary connection pools to your database so that your application creates fewer database connections. Your Lambda functions interact with RDS Proxy instead of your database instance. It handles the connection pooling necessary for scaling many simultaneous connections created by concurrent Lambda functions. This allows your Lambda applications to reuse existing connections, rather than creating new connections for every function invocation.

Check "Database proxy for Amazon RDS" section in the link to see how RDS proxy help Lambda handle huge connections to RDS MySQL https://aws.amazon.com/blogs/compute/using-amazon-rds-proxy-with-aws-lambda/

To prevent accounts from leaving an AWS Organization, an SCP that denies the LeaveOrganization action should be applied to the root organizational unit (OU).

Service Control Policy (SCP): By denying LeaveOrganization, member accounts are restricted from leaving the organization.

Root OU Application: Applying this policy at the root level ensures that no account in the organization can bypass it.

The RemoveAccountFromOrganization action pertains to removing an account by the organization’s management account rather than preventing member accounts from leaving. AWS Config’s account-part-of-organizations rule does not enforce this restriction but only monitors it.

To upgrade the instance type of a Memcached cluster in Amazon ElastiCache due to increased usage and the need for more memory:

ModifyCacheCluster API: Utilize the ModifyCacheCluster API call. This API allows you to change various settings of an existing cache cluster, including the instance type, which is referred to as cacheNodeType.

Instance Upgrade: Specify a new, larger cacheNodeType that provides more memory. This upgrade will involve a brief interruption as nodes are replaced with the larger type, but it is necessary to accommodate the increased load and memory requirements.

Cluster Availability: Ensure that the Memcached cluster is configured for minimal downtime during this change. The upgrade process is handled by ElastiCache, and the new nodes will join the cluster with more memory capacity.

This approach enables you to effectively scale up the resources available to your Memcached cluster, enhancing its performance and capacity to handle larger workloads.

To resolve the issue where mobile users are being served the desktop version of the website, you need to forward the User-Agent header from CloudFront to your origin (ALB). This allows the origin to detect the type of device and serve the appropriate content.

Login to AWS Management Console:

Open the CloudFront console at Amazon CloudFront Console.

Select the Distribution:

Choose the CloudFront distribution you want to modify.

Update Cache Behavior Settings:

Go to the Behaviors tab.

Select the default behavior (or any specific behavior that you want to update) and choose Edit.

Forward Headers:

Under Cache Key and Origin Requests, choose Origin Request Policy.

Select Create Policy and include the User-Agent header in the policy.

Save the policy and apply it to the cache behavior.

This configuration ensures that the User-Agent header is forwarded to the origin, enabling it to serve different content based on the device type.

Configuring CloudFront to Forward Headers

Creating CloudFront Cache Behaviors

To optimize the cost of a computing environment consisting of control nodes that are always on and task nodes that operate for a limited number of hours each day, consider the following strategies:

Purchase EC2 Instance Savings Plans for the Control Nodes: Since the control nodes are required to be operational 24/7, purchasing EC2 Instance Savings Plans is a cost-effective choice. These plans provide a lower price compared to on-demand instances, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one or three-year period.

Use Spot Instances for the Task Nodes: Given that task nodes are used for a shorter duration (4 hours a day) and presumably can tolerate interruptions, using Spot Instances can significantly reduce costs. Spot Instances offer unused EC2 capacity at a fraction of the regular price, which can lead to substantial cost savings. Additionally, configure the system to fall back to On-Demand Instances during periods when Spot Instances are not available to ensure availability.

This combination leverages cost savings for continuous use and flexible, lower-cost options for intermittent use, optimizing overall operational costs efficiently.

Using a Route 53 Resolver outbound endpoint allows DNS queries for on-premises hosts to be forwarded to the on-premises DNS server over the Direct Connect connection, minimizing maintenance and automating name resolution without the need for manual entry or file management.

Step-by-Step Explanation:

Understand the Problem:

Manage a database password securely and rotate it every 90 days.

Analyze the Requirements:

Ensure secure management and automatic rotation of the database password.

Minimize manual intervention and risk of exposing the password.

Evaluate the Options:

Option A: Use the AWS SecretsManager Secret resource with the GenerateSecretString property.

Secrets Manager can automatically generate a strong password.

The RotationSchedule resource defines a rotation schedule to rotate the password every 90 days.

Option B: Use the AWS SecretsManager Secret resource with the SecretString property.

Requires accepting a password as a CloudFormation parameter and does not automate password generation.

Option C: Use the AWS SSM Parameter resource.

AWS Systems Manager Parameter Store can store secure strings, but it does not support automatic rotation.

Option D: Use the AWS SSM Parameter resource without secure string.

This option does not offer the security of Secrets Manager and does not support automatic rotation.

Select the Best Solution:

Option A: Using AWS Secrets Manager with the GenerateSecretString property and RotationSchedule resource ensures secure management and automatic rotation of the database password.

AWS Secrets Manager

Rotate AWS Secrets Manager Secrets

AWS Secrets Manager provides secure storage, automatic rotation, and seamless integration with applications for accessing secrets.