SOA-C02 Exam Dumps - AWS Certified SysOps Administrator - Associate (SOA-C02)

To resolve DNS names for on-premises resources from EC2 instances in a VPC, you use Amazon Route 53 Resolver outbound endpoints to forward DNS queries to on-premises DNS servers.

From the Route 53 Resolver documentation:

Resolver outbound endpoints allow DNS queries from resources in your VPC to be forwarded to DNS servers in your on-premises network over Direct Connect or VPN.

Migrating to gp3 volumes allows for customizable IOPS at a lower cost than gp2, meeting the requirement for higher IOPS during the promotion. Throughput Optimized HDD (st1) volumes do not support high IOPS, and ElastiCache does not address I/O for EBS volumes.

To address the issue of slow startup times during unexpected traffic surges, a warm pool for the Auto Scaling group is an effective solution:

Warm Pool Concept: A warm pool allows you to maintain a set of pre-initialized or partially initialized EC2 instances that are not actively serving traffic but can be quickly brought online when needed.

Management of Instances: Instances in the warm pool can be kept in a stopped state and then started much more quickly than launching new instances, as the machine-specific data caches are already created.

Scalability and Responsiveness: During a surge in traffic, especially unpredictable ones like those triggered by advertisements, instances from the warm pool can be rapidly activated to handle the increased load, ensuring that the application remains responsive without the typical delays associated with boot processes.

This method significantly reduces the time to scale out by utilizing pre-warmed instances, enhancing the application's ability to cope with sudden and substantial increases in traffic.

Weighted routing in Route 53 allows you to direct a percentage of traffic to different resources by configuring specific weights. For this requirement, you can:

Weighted Routing Policy: This is the most suitable approach for gradually rolling out a new version by controlling traffic distribution.

Weight Configuration: Setting a weight of 80 for the original resource and 20 for the new resource ensures that 80% of the traffic continues to go to the existing version, while 20% is directed to the new version.

Other routing policies, such as failover and multivalue answer, are not intended for traffic distribution based on percentage; they serve different use cases.

To enforce MFA for API calls using the AWS CLI, the users must use temporary security credentials obtained through the get-session-token command. Here’s how to do it:

Enable MFA for IAM Users:

Ensure that MFA is enabled and properly configured for each IAM user.

Configure IAM Policy for MFA Enforcement:

Attach an IAM policy that denies API calls unless MFA is used. This policy should be attached to all users.

Obtain Temporary Security Credentials Using MFA:

Users need to use the aws sts get-session-token command to obtain temporary credentials. This command requires the MFA token.

sh

Copy code

aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code 123456

Use Temporary Credentials for API Calls:

After obtaining the temporary credentials, set them as environment variables or configure them in the AWS CLI profile to make API calls.

export AWS_ACCESS_KEY_ID=...

export AWS_SECRET_ACCESS_KEY=...

export AWS_SESSION_TOKEN=...

Enabling MFA for IAM Users

Using Temporary Security Credentials

AWS CLI get-session-token

Understand the Problem:

The requirement is to delete the CloudFormation stack without deleting the DynamoDB table.

Analyze the Requirements:

Ensure the DynamoDB table is preserved when the CloudFormation stack is deleted.

Evaluate the Options:

Option A: Add a Retain deletion policy to the DynamoDB resource.

The Retain policy ensures that the DynamoDB table is not deleted when the stack is deleted.

Option B: Add a Snapshot deletion policy to the DynamoDB resource.

Snapshot policy is not applicable to DynamoDB tables and would not retain the table itself.

Option C: Enable termination protection on the CloudFormation stack.

Prevents stack deletion entirely but does not specifically protect the DynamoDB table.

Option D: Update the IAM policy with a Deny statement for dynamodb:DeleteTable.

Prevents deletion of the table but is not a CloudFormation stack-specific solution.

Select the Best Solution:

Option A: Adding a Retain deletion policy to the DynamoDB resource in the CloudFormation stack ensures the table is preserved when the stack is deleted.

AWS CloudFormation Deletion Policy

Using the Retain deletion policy ensures that the DynamoDB table is not deleted when the CloudFormation stack is deleted, preserving critical data.

A stack policy is used to protect specific resources within a CloudFormation stack from being unintentionally updated or deleted. By using a stack policy, you can explicitly deny updates to critical resources while allowing updates to other parts of the stack.

Create a Stack Policy:

Define a JSON stack policy that includes an explicit allow for all resources and an explicit deny for the protected resources. For example:

json

Copy code

{

"Statement": [

{

"Effect": "Allow",

"Action": "Update:*",

"Principal": "*",

"Resource": "*"

},

{

"Effect": "Deny",

"Action": "Update:*",

"Principal": "*",

"Resource": "arn:aws:cloudformation:region:account-id:stack/stack-name/protected-resource"

}

]

}

Replace region, account-id, stack-name, and protected-resource with the appropriate values.

Apply the Stack Policy:

Navigate to the CloudFormation console.

Select the stack you want to protect.

Choose "Stack actions" and then "Edit stack policy".

Paste the stack policy JSON and save the policy.

Perform Stack Updates:

When performing stack updates, the stack policy will enforce the rules specified, preventing accidental updates to the protected resources.

Review and Adjust:

Periodically review the stack policy to ensure it still meets the needs of the organization and update it as necessary.

AWS CloudFormation Stack Policies

Creating and Applying a Stack Policy

"You can add tags to resources when you create the resource. You can use the resource's service console or API to add, change, or remove those tags one resource at a time. To add tags to—or edit or delete tags of—multiple resources at once, use Tag Editor. With Tag Editor, you search for the resources that you want to tag, and then manage tags for the resources in your search results." https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html