SOA-C02 Amazon Web Services Exam Lab Questions

The requirement is to automate recovery if the service crashes on any of the EC2 instances.

Option A: Install the Amazon CloudWatch agent on the EC2 instances. Configure the CloudWatch agent to monitor the service. Set the CloudWatch action to restart if the service health check fails . This is a valid solution because the CloudWatch agent can be configured to monitor the service and take action (restart the service) if the health check fails .

Option C: Tag the EC2 instances. Use AWS Systems Manager State Manager to create an association that uses the AWS-RunShellScript document. Configure the association command with a script that checks if the service is running and that starts the service if the service is not running. For targets, specify the EC2 instance tag. Schedule the association to run every 5 minutes678. This is a valid solution because AWS Systems Manager State Manager can be used to maintain a consistent state of the EC2 instances. It can run a script to check if the service is running and start the service if it’s not running678.

Option B: Tag the EC2 instances. Create an AWS Lambda function that uses AWS Systems Manager Session Manager to log in to the tagged EC2 instances and restart the service. Schedule the Lambda function to run every 5 minutes . This is not a valid solution because AWS Lambda functions are not designed to log in to EC2 instances and restart services. They are used for running serverless applications.

Option D: Update the EC2 user data that is specified in the Auto Scaling group’s launch template to include a script that runs on a cron schedule every 5 minutes131415. This is not a valid solution because user data scripts are run only during the launch of an EC2 instance. They are not designed to run on a schedule.

Option E: Update the EC2 user data that is specified in the Auto Scaling group’s launch template to ensure that the service runs during startup. Redeploy all the EC2 instances in the Auto Scaling group with the updated launch template131416. This is not a valid solution because while user data can be used to ensure that the service runs during startup, it does not provide a solution for when the service crashes after the EC2 instance has started.

To rotate an AWS KMS customer master key (CMK) with imported key material every 6 months, follow these steps:

Create a New CMK with New Imported Material:

Generate new key material according to your security policies.

Create a new CMK in AWS KMS and import the new key material into this CMK.

Step-by-Step Explanation:

Understand the Problem:

Each Lambda function generates 1 GB of log data daily in its own CloudWatch Logs log group.

The security team needs a count of application errors, grouped by type, across all log groups.

Analyze the Requirements:

Aggregate and analyze log data across multiple log groups.

Count and group errors by type.

Evaluate the Options:

Option A: Perform a CloudWatch Logs Insights query.

CloudWatch Logs Insights allows querying and analyzing log data.

The stats command and count function can aggregate and count errors across log groups.

Option B: Perform a CloudWatch Logs search with groupby and count.

CloudWatch Logs search does not support these functions; Logs Insights is needed for advanced queries.

Option C: Perform an Amazon Athena query.

Athena can query data in S3 but is not directly applicable to CloudWatch Logs.

Option D: Perform an Amazon RDS query.

RDS queries are for database data, not applicable to log data in CloudWatch.

Select the Best Solution:

Option A: CloudWatch Logs Insights is designed for querying and analyzing log data, making it the appropriate choice for counting and grouping errors.

References:

Amazon CloudWatch Logs Insights

CloudWatch Logs Insights provides powerful querying capabilities to aggregate and analyze log data, including counting and grouping errors.

The problem requires modifying the inbound SSH rule to restrict access to a list of trusted IPs instead of deleting it entirely. AWS Config rules can be configured with automatic remediation actions using either Systems Manager Automation runbooks or Lambda functions. However, AWS Systems Manager Automation runbooks are often more appropriate for managing infrastructure changes like security group modifications because they are reusable, parameterized, and easier to audit.

Create a Systems Manager Automation runbook: This runbook will contain steps to add or modify the existing security group rule, allowing SSH access only from the specified IP addresses.

Update the AWS Config rule: Modify the Config rule to call this new runbook for its automatic remediation. This will prevent deletion of the SSH rule and instead update it based on the IP list.