SOA-C02 Exam Dumps - AWS Certified SysOps Administrator - Associate (SOA-C02)

To delete the AWS CloudFormation stack without deleting the DynamoDB table, you need to apply a deletion policy to the DynamoDB resource. The Retain deletion policy ensures that the specified resource is not deleted when the stack is deleted. Instead, it is retained.

Steps:

Modify the CloudFormation Template:

Add a deletion policy to the DynamoDB table resource.

json

Copy code

{

"Resources": {

"MyDynamoDBTable": {

"Type": "AWS::DynamoDB::Table",

"DeletionPolicy": "Retain",

}

}

}

To meet the requirements of storing and rotating database credentials monthly and handling write-intensive traffic with variable client connections, you can use AWS Secrets Manager and Amazon RDS Proxy.

AWS Secrets Manager for Credential Rotation:

Open the AWS Secrets Manager console at AWS Secrets Manager Console.

Store the database credentials as a new secret and configure automatic rotation for every 30 days.

AWS Secrets Manager will handle the rotation process and update the secret with new credentials.

Amazon RDS Proxy for Connection Management:

Open the Amazon RDS console at Amazon RDS Console.

Create an RDS Proxy for the PostgreSQL DB instance.

Configure the proxy to handle the connection pooling and manage the connections efficiently.

The proxy will help manage the database connections, reduce the overhead on the database, and improve performance during peak loads.

This solution ensures that database credentials are securely stored and rotated automatically while handling increased database connections effectively.

References:

AWS Secrets Manager

Using AWS Secrets Manager to Rotate Amazon RDS Database Credentials

Amazon RDS Proxy

The most efficient way to enable DNS resolution between the VPC and the on-premises environment is by configuring a Route 53 Resolver outbound endpoint.

Route 53 Resolver Outbound Endpoint: This enables the VPC to forward DNS queries to the on-premises DNS server, which can resolve internal hostnames.

Minimal Maintenance: This solution is scalable and requires minimal ongoing maintenance compared to manual entries or creating and managing a large number of DNS entries manually.

To resolve issues with high disk I/O during the bootstrap process:

Increase EBS Volume IOPS: Higher IOPS allows the EBS volume to handle more input/output operations per second, which is critical for high I/O demands like downloading large Docker images.

Increase EBS Volume Throughput: Boosting throughput allows for faster data transfer rates, which is useful when the workload requires sustained high data throughput during initialization.

Increasing the instance size or changing the instance type is not necessary if the root cause is related specifically to EBS performance. Nitro instances generally provide higher performance and are well-suited for high I/O tasks.

Split-tunnel routing allows you to specify that only the traffic destined for your VPC is routed through the VPN tunnel. All other internet traffic is routed through the user’s local network.

Steps:

Open the Client VPN Console:

Sign in to the AWS Management Console.

Open the Amazon VPC console.

Modify the Client VPN Endpoint:

Select the Client VPN endpoint.

Choose "Modify Client VPN endpoint".

Enable the "Split-tunnel" option.

Update Route Table:

Ensure that the route table associated with the Client VPN endpoint routes traffic destined for the VPC IP range to the appropriate target (e.g., VPC subnet).

This configuration ensures that only traffic destined for resources in the VPC is sent over the VPN tunnel, while other traffic uses the user’s local internet connection.

References:

Split-Tunnel VPN Routing

AWS Client VPN Documentation

Specifying the capacity-optimized allocation strategy for Spot Instances and adding more instance types to the Auto Scaling group is the best action to meet the requirements. Increasing the size of the instances in the Auto Scaling group will not necessarily help with the launch time or reduce interruptions, as the Spot Instances could still be interrupted even with larger instance sizes.

Since the EC2 instance is attempting to access the internet using HTTP (port 80) but is configured only to allow HTTPS (port 443) traffic, the security group needs adjustment:

Security Group Configuration: The outbound rules of the security group associated with the EC2 instance must allow traffic over HTTP. Add an outbound rule that enables port 80 to destination 0.0.0.0/0. This rule will allow the instance to send HTTP requests to any IP address on the internet.

Test Connectivity: After updating the security group, test the connectivity using the curl command again to ensure the configuration allows internet access via HTTP.

This change is necessary because the existing security group configuration does not permit outbound HTTP traffic, which is essential for accessing websites using HTTP.

Using AWS Systems Manager Distributor and State Manager is an automated and scalable solution for managing software installation across EC2 instances.

Systems Manager Distributor: Allows packaging and distributing the auditing software across multiple Regions.

State Manager Association: Automates software installation on both existing and new instances, ensuring consistent deployment across all managed instances.

Manually connecting to instances or using Lambda is not scalable or efficient for this type of ongoing software management.