SOA-C02 Exam Dumps - AWS Certified SysOps Administrator - Associate (SOA-C02)

To address the issue of an errant process consuming an entire processor and running at 100%, the SysOps administrator can automate the restarting of the instance using Amazon CloudWatch and AWS Systems Manager.

Enable Detailed Monitoring:

Ensure that detailed monitoring is enabled on the EC2 instance. Detailed monitoring provides data in 1-minute periods, which is crucial for detecting the 2-minute threshold accurately.

To ensure that database credentials are never stored in plaintext and the password is rotated every 30 days, use AWS Secrets Manager:

Store Credentials in Secrets Manager:

Open the AWS Secrets Manager console.

Click on "Store a new secret."

Select "RDS database credentials" and provide the necessary details (username, password, database instance).

Configure the secret's name and details.

Enable Automatic Rotation:

During the secret creation process, enable automatic rotation.

Specify an automatic rotation schedule of 30 days.

Choose the Lambda function that Secrets Manager will use to update the database password automatically.

Update Lambda Functions:

Update each Lambda function to retrieve the database password from Secrets Manager.

Use the AWS SDK in your Lambda code to access Secrets Manager and fetch the secret value.

References:

AWS Secrets Manager

Rotating AWS Secrets Manager Secrets

Retrieve Secrets from AWS Lambda

Using Amazon S3 Block Public Access as a centralized way to limit public access. Block Public Access settings override bucket policies and object permissions. Be sure to enable Block Public Access for all accounts and buckets that you don't want publicly accessible.

https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/#:~:text=Using%20Amazon%20S3%20Block%20 Public,don't%20want%20publicly%20accessible.

To prevent all teams within an AWS Organizations structure from using Amazon DynamoDB while allowing access to other AWS services, the most effective solution is to use a Service Control Policy (SCP). SCPs apply at the organization, organizational unit (OU), or account level and can override individual IAM policies, including the root user's permissions:

B: Create a service control policy (SCP) in the management account to deny all DynamoDB actions. Apply the SCP to the root of the organization. This policy will effectively block DynamoDB actions across all member accounts without affecting the ability to access other AWS services. SCPs are powerful tools for centrally managing permissions in AWS Organizations and can enforce policy compliance across all accounts. Further information on SCPs and their usage can be found in the AWS documentation on Service Control Policies AWS Service Control Policies.

Storing the credentials in AWS Secrets Manager and configuring automatic rotation with a rotation interval of 30 days is the most efficient way to meet the requirements with the least operational overhead. AWS Secrets Manager automatically rotates the credentials at the specified interval, so there is no need for an additional AWS Lambda function or manual rotation. Additionally, Secrets Manager is integrated with Amazon RDS, so the credentials can be easily used with the RDS database.

To address the performance issues of a CPU-heavy application running on a t2.large EC2 instance, the best course of action is to upgrade to a compute-optimized instance. Compute-optimized instances provide a higher ratio of CPU resources compared to memory, making them ideal for applications that require high CPU performance.

Upgrade to a Compute-Optimized Instance:

Identify a suitable compute-optimized instance type, such as the c5.large, which offers better CPU performance compared to the t2.large.

Stop the current EC2 instance and change the instance type to the chosen compute-optimized instance.

To view a list of security groups that are open to the internet on port 3389, the most appropriate tool is AWS Trusted Advisor.

AWS Trusted Advisor:

AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

It includes a security check that identifies security groups with unrestricted access.

Using Trusted Advisor:

Go to the AWS Trusted Advisor console.

In the "Security" category, look for the check that identifies security groups with unrestricted access.

Review the report to find security groups that allow unrestricted access on port 3389 (RDP).

References:

AWS Trusted Advisor

AWS Trusted Advisor Best Practices

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html