Amazon SOA-C02 Practice Test - Questions Answers, Page 28

In AWS CloudFormation, the PrivateDnsName property of an EC2 instance cannot be directly set within the template. This property is automatically assigned by AWS when the instance is launched within a VPC and is associated with the private IP address of the instance. The attempt to explicitly set PrivateDnsName in a CloudFormation template will result in an error, causing the stack creation to fail. Therefore, option C is correct. For reference, the AWS documentation on EC2 instances in CloudFormation does not list PrivateDnsName as a configurable property AWS CloudFormation User Guide.

The most operationally efficient and secure method to share an object from a private Amazon S3 bucket with users who do not have an AWS account is by generating a presigned URL. This URL grants temporary access to the object and can be limited by time, ensuring that users can only access the S3 object during a specified window. This does not require managing network configurations or sharing credentials, making it a secure and simple solution. Option D is therefore the correct answer. Reference to this method can be found in the AWS S3 documentation on presigned URLs Amazon S3 Presigned URLs.

For routing based on the user's geographic location to comply with data residency requirements, the best solution is to use Amazon Route 53 geolocation routing policy. This policy allows you to configure DNS responses based on the geographic location of the user, ensuring that requests are directed to specific AWS Regions that align with the company's data residency requirements. Option C is correct. The AWS Route 53 documentation provides details on implementing geolocation routing policies Amazon Route 53 Geolocation Routing.

The most operationally efficient way to monitor state changes in EC2 instances and notify the operations team is by using Amazon EventBridge. EventBridge can be configured with a rule that listens for state change events from EC2 instances. These events can then be directed to an Amazon Simple Notification Service (Amazon SNS) topic, which will distribute the notification to the relevant parties. This solution does not require deploying additional scripts or functions, thereby enhancing operational efficiency. Option B is correct. For more details, see the Amazon EventBridge documentation Amazon EventBridge.

# Enable instance scale-in protection for specific instance.

aws autoscaling set-instance-protection --instance-ids i-5f2e8a0d --auto-scaling-group-name my-asg --protected-from-scale-in

# Disable instance scale-in protection for the specified instance.

aws autoscaling set-instance-protection --instance-ids i-5f2e8a0d --auto-scaling-group-name my-asg --no-protected-from-scale-in

https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-protection.html

To ensure that EC2 instances in an Auto Scaling group are not interrupted during message processing, the most effective method is to implement scale-in protection for the instances while they are actively processing messages. This can be done programmatically by modifying the Auto Scaling group's settings using the Amazon EC2 Auto Scaling API.

Starting Message Processing: When an instance begins processing a message, your application should make an API call to enable scale-in protection. This is done using the SetInstanceProtection action, setting the ProtectedFromScaleIn parameter to true for that specific instance.

Completing Message Processing: Once the message has been processed, another API call should be made to disable scale-in protection. This is done by calling the SetInstanceProtection action again, but this time setting the ProtectedFromScaleIn parameter to false.

This method ensures that while messages are being processed, the instances are not terminated by the Auto Scaling group regardless of any scale-in activities that might be triggered by other parameters like CPU utilization or a decrease in the number of messages in the queue.

AWS Documentation

Reference: You can refer to the AWS documentation on managing instance scale-in protection in Auto Scaling groups for more details: Instance Scale-In Protection.

To effectively use Amazon CloudFront as a content delivery network for an application using an Application Load Balancer as the origin, several configuration steps need to be correctly implemented:

DNS Configuration: Ensure that the DNS records for the domain serving the content point to the CloudFront distribution's DNS name rather than directly to the ALB. If the DNS still points to the ALB, users' requests will bypass CloudFront, leading directly to the ALB and maintaining the existing load on your web servers.

TTL Settings: The Time to Live (TTL) settings in the CloudFront distribution dictate how long the content is cached in CloudFront edge locations before CloudFront fetches a fresh copy from the origin. If the TTL values are set to 0, it means that CloudFront does not cache the content at all, resulting in each user request being forwarded to the ALB, which does not reduce the load.

AWS Documentation

Reference: For more information on DNS and TTL configurations for CloudFront, you can refer to the following AWS documentation:

Configuring DNS

CloudFront TTL Settings.

When managing performance and cost for EC2 instances across different families, the following steps are recommended:

Utilize AWS Compute Optimizer: This service provides recommendations for EC2 instances based on historical usage patterns and existing configurations. It helps identify optimal EC2 instance types and sizes that could deliver better performance and cost savings for your specific workload.

Implement Compute Savings Plans: After determining the most suitable instance types and sizes through Compute Optimizer, purchasing Compute Savings Plans can offer significant cost savings. These savings plans apply to any instance family across any region, providing flexibility and cost efficiency without upfront commitment to specific instance types.

AWS Documentation

Reference: Further details can be found in the AWS documentation on Compute Optimizer and Compute Savings Plans:

AWS Compute Optimizer

AWS Compute Savings Plans.

To share an encrypted Amazon RDS DB instance snapshot across accounts, the least administrative overhead involves directly managing permissions on the AWS KMS key and sharing the snapshot. Here's how to do it:

Take a Snapshot: Initiate a snapshot of your Amazon RDS DB instance in the production account. This captures the current state of the database.

Modify KMS Key Policy: Adjust the policy of the KMS key used for encryption (identified by the alias 'production-rds-key') to grant the kms:Decrypt permission to the migration account's root user. This step is crucial as it allows the migration account to use the same encryption key to decrypt the snapshot.

Share the Snapshot: Share the newly created snapshot with the migration account using the RDS console or AWS CLI. The migration account will now be able to see and use this snapshot to create a new RDS instance.

AWS Documentation

Reference: You can refer to the AWS documentation on sharing encrypted snapshots: Sharing Encrypted Snapshots.

To resolve DNS across VPCs in different accounts, you should:

Authorization: In Account B, initiate a VPC association authorization for the private hosted zone. This action allows another AWS account to associate a VPC with this hosted zone.

Association: In Account A, after receiving the authorization from Account B, associate its VPC with the private hosted zone that exists in Account B. This step will enable EC2 instances within the VPC in Account A to resolve DNS records hosted in Account B.

AWS Documentation

Reference: AWS provides detailed guidance on associating VPCs with private hosted zones across accounts in their documentation: Associating VPCs and Private Hosted Zones Across Accounts.