Amazon SOA-C02 Practice Test - Questions Answers, Page 42

Using a Systems Manager Automation runbook is appropriate for managing security group rules within the AWS Config remediation framework. A runbook provides a reusable, automated solution that can update the security group rule based on an IP list.

Automation Runbook for Security Group Updates: A runbook can automate security group modifications, such as adding the trusted IP addresses specified by the business units.

AWS Config Integration: Config rules can be set to use this runbook for automatic remediation, ensuring that the rule is updated without deleting it, which aligns with the requirement for SSH access from specific IPs.

Lambda functions could work but would require additional customization and complexity, making the runbook a more manageable and scalable solution for this task.

The MixedInstancesPolicy feature in Auto Scaling groups allows for the configuration of both On-Demand and Spot Instances within a single Auto Scaling group, balancing cost savings and high availability:

MixedInstancesPolicy: Enables configuration to maintain a minimum of three On-Demand Instances and add Spot Instances when prices drop, without the need to create separate launch templates.

Setting Maximum Spot Price: Ensures that additional Spot Instances are launched only when within the defined budget.

This solution offers the least management overhead, as it combines both On-Demand and Spot instances seamlessly in one configuration.

To prevent accounts from leaving an AWS Organization, an SCP that denies the LeaveOrganization action should be applied to the root organizational unit (OU).

Service Control Policy (SCP): By denying LeaveOrganization, member accounts are restricted from leaving the organization.

Root OU Application: Applying this policy at the root level ensures that no account in the organization can bypass it.

The RemoveAccountFromOrganization action pertains to removing an account by the organization's management account rather than preventing member accounts from leaving. AWS Config's account-part-of-organizations rule does not enforce this restriction but only monitors it.

Using ALB health checks in the Auto Scaling group will provide more accurate health monitoring and replace instances if they are unhealthy.

ALB Health Checks: Configure health checks based on HTTP response codes, which will detect application-level issues causing the HTTP 500 errors and replace instances as needed.

EC2 vs. ALB Health Checks: EC2 status checks only verify instance hardware and OS, not the application's responsiveness. By using ALB health checks, Auto Scaling can remove instances that are failing at the application level, thus preventing users from receiving 500 errors.

Replacing the ALB with a Network Load Balancer does not address HTTP 500 errors, and enabling session affinity does not resolve application health issues. The CloudWatch agent would not provide the required health check functionality for automated instance replacement.

Modifying the DB instance to a Multi-AZ deployment is the recommended solution for failover and high availability in RDS. Multi-AZ RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone, allowing automatic failover in case of an instance or Availability Zone failure.

Multi-AZ Deployment: Provides resilience with automatic failover and minimizes application downtime.

No Application Changes Needed: Multi-AZ is managed by AWS, so the failover is transparent to the application.

Read replicas and Auto Scaling groups do not provide automatic failover for write operations, and RDS Proxy only improves connection management rather than high availability.

Enabling consolidated control findings in Security Hub reduces duplication by merging findings for similar controls across multiple standards. This reduces the operational burden of prioritizing remediation based on multiple copies of the same findings.

Consolidated Control Findings: Merges findings for controls across standards to avoid duplicates, providing a clearer view of misconfigurations without the need for additional infrastructure or manual processing.

Least Operational Overhead: This solution is managed within Security Hub without the need for external tools or manual exports.

Using AWS Config aggregators, QuickSight visualization, or custom EC2-based solutions would introduce additional complexity and overhead.

To allow CloudFormation templates in all accounts within the organization to reference the latest AMI ID:

Parameter Store in Standard Tier: Storing the AMI ID in Systems Manager Parameter Store provides a central and easy-to-update source.

Enable Resource Sharing with Organizations: This allows the parameter to be shared across accounts in the organization.

Resource Share in AWS RAM: AWS Resource Access Manager (RAM) can be used to share the parameter with the entire organization, allowing other accounts to access the AMI ID.

Using the standard tier in Parameter Store is sufficient, and an EventBridge rule with Lambda for updating AMIs would add unnecessary complexity.

To improve security and availability, the best approach is to configure Multi-AZ for both the web and database tiers.

Multi-AZ Auto Scaling for Web Tier: Deploying the web-tier instances in an Auto Scaling group across multiple AZs with an internet-facing ALB provides high availability and fault tolerance.

RDS Multi-AZ for SQL Server: Migrating the SQL Server to RDS with Multi-AZ deployment ensures database redundancy and failover without additional management overhead.

Placing the web tier in multiple Regions would add unnecessary complexity, and migrating the database to DynamoDB is not suitable for applications requiring SQL Server's relational capabilities.

Using a Route 53 Resolver outbound endpoint allows DNS queries for on-premises hosts to be forwarded to the on-premises DNS server over the Direct Connect connection, minimizing maintenance and automating name resolution without the need for manual entry or file management.