Scenario: A user deleted some data in an Amazon EBS volume and there is a recent snapshot.
Solution: Create a new EBS volume from the snapshot, attach it to an instance, and copy the deleted files across.

Scenario: An EBS volume runs out of space and you need to prevent it from happening again.
Solution: Use the CloudWatch agent on EC2 to monitor disk metrics and set a CloudWatch alarm on them.

Scenario: Low-latency access is required for image files in an office location, with synchronized backup to an offsite location. Local access and disaster recovery are both required.
Solution: Use an AWS Storage Gateway volume gateway configured as a stored volume.

Scenario: EBS volume capacity has been increased, but the extra space is not visible.
Solution: Extend the volume's file system to gain access to the extra space.

Scenario: Need to replace user shared drives. Must support POSIX permissions and the NFS protocol, and be accessible from on-premises servers and EC2.
Solution: Use Amazon EFS.

Scenario: An application running on EC2 needs login credentials for a database that are stored as SecureString parameters in SSM Parameter Store.
Solution: Create an IAM role for the instance and grant it permission to read the parameters.

Scenario: Linux instances are patched with Systems Manager Patch Manager. The application slows down whilst updates are happening.
Solution: Change the maintenance window to patch 10% of the instances in the patch group at a time.

Scenario: A custom Linux AMI is used with AWS Systems Manager. The instances cannot be found in the Session Manager console.
Solution: Add the required permissions to the instance profile and install the SSM agent on the instances.

Scenario: Multiple environments require authentication credentials for an external service. They are deployed using CloudFormation.
Solution: Store the credentials in SSM Parameter Store and pass an environment tag as a parameter in the CloudFormation template.

Scenario: IAM access keys are used to manage EC2 instances with the CLI. Company policy mandates that access keys are automatically disabled after 60 days.
Solution: Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation.

Scenario: Need to review updates to an AWS CloudFormation stack before deploying them in production.
Solution: Use change sets.

Scenario: A stack was deployed and manual changes were made. Need to capture the changes and update the template.
Solution: Use drift detection, use its output to update the template, and redeploy the stack.

Scenario: Need to deploy a new version of an application on EC2 behind an ALB. Must avoid DNS changes and be able to roll back.
Solution: Update the template with an AutoScalingReplacingUpdate policy and perform a stack update.

Scenario: Need to write a single template that can be deployed across several environments or Regions.
Solution: Use parameters to enter custom values and use the Ref intrinsic function to reference each parameter.

Scenario: Tried to launch an instance in a different Region from a working template and it fails.
Solution: Probably due to an incorrect AMI ID (AMI IDs are Region-specific).

Scenario: Need to identify the instances that are generating the most traffic through a NAT gateway.
Solution: Enable VPC Flow Logs on the NAT gateway ENI and use CloudWatch Logs Insights to filter based on source IP address.

Scenario: Latency on a NAT instance has increased; need a solution that scales with demand cost-effectively.
Solution: Swap it for a NAT gateway.

Scenario: A NAT gateway is NOT highly available across AZs, only within an AZ.
Solution: Use multiple NAT gateways (one per AZ) for HA across AZs.

Scenario: A NAT instance is deployed but not working.
Solution: Make sure to disable source/destination checks on the instance.

Scenario: Need to enable access to S3 without the instances using public IP addresses.
Solution: Use a NAT gateway or a VPC endpoint.

Scenario: Use Route 53 to route traffic based on health checks: 2xx responses go to the primary, other responses to the secondary.
Solution: Create an A record for each server and an HTTP health check.

Scenario: A Route 53 health check uses string matching for "/html". The alert shows the health check fails.
Solution: The search string must appear entirely within the first 5,120 bytes of the response body.

Scenario: Need to make a website promotion visible to users from a specific country only.
Solution: Use a Route 53 geolocation routing policy.

Scenario: A new website runs on EC2 behind an ALB. Need to create a record in Route 53 that points the domain apex (e.g. example.com) to it.
Solution: Use an alias record.

Scenario: The hosted zone is in Account A and the ALB is in Account B. Need the most cost-effective and efficient solution for pointing to the ALB.
Solution: Create an alias record in Account A that points to the ALB in Account B.

Scenario: Static website on Amazon S3 with a custom domain name setup.
Solution: Requires that the bucket name matches the DNS name/record set name in Route 53.

Scenario: 503 errors experienced with a new site and thousands of users.
Solution: The request rate is too high.

Scenario: Discrepancy between the number of objects shown in the bucket console vs. CloudWatch.
Solution: Use Amazon S3 Inventory to properly determine the number of objects in a bucket.

Scenario: Need to enforce encryption on all objects uploaded to a bucket.
Solution: Use a bucket policy with a "Condition": { "Bool": { "aws:SecureTransport": "false" statement for PutObject, with the resource set to the bucket.

Scenario: Unauthorized users tried to connect to S3 buckets. Need to know which buckets are targeted and who is trying to get access.
Solution: Use S3 server access logs and Athena to query for HTTP 403 errors and look for the IAM user or role making the requests.

Scenario: An automated failover of a Multi-AZ DB occurred.
Solution: This may be due to a storage failure on the primary DB, OR the instance type could have been changed.

Scenario: Need to encrypt an unencrypted RDS database.
Solution: Take a snapshot, encrypt it, then restore a new encrypted instance from the snapshot.

Scenario: RDS DB query latency is high and CPU utilization is at 100%.
Solution: Scale up with a larger instance type.

Scenario: Need to share RDS DB snapshots across different accounts. The data must be encrypted.
Solution: Use an AWS KMS key for encryption, update the key policy to grant the other accounts access, then share the snapshot.

Scenario: A DB needs to be made HA to protect against failure. Updates cannot impact users during business hours.
Solution: Change to Multi-AZ outside of business hours.

Scenario: Audit requests to AWS Organizations for creating new accounts by federated users.
Solution: Use CloudTrail and look for the federated identity user name.

Scenario: Employees have created individual AWS accounts that are not under central control. The security team needs them in AWS Organizations.
Solution: Send each account an invitation from the central organization.

Scenario: Need to restrict the ability to launch specific instance types for a specific team/account.
Solution: Use an AWS Organizations SCP to deny launches unless the instance type is T2. Create an IAM group in the account granting access to the T2 instances for the relevant users.

Scenario: Need to test the notification settings for a CloudWatch alarm with SNS.
Solution: Use the set-alarm-state CLI command to test.

Scenario: Need to automatically disable access keys that are older than 90 days.
Solution: Use an AWS Config rule to identify noncompliant keys and use Systems Manager Automation to remediate.

Scenario: The company wishes to force users to change their passwords regularly.
Solution: Create an IAM password policy and enable password expiration.

Scenario: Need to restrict access to a bucket based on a source IP range.
Solution: Use a bucket policy with a "Condition": "NotIpAddress": statement.

Scenario: Need to control access to a group of EC2 instances with specific tags.
Solution: Use an IAM policy with a condition element granting access based on the tag. Attach the IAM policy to the users or groups that require access.

Scenario: An IAM policy for an SQS queue allows too much access. Who is responsible for correcting the issue?
Solution: According to the AWS shared responsibility model, this is a customer responsibility.

Scenario: Data is encrypted with AWS KMS customer-managed CMKs. Need to enable rotation while ensuring the data remains readable.
Solution: Just enable key rotation in AWS KMS for the CMK (the backing key is rotated, the data key is not changed).