[Monitoring, Reporting, and Automation]
A company is using an Amazon EC2 instance to inspect inbound traffic. The EC2 instance runs Amazon Linux and has the Amazon CloudWatch agent installed and configured.
The company needs to ingest metrics and logs from the EC2 instance into CloudWatch. The company also needs to receive notification when a specific number of errors occur for rejected web management requests. Which combination of steps will meet these requirements with the MOST operational efficiency? (Select TWO.)
Answer : C, E
C: Ensures logs are ingested into CloudWatch from EC2 via the CloudWatch agent.
E: Allows creation of metric filters and alarms based on log patterns (e.g., 'rejected web requests').
From CloudWatch Logs & Alarms documentation:
You can extract metric data from log events using metric filters and then create CloudWatch alarms based on these filters.
This is the most efficient and least operational overhead solution.
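As an added illustration (not code from the original page), the metric filter and alarm that turn rejected web-management log lines into a notification, with the filter replayed locally over constructed sample events; the log group, namespace, threshold and SNS topic ARN are assumptions:

```python
# Added example (not from the original page): the metric filter and alarm that
# turn "rejected web management request" log lines into a notification, plus a
# local replay of the filter over constructed log lines. Log group, namespace,
# threshold and SNS topic ARN are assumptions.
LOG_GROUP = "/inspector/webmgmt"                 # assumed agent log group
FILTER_TERMS = ("WEBMGMT", "REJECTED")            # every term must occur in a line
THRESHOLD = 5                                     # assumed error count that notifies
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:ops-alerts"   # placeholder

def metric_filter_params():
    """Keyword arguments for boto3 logs.put_metric_filter()."""
    return {
        "logGroupName": LOG_GROUP,
        "filterName": "rejected-web-management",
        "filterPattern": " ".join(FILTER_TERMS),  # space-separated terms = AND
        "metricTransformations": [{
            "metricName": "RejectedWebManagementRequests",
            "metricNamespace": "Inspector/WebMgmt",
            "metricValue": "1",   # each matching event counts once
            "defaultValue": 0,    # publish 0 when nothing matches
        }],
    }

def alarm_params():
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm()."""
    return {
        "AlarmName": "RejectedWebManagementRequests-High",
        "Namespace": "Inspector/WebMgmt",
        "MetricName": "RejectedWebManagementRequests",
        "Statistic": "Sum",
        "Period": 300,                 # count errors per 5-minute window
        "EvaluationPeriods": 1,
        "Threshold": THRESHOLD,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [SNS_TOPIC_ARN],
    }

def matches(line):
    """Local replica of the term filter: every term must appear in the event."""
    return all(term in line for term in FILTER_TERMS)

def would_alarm(lines):
    """Replay one period of events through the filter and the alarm rule."""
    count = sum(1 for line in lines if matches(line))
    return count, count >= THRESHOLD

# Constructed sample events for one 5-minute period.
SAMPLE_LINES = ["WEBMGMT REJECTED src=198.51.100.7 path=/admin reason=unauthenticated"] * 5
SAMPLE_LINES += ["WEBMGMT ACCEPTED src=10.0.0.5 path=/admin", "HTTP REJECTED src=198.51.100.9 path=/"]
```

The two dicts are passed unchanged to the boto3 calls named in their docstrings; would_alarm() shows that only events carrying both terms count toward the threshold.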
[Monitoring, Reporting, and Automation]
A company needs to ensure strict adherence to a budget for 25 applications deployed on AWS. Separate teams are responsible for storage, compute, and database costs. A SysOps administrator must implement an automated solution to alert each team when their projected spend will exceed a quarterly amount that has been set by the finance department. The solution cannot incur additional compute, storage, or database costs.
Answer : D
AWS Budgets allows you to set custom cost and usage budgets that alert you when you exceed your thresholds. This feature helps teams to monitor their spending and ensure it aligns with the set budget.
Steps:
Open AWS Budgets:
Sign in to the AWS Management Console.
Open the AWS Budgets dashboard.
Create a New Budget:
Click on 'Create a budget'.
Select 'Cost budget' and click 'Next'.
Set Budget Details:
Enter a unique name for the budget.
Define the period (e.g., quarterly) and start date.
Set the budgeted amount as specified by the finance department.
Define Filters:
Use the filters to select the specific services each team is responsible for (e.g., storage, compute, database).
Set Alerts:
Specify the threshold for forecasted cost that will trigger an alert (e.g., 80% of the budget).
Enter the email addresses of the recipients (the respective teams).
Review and Create:
Review the configuration and click 'Create budget'.
By setting up individual budgets for each team and filtering by services, you can ensure that each team is alerted when their projected spend approaches the threshold. This method does not incur additional compute, storage, or database costs.
References: AWS Budgets; Creating an AWS Budget
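The per-team budgets described above, as an added example (not the page's own code) in the shape boto3's budgets.create_budget() takes, plus a check that every billed service is owned by some team; team names, amounts, e-mail addresses and service names are assumptions:

```python
# Added example (not from the original page): one AWS Budgets cost budget per
# team, filtered to that team's services and wired to a FORECASTED alert, in the
# shape boto3's budgets.create_budget() takes. Team names, amounts, e-mail
# addresses and the service names are assumptions; confirm service names against
# the values Cost Explorer shows for your account.
TEAMS = {
    "storage": {"services": ["Amazon Simple Storage Service"],
                "limit": "12000", "email": "storage-team@example.com"},
    "compute": {"services": ["Amazon Elastic Compute Cloud - Compute"],
                "limit": "30000", "email": "compute-team@example.com"},
    "database": {"services": ["Amazon Relational Database Service", "Amazon DynamoDB"],
                 "limit": "9000", "email": "database-team@example.com"},
}

def budget_request(team, cfg, account_id="111122223333", alert_pct=80):
    """Keyword arguments for budgets.create_budget(): a quarterly cost budget whose
    alert fires on the forecast, before the money is actually spent."""
    return {
        "AccountId": account_id,   # placeholder account id
        "Budget": {
            "BudgetName": f"{team}-quarterly",
            "BudgetType": "COST",
            "TimeUnit": "QUARTERLY",
            "BudgetLimit": {"Amount": cfg["limit"], "Unit": "USD"},
            "CostFilters": {"Service": cfg["services"]},   # scope to the team's services
        },
        "NotificationsWithSubscribers": [{
            "Notification": {
                "NotificationType": "FORECASTED",    # projected, not ACTUAL, spend
                "ComparisonOperator": "GREATER_THAN",
                "Threshold": alert_pct,
                "ThresholdType": "PERCENTAGE",
            },
            "Subscribers": [{"SubscriptionType": "EMAIL", "Address": cfg["email"]}],
        }],
    }

def all_budget_requests():
    return [budget_request(team, cfg) for team, cfg in TEAMS.items()]

def unowned_services(billed_services):
    """Services on the bill that fall under no team budget: their spend would
    never trigger an alert, so assign them before go-live."""
    owned = {s for cfg in TEAMS.values() for s in cfg["services"]}
    return sorted(set(billed_services) - owned)
```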
[Networking and Content Delivery]
While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.
What address should be used to create the customer gateway resource?
Answer : D
When setting up an AWS managed VPN connection and creating a customer gateway resource, if the customer gateway device resides behind a NAT device, you should use the public IP address of the NAT device. This is because the VPN connection from AWS will be established to the public IP address that AWS can reach.
Identify the Public IP Address of the NAT Device:
Determine the public IP address assigned to the NAT device in front of the customer gateway.
Create Customer Gateway Resource:
Navigate to the VPC console in the AWS Management Console.
In the navigation pane, choose 'Customer Gateways' and then click 'Create Customer Gateway'.
Enter a name for the customer gateway.
For the 'IP Address', enter the public IP address of the NAT device.
Configure VPN Connection:
Create a VPN connection by navigating to the 'VPN Connections' section and clicking 'Create VPN Connection'.
Select the created customer gateway and complete the VPN setup wizard.
Update Routing and Configuration:
Ensure that the routing configurations on both the AWS side and the on-premises side are updated to route traffic through the VPN connection.
Configure the customer gateway device (behind the NAT) to accept traffic from the NAT device and route it appropriately.
References: AWS Managed VPN Connections; Customer Gateway Resource
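As an added example (not from the original page), a pre-flight check that the address given to the customer gateway resource is one AWS can actually reach, followed by the boto3 ec2.create_customer_gateway() arguments; the addresses and ASN are assumptions:

```python
# Added example (not from the original page): checks the address chosen for the
# customer gateway resource and builds the boto3 ec2.create_customer_gateway()
# arguments. The device is behind NAT, so the address must be the NAT device's
# public IP; its own RFC 1918 address is unreachable from AWS. Addresses and the
# ASN are assumptions (203.0.113.0/24 is a documentation range used as a stand-in).
import ipaddress

# Ranges AWS cannot reach as a VPN peer; a device behind NAT usually has one of these.
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

def customer_gateway_params(peer_ip, bgp_asn=65000):
    """Keyword arguments for ec2.create_customer_gateway(), or ValueError when
    peer_ip is not a public IPv4 address (i.e. the device's private address was
    used instead of the NAT device's public address)."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version != 4 or addr.is_multicast or addr.is_reserved \
            or any(addr in net for net in UNREACHABLE):
        raise ValueError(f"{peer_ip} is not reachable from AWS; "
                         "use the public IP of the NAT device in front of the gateway")
    # NAT traversal: the NAT device must forward UDP 500 and UDP 4500 to the gateway.
    return {"Type": "ipsec.1", "PublicIp": str(addr), "BgpAsn": bgp_asn}

def is_usable_peer(peer_ip):
    """True when peer_ip passes the reachability check above."""
    try:
        customer_gateway_params(peer_ip)
        return True
    except ValueError:
        return False
```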
[Monitoring, Reporting, and Automation]
A company has implemented a data ingestion pipeline to process files in the form of messages. A frontend application accepts user input and stores the input in Amazon S3. A backend application uses Amazon EC2 instances to process the object that was uploaded to Amazon S3. The company recently experienced a significant increase in customer traffic. The frontend application is now sending more messages at one time than the backend application can handle, resulting in some lost messages.
Which action will resolve this problem with the LEAST operational effort?
Answer : D
This is a classic decoupling scenario --- SQS is used to buffer requests between frontend (producer) and backend (consumer) to handle sudden traffic spikes.
From SQS documentation:
SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
This approach ensures messages are not lost and the backend can process at its own pace.
[Monitoring, Reporting, and Automation]
An application runs on multiple Amazon EC2 instances in an Auto Scaling group. The Auto Scaling group is configured to use the latest version of a launch template. A SysOps administrator must devise a solution that centrally manages the application logs and retains the logs for no more than 90 days.
Which solution will meet these requirements?
Answer : C
To centrally manage application logs and retain them for no more than 90 days, you can use the Amazon CloudWatch Logs agent to send logs to a CloudWatch log group and configure the log group's retention period.
Update the Launch Template User Data:
Navigate to the EC2 console.
Select the launch template used by the Auto Scaling group.
Edit the launch template to include the following user data script:
#!/bin/bash
yum update -y
yum install -y awslogs
cat <<EOF > /etc/awslogs/awslogs.conf
[general]
state_file = /var/lib/awslogs/agent-state
[/var/log/messages]
file = /var/log/messages
log_group_name = /my-log-group
log_stream_name = {instance_id}/messages
datetime_format = %b %d %H:%M:%S
[/var/log/secure]
file = /var/log/secure
log_group_name = /my-log-group
log_stream_name = {instance_id}/secure
datetime_format = %b %d %H:%M:%S
EOF
systemctl start awslogsd
systemctl enable awslogsd
Replace /my-log-group with the name of your CloudWatch log group.
Configure the Log Group Retention Period:
Navigate to the CloudWatch console.
In the navigation pane, choose 'Logs'.
Select the log group created by the CloudWatch Logs agent.
Click on 'Actions' and then 'Edit retention settings'.
Set the retention period to 90 days.
Verify the Configuration:
Ensure that logs from the EC2 instances are being sent to the CloudWatch log group.
Verify that the log group's retention period is correctly set to 90 days.
References: Amazon CloudWatch Logs Agent; Setting Log Retention in CloudWatch
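As an added example (not from the original page), a check that pairs the agent configuration above with the retention step: it reads an awslogs.conf, collects every log group the agent ships to, and builds the logs.put_retention_policy() call for each, rounding down to a value the API accepts so no group ever keeps data past 90 days. The embedded configuration is the page's own, used here as sample input:

```python
# Added example (not from the original page): reads an awslogs.conf like the one
# in the user data above, collects every log group it ships to, and produces the
# logs.put_retention_policy() arguments for each so no group keeps data past 90 days.
# The configuration text is the page's, embedded here as sample input.
import configparser

# Only these values are accepted by PutRetentionPolicy (retentionInDays).
VALID_RETENTION_DAYS = (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400,
                        545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)

SAMPLE_CONF = """\
[general]
state_file = /var/lib/awslogs/agent-state
[/var/log/messages]
file = /var/log/messages
log_group_name = /my-log-group
log_stream_name = {instance_id}/messages
datetime_format = %b %d %H:%M:%S
[/var/log/secure]
file = /var/log/secure
log_group_name = /my-log-group
log_stream_name = {instance_id}/secure
datetime_format = %b %d %H:%M:%S
"""

def log_groups_in(conf_text):
    """Distinct log_group_name values across the agent's file sections."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %b %d literal
    parser.read_string(conf_text)
    groups = {parser[s]["log_group_name"] for s in parser.sections()
              if s != "general" and "log_group_name" in parser[s]}
    return sorted(groups)

def retention_requests(conf_text, max_days=90):
    """One put_retention_policy() argument set per log group. Retention is rounded
    down to the nearest value the API accepts so it never exceeds max_days."""
    days = max(d for d in VALID_RETENTION_DAYS if d <= max_days)
    return [{"logGroupName": g, "retentionInDays": days} for g in log_groups_in(conf_text)]
```

A log group with no retention policy keeps events forever, so running this against the agent configuration after every launch template change catches a newly added group that the 90-day limit was never applied to.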
[Cost and Performance Optimization]
A team of developers is using several Amazon S3 buckets as centralized repositories. Users across the world upload large sets of files to these repositories. The development team's applications later process these files.
A SysOps administrator sets up a new S3 bucket, DOC-EXAMPLE-BUCKET, to support a new workload. The new S3 bucket also receives regular uploads of large sets of files from users worldwide. When the new S3 bucket is put into production, the upload performance from certain geographic areas is lower than the upload performance that the existing S3 buckets provide.
What should the SysOps administrator do to remediate this issue?
Answer : C
For improving upload performance globally for an Amazon S3 bucket, enabling S3 Transfer Acceleration is the best solution. This service optimizes file transfers to S3 using Amazon CloudFront's globally distributed edge locations. After enabling this feature, uploads to the S3 bucket are first routed to an AWS edge location and then transferred to S3 over an optimized network path. Option C is correct, and the developers should use the provided accelerate endpoint in their API calls. For more details, consult the AWS documentation on Amazon S3 Transfer Acceleration.
[Security and Compliance]
A SysOps administrator receives an alert from Amazon GuardDuty about suspicious network activity on an Amazon EC2 instance. The GuardDuty finding lists a new external IP address as a traffic destination. The SysOps administrator does not recognize the external IP address. The SysOps administrator must block traffic to the external IP address that GuardDuty identified.
Which solution will meet this requirement?
Answer : C
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
To block traffic to the external IP address identified by Amazon GuardDuty, the SysOps administrator should create a network ACL and add an outbound deny rule for traffic to the external IP address.
Network ACL:
Network ACLs (Access Control Lists) are stateless and operate at the subnet level. They can allow or deny specific inbound and outbound traffic based on rules.
Steps to Implement:
Go to the VPC console and select the network ACL associated with the subnet containing the EC2 instance.
Add an outbound rule to deny traffic to the external IP address provided by GuardDuty.
Give the deny rule a lower rule number than the existing allow rule (for example, the default rule 100 that allows all outbound traffic): network ACL rules are evaluated in ascending rule-number order and the first matching rule is applied, so a deny placed after a broader allow never takes effect.
References: Network ACLs; GuardDuty Documentation
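As an added example (not from the original page), a model of the stateless, ordered evaluation of a network ACL that shows why the outbound deny for the reported address must carry a lower rule number than the subnet's existing allow-all rule; the ACL id, rule numbers and addresses are assumptions:

```python
# Added example (not from the original page): models the stateless, ordered
# evaluation of a network ACL to show why the outbound deny for the address in
# the GuardDuty finding must carry a lower rule number than the subnet's
# existing allow-all rule. The ACL id, rule numbers and addresses are assumptions
# (203.0.113.0/24 is a documentation range standing in for the reported IP).
import ipaddress

# Assumed default outbound entries of the subnet's network ACL; the '*' catch-all
# rule is reported by the API as rule number 32767.
EXISTING_EGRESS = [
    {"RuleNumber": 100,   "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",  "CidrBlock": "0.0.0.0/0"},
]

def deny_entry(suspect_ip, rule_number, acl_id="acl-EXAMPLE"):
    """Keyword arguments for ec2.create_network_acl_entry(): egress deny of one host."""
    return {
        "NetworkAclId": acl_id,            # placeholder; use the subnet's ACL id
        "RuleNumber": rule_number,
        "Protocol": "-1",                  # all protocols
        "RuleAction": "deny",
        "Egress": True,
        "CidrBlock": f"{ipaddress.ip_address(suspect_ip)}/32",
    }

def evaluate(entries, dest_ip):
    """First entry (ascending rule number) whose CIDR matches decides the packet."""
    dest = ipaddress.ip_address(dest_ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if dest in ipaddress.ip_network(entry["CidrBlock"]):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None   # no match: implicit deny

def outcome_with_deny(suspect_ip, rule_number, dest_ip):
    """Outbound verdict for dest_ip once the deny entry has been added to the ACL."""
    new = deny_entry(suspect_ip, rule_number)
    acl = EXISTING_EGRESS + [{k: new[k] for k in ("RuleNumber", "Protocol", "RuleAction", "CidrBlock")}]
    return evaluate(acl, dest_ip)
```

Placing the deny at rule 50 blocks the address; placing it at 150 leaves rule 100 matching first and the block never takes effect, which is the mistake a console-only change most often makes.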