Whizlabs Section Exams


As an AWS administrator for a company that has AWS infrastructure in two regions, you are involved in architecting a web application environment. There is a requirement to monitor API calls so that auditing the environment for compliance is easy and follows strict security compliance requirements; the logs must also be encrypted. Which of the following would help to achieve this?

AWS CloudTrail logs. AWS CloudTrail helps monitor all the API calls in your AWS account, is used for compliance purposes, and supports multi-region configuration. By default, AWS automatically encrypts the CloudTrail logs stored in the S3 bucket using Amazon S3 server-side encryption.

You are working as a SysOps administrator for a global IT firm with IT infrastructure spread across multiple regions. A separate AWS account is created for each business vertical. The operations director wants a consolidated report of resource counts and compliance in all accounts across all regions. Which of the following can be used to achieve this requirement?

AWS Config Aggregated view. The Aggregated view displays the configuration data of AWS resources and provides an overview of your rules and their compliance state. It provides the total count of AWS resources, with resource types and source accounts ranked by the highest number of resources. It also provides a count of compliant and noncompliant rules.

You are working as a SysOps architect with a financial company. You have a finance application on EC2 instances behind an Application Load Balancer. A third-party audit is scheduled for next month. As a prerequisite, the auditors require a complete daily report of configuration changes on the EC2 servers, whether or not changes were made to these servers. Which of the following can be configured to meet this requirement?

AWS Config periodic rule with a frequency of 24 hours. A periodic rule can be configured for this requirement. A periodic rule is triggered at a specified frequency. Available frequencies are 1, 3, 6, 12 or 24 hours.

You are working as a SysOps admin for an HR firm. They store resumes of all prospective candidates in an S3 bucket, with a separate bucket created for each candidate's domain. The HR head is concerned about policy violations that may grant public read or write access to these S3 buckets. He wants a tool to monitor all these buckets and rectify any violations. Which of the following may be used to achieve this? Select four options.

AWS Config. AWS Lambda. AWS Trusted Advisor. AWS CloudWatch Events. AWS Config can be used to monitor Amazon Simple Storage Service (S3) bucket ACLs and policies for violations that allow public read or public write access. If AWS Config finds a policy violation, it can trigger an Amazon CloudWatch Events rule, which in turn triggers an AWS Lambda function that corrects the S3 bucket ACL. The steps to enable this are: first, enable AWS Config to monitor Amazon S3 bucket ACLs and policies for compliance violations; second, create and configure a CloudWatch Events rule that triggers the Lambda function when AWS Config detects an S3 bucket ACL or policy violation; third, create a Lambda function that uses an IAM role to review S3 bucket ACLs and policies, correct the ACLs, and notify your team of out-of-compliance policies. AWS Trusted Advisor checks buckets in Amazon S3 that have open access permissions. Bucket permissions that grant List access to everyone can result in higher than expected charges if objects in the bucket are listed by unintended users at a high frequency. AWS Trusted Advisor examines explicit bucket permissions and associated bucket policies.

You are an AWS admin for an organization. According to the renewed company policy, SSH port 22 is not supposed to be open to anyone, since the new policy requires all administrator activities to be performed using AWS Systems Manager. However, you have received a notification that SSH port 22 has been opened in a security group. Your boss wants you to find out who is responsible for this. Which two services will help provide a detailed report of who made the change and when?

AWS CloudTrail and AWS Config. AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. The main objective of CloudTrail is to monitor API calls. AWS Config, in general, helps keep track of the activities in your account: it tracks configuration changes and compliance rules, and you are also able to view when changes were made and what those changes were. The question requires a service that tracks the history of configuration changes and a service that gives visibility into which team member disobeyed the company's policy. This can be done by auditing all of the company's AWS account operations and configuration history. From the above explanation, option D satisfies the question's requirement.

A company has an e-commerce website hosted on an Amazon EC2 instance. They recently started using CloudFront to help reduce latency while accessing the site and improve user experience. In the solution, an origin access identity was enabled. They need to identify the most-bought item on the site in order to keep track of stock levels for that commodity. How can this be achieved easily?

Access the CloudFront popular objects report. CloudFront provides reports that help you understand its activity. In this question in particular, the report that will help identify the most popular item is the CloudFront popular objects report. It gives the list of the most popular objects along with statistics.

An AWS user has set up an Auto Scaling group associated with an Elastic Load Balancer. The client checks the HealthyHostCount and UnHealthyHostCount metrics in CloudWatch, which are automatically provisioned when you launch an Elastic Load Balancer. The CloudWatch metrics for the ELB indicate that there are no healthy hosts. Further, the AWS user noted that the ELB health check showed the instances were unhealthy. However, the Auto Scaling group does not terminate these instances. You are approached to give a solution to this tricky situation. As an AWS admin, what advice would you give the AWS user to solve this problem?

Ask the AWS user to check the health check type used for the Auto Scaling group and to verify that the ELB security group settings are set correctly. There are two different health check types. EC2 health checks: these watch for instance availability from the hypervisor and networking point of view. For example, in the case of a hardware problem, the check will fail. Also, if an instance was configured and doesn't respond to network requests, it will be marked as faulty. The two types of EC2 status checks are System Status checks and Instance Status checks. ELB health checks: these are a little smarter and verify that the actual application works instead of verifying only that the instance works. In this case, to integrate the Auto Scaling group with the Elastic Load Balancer and make sure that the Auto Scaling group performs its processes based on ELB health checks, you have to change the health check type of the ASG to ELB when provisioning. NB: When you set up the Elastic Load Balancer, you usually set the ping target, which consists of the ELB listener protocol, e.g. HTTP. You have to set the security groups for the EC2 servers behind the load balancer to allow inbound traffic for the listener protocol, e.g. HTTP or HTTPS. Bonus points: CloudWatch metrics for ELB are automatically provisioned by AWS as soon as you create the load balancer. Different ways to monitor load balancers include request tracing, CloudTrail logs, access logs and CloudWatch metrics. If you are using a static load balancer and you want to migrate to either a Network Load Balancer or an Application Load Balancer, you can use the migration wizard tool. EC2 host-level metrics include network, status check, CPU utilization and disk. CloudWatch is used to monitor performance.

As an AWS systems administrator for your company, you have enabled CloudTrail logs for your company's account. The head of IT operations has also advised that the logs need to be encrypted. As the AWS admin for the company, what advice would you offer?

CloudTrail logs are automatically encrypted, hence there is no cause for alarm. By default, the CloudTrail logs delivered to the S3 bucket are encrypted with server-side encryption using SSE-S3. You can encrypt data in transit using SSL or client-side encryption. To encrypt data at rest in Amazon S3, you can use S3 server-side encryption or client-side encryption. However, we do not need to encrypt data in transit using SSL, because CloudTrail logs are already automatically encrypted using AWS SSE-S3 server-side encryption.

You are working as a SysOps architect for a media firm. All news footage files are uploaded to S3 buckets. To archive old video footage, you set S3 Lifecycle policies to move these files to STANDARD_IA after 30 days and to S3 Glacier vaults after 90 days. For all compliance and audit requirements, you are looking for a tool that will gather records across all regions. Which of the following can be used to evaluate AWS Glacier vaults? Choose 2 options.

Create an AWS Config custom rule and assign a Lambda function to this rule. Create a Lambda function to evaluate the AWS S3 Glacier vault. AWS Config doesn't currently record Amazon S3 Glacier vaults. You can create custom rules to run evaluations for resource types not yet recorded by AWS Config. To create a custom rule, you first create an AWS Lambda function that contains the evaluation logic for the rule. Then you associate the function with a custom rule that you create in AWS Config.

An AWS team needs to know about upcoming AWS hardware maintenance events. Recently, a team member was on maternity leave and the team missed an event, which resulted in an outage. The team wants a simple method to ensure that everyone is aware of upcoming events without depending on one individual member checking the dashboard. Which of the following can help achieve this?

Create an Amazon CloudWatch Events event based on the AWS Personal Health Dashboard and send a notification to an Amazon SNS topic monitored by the team. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. The AWS Health service publishes Amazon CloudWatch Events, and CloudWatch Events can trigger Amazon SNS notifications. This method requires neither additional coding nor infrastructure, and it automatically notifies the team of upcoming events.

An AWS administrator is managing a company with multiple member accounts on the Enterprise Support plan, all linked to the master account. The AWS admin wants to be notified automatically of AWS Personal Health Dashboard events. In the master account, he configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts for the other accounts in the AWS Organization failed to trigger. What could be the reason?

The AWS Personal Health Dashboard only reports events from one account. AWS Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services that you are using, along with alerts that are automatically triggered by changes in the health of those services. It provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. AWS Personal Health Dashboard can integrate with Amazon CloudWatch Events, enabling you to build custom rules and select targets such as AWS Lambda functions to define automated remediation actions. It is available to all AWS customers and provides status and notifications (SNS) for all services across all Regions and Availability Zones.

You are working as a solutions architect for a media firm. Your technical manager asks you to evaluate the cost of implementing AWS Config. Which of the following are components of AWS Config pricing? Select any two options.

Total number of active Config rules. Number of configuration items. With AWS Config, you are charged based on the number of configuration items recorded and the number of active AWS Config rules in your account. A configuration item is a record of the configuration of a resource in your AWS account. There is no up-front commitment, and you can stop recording configuration items at any time. An AWS Config rule is considered active during a month if it records a compliance result against at least one resource during that month.

You are an AWS consultant for a company. The performance of its web applications must be monitored because the festive season is approaching, there may be high spikes in traffic to the applications, and you need an efficient way to respond. You want to test the CloudWatch alarm you plan to implement for this use case while you research other possible approaches. Which is the cost-effective way to perform this test?

Use the AWS CLI set-alarm-state command. SetAlarmState temporarily sets the state of an alarm for testing purposes.

You have just joined a company as an AWS administrator. The company has a fleet of EC2 instances in an Auto Scaling group behind an Application Load Balancer. The company runs an e-commerce platform that holds flash sales on Fridays twice a month. There are complaints that on each flash sale Friday, due to high spikes in traffic, users report 5xx errors. As an AWS administrator, you need to investigate this issue so that you know which CloudWatch metrics to use, find the root cause of these 5xx errors, and design a resilient solution. However, there is a problem: the instances have been terminated due to scaling activities. You need to access the logs for those instances to understand the problem before the next flash sale Friday. Which of the following should you do?

Use Application Load Balancer access logs to obtain the logs of these terminated instances. Access logs provide the following details: the time the request was received, the IP address of the client, request paths, latencies and server responses.

Your application uses ElastiCache to handle session state and cache frequently accessed data; however, during peak times users complain that your website is running very slowly. You checked the CloudWatch metrics for your application servers and databases and cannot see any evidence of an issue, but you notice that your Redis cluster is showing 40% CPU utilization. You also notice that the other metrics are within normal ranges, and you are still convinced this issue is about CPU utilization. What is the best way to approach this use case?

Use both the CPUUtilization and EngineCPUUtilization metrics together to get a detailed understanding of CPU utilization for your Redis clusters. ElastiCache has two metrics for measuring CPU utilization: EngineCPUUtilization and CPUUtilization. CPUUtilization alone does not give complete visibility, as it reports the CPU utilization of the instance, whereas EngineCPUUtilization provides additional visibility into the CPU utilization at the Redis process level.

For the test setup of a new application, team members are launching a large number of EC2 instances. The finance team wants to evaluate how many of these are m4.large EC2 instances for cost projection. You created an AWS Config custom rule along with a Lambda function. After successful rule creation, under the Compliance section you get the error "No resources in scope". Which of the following may be the reason for this error?

Verify the custom rule to confirm that EC2 instances are part of its scope. AWS Config cannot evaluate your recorded AWS resources against this rule because none of your resources are within the rule's scope. To get evaluation results, edit the rule and change its scope, or add resources for AWS Config to record by using the Settings page. Verify that AWS Config is recording EC2 instances.
