Amazon Web Services Updated SOA-C02 Exam Questions and Answers by andrei

AWS Secrets Manager allows you to store, manage, and automatically rotate database credentials. This service is designed to be used for such requirements efficiently.

Store Database Credentials in AWS Secrets Manager:

Open the AWS Secrets Manager console at AWS Secrets Manager Console.

Choose Store a new secret.

Select Credentials for RDS database and provide the database connection details and credentials.

Choose Next to configure the secret.

Configure Rotation:

Enable automatic rotation for the secret.

Set the rotation interval to 365 days.

Select or create a Lambda function that will be used to rotate the secret. AWS Secrets Manager provides a template for this function which can be customized if necessary.

Apply and Monitor:

Apply the changes and ensure that your application retrieves credentials from AWS Secrets Manager.

Monitor the rotation activity in Secrets Manager to ensure that the credentials are being rotated as expected.

AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets

To resolve issues with high disk I/O during the bootstrap process:

Increase EBS Volume IOPS: Higher IOPS allows the EBS volume to handle more input/output operations per second, which is critical for high I/O demands like downloading large Docker images.

Increase EBS Volume Throughput: Boosting throughput allows for faster data transfer rates, which is useful when the workload requires sustained high data throughput during initialization.

Increasing the instance size or changing the instance type is not necessary if the root cause is related specifically to EBS performance. Nitro instances generally provide higher performance and are well-suited for high I/O tasks.

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Using a stack set, the SysOps administrator can manage deployments across different regions and accounts within AWS Organizations efficiently.

Setting up StackSets: First, define your CloudFormation template that describes all the resources that need to be deployed across the regions. Store this template in an S3 bucket accessible by the central administration account.

Service-Managed Permissions: When creating a stack set, select the option for service-managed permissions if you are using AWS Organizations. This allows AWS CloudFormation to automatically set up the necessary permissions in the target accounts.

Deploying the Stack Set: From the central administration account, create the stack set and specify the target accounts and regions. CloudFormation will then ensure that the resources defined in the template are instantiated in each of the specified regions and accounts.

This method simplifies management and ensures consistency of infrastructure across multiple regions and accounts, leveraging the organizational units in AWS Organizations for centralized governance.

To automate the process of disabling unused IAM user accounts that have not been active for 90 days, using an AWS Config managed rule with an AWS Systems Manager automation runbook is the most operationally efficient method.

Set Up AWS Config Managed Rule:

Open the AWS Config console.

Create a rule using the managed rule iam-user-no-policies-check.

Configure the rule to trigger when IAM users have not been active for 90 days.

AWS Systems Manager Automation Runbook:

Create a Systems Manager automation document (runbook) to disable the access keys for inactive IAM users.

Use the aws:executeAutomation action to disable access keys and passwords.

Schedule the Automation:

Use Amazon EventBridge (formerly CloudWatch Events) to schedule the automation to run periodically.

AWS Config Managed Rules

AWS Systems Manager Automation

Scheduling AWS Systems Manager Automation