Amazon Web Services Updated SOA-C02 Exam Questions and Answers by romilly

To meet the requirement of using only IPv6 for all EC2 instances while allowing outbound internet access and preventing inbound internet access, an egress-only internet gateway is the correct solution. An egress-only internet gateway allows outbound communication over IPv6 and blocks inbound communication, ensuring that the instances can access the internet but are not directly accessible from the internet.

Create an Egress-Only Internet Gateway:

Open the Amazon VPC console at Amazon VPC Console.

In the navigation pane, choose Egress-only internet gateways.

Choose Create egress-only internet gateway, and then attach it to your VPC.

Create a Custom Route Table:

In the VPC console, navigate to Route Tables.

Create a new route table or select an existing one.

Add a route with the destination set to ::/0 (which represents all IPv6 addresses) and the target set to the egress-only internet gateway.

Attach the Route Table to IPv6-Only Subnets:

Associate the route table with the IPv6-only subnets in your VPC.

This configuration ensures that your IPv6-only EC2 instances can access the internet while being protected from inbound internet traffic.

References:

Egress-Only Internet Gateways

IPv6 Addresses

To meet the requirement of having 50% CPU available to accommodate bursts of traffic and to handle the significant load increase between 09:00 and 17:00, you need a combination of target tracking and scheduled scaling policies.

Target Tracking Scaling Policy:

Create a target tracking scaling policy that keeps the CPU utilization at 50%. This ensures that the fleet scales in or out to maintain the target CPU utilization.

This policy will ensure that the fleet scales automatically based on actual CPU usage, maintaining availability and performance.

Scheduled Scaling Policies:

First Policy: Create a scheduled scaling policy to scale out the fleet at 09:00 when the load increases.

In the AWS Management Console, navigate to the EC2 Auto Scaling Groups.

Select your Auto Scaling group and choose Actions > Edit.

Add a new scheduled action to increase the desired capacity at 09:00.

Second Policy: Create another scheduled scaling policy to scale in the fleet at 17:00 when the load decreases.

Similarly, add another scheduled action to decrease the desired capacity at 17:00.

This approach ensures that the fleet is prepared for the increased load during peak hours while maintaining efficient resource usage during off-peak times.

References:

Target Tracking Scaling Policies

Scheduled Scaling

To control the production account efficiently, the most operationally efficient solution is to create a service control policy (SCP) and apply it to the production OU. SCPs allow you to manage permissions for AWS Organizations at the organizational unit (OU) or account level.

Service Control Policies (SCPs):

SCPs are a type of policy that can restrict what services and actions can be used in the accounts within an OU.

They are applied at the organizational unit level and provide a way to enforce corporate policies across multiple AWS accounts.

Steps to Implement:

Navigate to the AWS Organizations console.

Create a new SCP that specifies the allowed or denied services and actions.

Apply the SCP to the production OU.

References:

AWS Organizations SCPs

To rotate an AWS KMS customer master key (CMK) with imported key material every 6 months, follow these steps:

Create a New CMK with New Imported Material:

Generate new key material according to your security policies.

Create a new CMK in AWS KMS and import the new key material into this CMK.