Amazon Web Services Updated SOA-C02 Exam Questions and Answers by orin

A stack policy is used to protect specific resources within a CloudFormation stack from being unintentionally updated or deleted. By using a stack policy, you can explicitly deny updates to critical resources while allowing updates to other parts of the stack.

Create a Stack Policy:

Define a JSON stack policy that includes an explicit allow for all resources and an explicit deny for the protected resources. For example:

json

Copy code

{

"Statement": [

{

"Effect": "Allow",

"Action": "Update:*",

"Principal": "*",

"Resource": "*"

},

{

"Effect": "Deny",

"Action": "Update:*",

"Principal": "*",

"Resource": "arn:aws:cloudformation:region:account-id:stack/stack-name/protected-resource"

}

]

}

Replace region, account-id, stack-name, and protected-resource with the appropriate values.

Apply the Stack Policy:

Navigate to the CloudFormation console.

Select the stack you want to protect.

Choose "Stack actions" and then "Edit stack policy".

Paste the stack policy JSON and save the policy.

Perform Stack Updates:

When performing stack updates, the stack policy will enforce the rules specified, preventing accidental updates to the protected resources.

Review and Adjust:

Periodically review the stack policy to ensure it still meets the needs of the organization and update it as necessary.

AWS CloudFormation Stack Policies

Creating and Applying a Stack Policy

For member accounts in AWS Organizations to receive notifications about estimated costs exceeding a predetermined amount, billing alerts must be enabled in the management/payer account.

Enable Billing Alerts in the Management Account:

Open the AWS Billing and Cost Management console at AWS Billing Console.

In the navigation pane, choose Billing preferences.

Under Billing preferences, ensure that Receive Billing Alerts is enabled.

Create a Budget and Set Up Notifications:

Open the AWS Budgets console at AWS Budgets Console.

Create a budget and configure it to monitor the estimated costs.

Set up notifications for when the budget thresholds are exceeded and specify the email addresses of the managers in the member accounts.

By enabling billing alerts in the management account, you allow member accounts to receive notifications about their estimated costs.

Setting Up Alerts and Notifications

Creating an AWS Budget

To track instance memory utilization and available disk space using Amazon CloudWatch, the SysOps administrator should install and configure the CloudWatch agent on all instances.

Install and Configure the CloudWatch Agent:

The CloudWatch agent can collect both system-level metrics (e.g., memory utilization, disk space) and application-level metrics and logs.

Install the CloudWatch agent on each EC2 instance and configure it to collect the necessary metrics.

Attach an IAM Role:

The EC2 instances need permissions to write logs and metrics to CloudWatch.

Attach an IAM role with the necessary permissions (e.g., CloudWatchAgentServerPolicy) to each EC2 instance.

Installing the CloudWatch Agent

Create IAM Roles to Use with the CloudWatch Agent

To enable automatic failover for RDS (MySQL in this case), you must configure it as a Multi-AZ deployment.

From Amazon RDS Multi-AZ documentation:

Multi-AZ deployments provide high availability and automatic failover support.

❌ Why other options are incorrect:

A: Changing engine to PostgreSQL does not help with failover.

C: Read replicas are used for scaling reads, not failover.

D: Automated backups help with point-in-time recovery, not failover.