Amazon Web Services Updated SOA-C02 Exam Questions and Answers by ivy-rae

Configuring Security Groups:

Security groups act as virtual firewalls for your instances to control inbound and outbound traffic.

Steps:

Go to the AWS Management Console.

Navigate to EC2.

Select "Security Groups" from the left-hand menu.

Find and select the security group associated with your EC2 instances.

Choose the "Inbound rules" tab and click "Edit inbound rules."

Add a rule to allow traffic from the security group associated with the NLB.

Type: Custom TCP (or the specific port your application uses)

Source: Select "Custom" and enter the ID of the NLB's security group.

This setup ensures that the EC2 instances accept traffic only from the NLB, enhancing security with minimal operational overhead.

NAT Gateway Setup:

A NAT gateway allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.

Steps:

Go to the AWS Management Console.

Navigate to VPC and select "NAT Gateways."

Create a NAT gateway in the public subnet of each Availability Zone.

Allocate an Elastic IP address to each NAT gateway.

Update the route tables for the private subnets to route internet-bound traffic to the NAT gateways.

To send local logs from a fleet of servers to Amazon CloudWatch:

Install the Unified CloudWatch Agent: The unified CloudWatch agent is capable of collecting both logs and metrics from servers. This agent supports various operating systems and can be configured according to specific logging requirements.

Configuration of the Agent: The agent's configuration involves specifying which log files to monitor and how they should be processed. This configuration can be done manually or through the AWS Systems Manager for automated deployment across multiple servers.

Send Logs to CloudWatch: Once configured and running, the CloudWatch agent will continuously monitor the specified log files and send the log data to Amazon CloudWatch Logs, allowing you to view, search, and set alarms on log data.

This setup ensures a robust and scalable way to manage log data across a fleet of servers, leveraging AWS native services for seamless integration and management.

To ensure that the application running on an Amazon EC2 instance can read, write, and delete messages from the SQS queues in the most secure manner, the recommended approach is to use IAM roles for EC2 instances. This approach avoids the need to embed or export long-term AWS credentials, which can be a security risk.

Create an IAM Role for EC2:

Navigate to the IAM console in the AWS Management Console.

Choose "Roles" in the navigation pane, then click "Create role".

Select "AWS service" as the type of trusted entity and choose "EC2" as the use case. Click "Next: Permissions".

Attach the Required Permissions:

On the "Attach permissions policies" page, you can either select an existing policy or create a custom policy.

For a custom policy, click "Create policy" and use the following JSON policy to allow the required SQS actions:

json

Copy code

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"sqs:SendMessage",

"sqs:ReceiveMessage",

"sqs:DeleteMessage"

],

"Resource": "arn:aws:sqs:region:account-id:queue-name"

}

]

}

Replace region, account-id, and queue-name with appropriate values for your SQS queues.

Assign the Role to the EC2 Instance:

After creating the role with the necessary permissions, navigate to the EC2 console.

Select the instance that needs access to the SQS queues.

In the "Actions" menu, choose "Security", then "Modify IAM role".

Attach the newly created IAM role to the instance.

Verify the Permissions:

Ensure that the IAM role is properly attached to the EC2 instance.

Test the application to confirm that it can successfully perform the required actions (read, write, delete) on the SQS queues.

References:

IAM Roles for Amazon EC2

Amazon SQS Policy Examples