AWS : Solutions Architect Professional Exam — Part 5

A Quick Review for Continuous Improvement for Existing Solutions

Pisit J.
Sum up As A Service
5 min read · Sep 12, 2021


Part 5: Continuous Improvement for Existing Solutions (29% of exam)

  • Logging & Monitoring
  • Reliability & Performance
  • Automated Response to Detection of Security Vulnerabilities
  • Automated Deployment & Rollback Strategy

1 — A company stores confidential documents in an Amazon S3 bucket. If a public object is identified, the IT Compliance team must be notified immediately and the object's permissions must be remediated automatically. The notification must be sent as soon as a public object is created in the bucket.

What is the most suitable solution that complies with this data policy?

  • Enable object-level logging (S3 data events) on the bucket so that CloudTrail records the S3 object actions, including PutObject and PutObjectAcl.
  • Set up an Amazon CloudWatch Events (now EventBridge) rule that matches a PutObject API call carrying a public-read ACL in the CloudTrail events and publishes to an SNS topic that notifies the IT Compliance team.
  • Launch another CloudWatch Events rule that invokes an AWS Lambda function to set the ACL of the newly uploaded public object back to private.

This is a detective control that closes the window after the fact; S3 Block Public Access on the bucket or account prevents the public ACL from being applied in the first place, and the two are normally used together.
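The detection and remediation steps above, as an added example that is not code from the original post: the CloudWatch Events / EventBridge pattern that selects the relevant S3 API calls, the check that decides whether a CloudTrail record granted public access, and the Lambda body that resets the ACL and publishes to SNS. The account ID, bucket, key, topic ARN and the CloudTrail record are constructed placeholders, and the boto3 clients are replaced by recording fakes so the logic runs offline.

```python
import json

# Grantee URIs and canned ACLs that expose an object beyond the owning account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Event pattern for the CloudWatch Events / EventBridge rule that triggers the
# Lambda function. It only fires if S3 data events (object-level logging) are on.
EVENT_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["PutObject", "PutObjectAcl", "CopyObject"],
    },
}


def is_public_request(detail):
    """Return True if the CloudTrail record's request grants public access.

    A canned ACL appears as requestParameters["x-amz-acl"]; explicit grants
    (PutObjectAcl with a body) appear under requestParameters.AccessControlPolicy.
    Field names follow CloudTrail S3 data-event records (assumption: verify
    against a record from your own trail).
    """
    params = detail.get("requestParameters") or {}
    canned = params.get("x-amz-acl")
    if isinstance(canned, list):          # header values are sometimes lists
        canned = canned[0] if canned else None
    if canned in PUBLIC_CANNED_ACLS:
        return True
    grants = (params.get("AccessControlPolicy") or {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):          # a single grant is not wrapped in a list
        grants = [grants]
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def remediate(event, s3, sns, topic_arn):
    """Lambda body: make the object private again and notify compliance.

    `s3` and `sns` are boto3-style clients injected by the caller so the
    decision logic can run offline against the fakes below. In Lambda, wrap
    this as lambda_handler(event, context) with boto3.client("s3") / boto3.client("sns").
    """
    detail = event["detail"]
    bucket = detail["requestParameters"]["bucketName"]
    key = detail["requestParameters"]["key"]
    if not is_public_request(detail):
        return {"bucket": bucket, "key": key, "public": False, "remediated": False}
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    sns.publish(
        TopicArn=topic_arn,
        Subject="Public S3 object remediated",
        Message=json.dumps({
            "bucket": bucket, "key": key, "api": detail["eventName"],
            "actor": (detail.get("userIdentity") or {}).get("arn"),
        }),
    )
    return {"bucket": bucket, "key": key, "public": True, "remediated": True}


class FakeClient:
    """Records calls instead of talking to AWS (test double for this example)."""
    def __init__(self):
        self.calls = []

    def put_object_acl(self, **kwargs):
        self.calls.append(("put_object_acl", kwargs))
        return {}

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))
        return {"MessageId": "fake-message-id"}


# Constructed CloudTrail data event; account, bucket, key and user are placeholders.
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "bucketName": "example-confidential-docs",
            "key": "contracts/q3.pdf",
            "x-amz-acl": "public-read",
        },
    },
}


def demo():
    s3, sns = FakeClient(), FakeClient()
    result = remediate(SAMPLE_EVENT, s3, sns, "arn:aws:sns:us-east-1:123456789012:compliance-alerts")
    return result, s3.calls, sns.calls


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Resetting the ACL is a one-shot fix and races with the uploader, so pair it with S3 Block Public Access (which rejects the grant outright) or bucket-owner-enforced object ownership (which disables object ACLs altogether); the rule and Lambda then serve as the audit trail and the alert path rather than the only line of defence.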

2 — The application is deployed on an EC2 instance that has been assigned an IAM role providing access to data files stored in an S3 bucket.

What IAM policies control access to your data files in S3?

  • An IAM trust policy on the role that allows the EC2 service (ec2.amazonaws.com) to assume it on behalf of the instance; the instance profile is what attaches the role to the instance.
  • An IAM permissions policy on the role that allows the EC2 role to access the S3 objects.

Note — To delegate permission to access a resource, you create an IAM role in the trusting account that has two policies attached:

  1. IAM trust policy — specifies which trusted principals (AWS services, accounts, users or roles) are allowed to assume the role.
  2. IAM permissions policy — grants the needed permissions to carry out the intended tasks.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

3 — Your website is behind an Application Load Balancer that distributes incoming traffic to an Auto Scaling group of On-Demand EC2 instances. To improve SEO ranking and to provide more security, you decide to enable SSL/TLS on the website.

You would like to ensure a separation of roles between the Development team and the Security team in handling the sensitive SSL certificate. The Development team can log in to the EC2 instances but should not have access to the certificate's private key, which only the Security team has exclusive control of.

In this scenario, what setup should be implemented?

  • Store the SSL certificate in IAM (as an IAM server certificate) and authorize access to it only for the Security team using an IAM policy. AWS Certificate Manager is the preferred store for ALB certificates today and supports the same separation through IAM policies on the acm:* actions.
  • Configure the Application Load Balancer's HTTPS listener to terminate TLS with that certificate instead of installing it on the EC2 instances, so the private key never resides on a host the Development team can log in to.

4 — The website of a new mobile game has high traffic with user registrations from around the world. The website is hosted on a fleet of Amazon EC2 instances. It contains static content that is loaded differently depending on the user's device type. With the sudden increase in user traffic, the fleet of Amazon EC2 instances experienced high CPU usage and users are reporting slow response times on the website.

What can you implement to improve the website response time?

  • Create an Amazon S3 bucket to host the static content.
  • Set this bucket as the origin for an Amazon CloudFront distribution.
  • Write a Lambda@Edge function on the viewer-request event to parse the User-Agent HTTP header and serve the appropriate content based on the user's device type.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-custom-user-agent-header
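A viewer-request Lambda@Edge handler in Python that does the User-Agent parsing described above, as an added example that is not code from the post. The event shape follows CloudFront's Lambda@Edge request event; the device patterns, the `/mobile`, `/tablet` and `/desktop` URI prefixes, the `X-Device-Type` header and the sample user agents are assumptions made for illustration.

```python
import re

# Coarse device classification from the User-Agent string. Order matters:
# Android without "Mobile" is a tablet, Android with "Mobile" is a phone.
DEVICE_PATTERNS = [
    ("tablet", re.compile(r"iPad|Android(?!.*Mobile)|Tablet", re.IGNORECASE)),
    ("mobile", re.compile(r"iPhone|iPod|Android.*Mobile|Windows Phone|Mobile", re.IGNORECASE)),
]


def classify_device(user_agent):
    """Return 'tablet', 'mobile' or 'desktop' (the default when nothing matches)."""
    for name, pattern in DEVICE_PATTERNS:
        if pattern.search(user_agent or ""):
            return name
    return "desktop"


def handler(event, context=None):
    """Lambda@Edge viewer-request handler: rewrite the URI to the device variant.

    CloudFront lower-cases header names and wraps values in a list of
    {"key": ..., "value": ...} objects. Rewriting the URI here means the
    device variant becomes part of the cache key automatically.
    """
    request = event["Records"][0]["cf"]["request"]
    ua_headers = request.get("headers", {}).get("user-agent", [])
    user_agent = ua_headers[0]["value"] if ua_headers else ""
    device = classify_device(user_agent)

    # Idempotent: do not prefix twice if the URI already carries a variant.
    if not request["uri"].startswith(f"/{device}/"):
        request["uri"] = f"/{device}{request['uri']}"

    # Surface the decision so the origin or logs can see why this path was chosen.
    request["headers"]["x-device-type"] = [{"key": "X-Device-Type", "value": device}]
    return request


def make_event(uri, user_agent):
    """Construct a viewer-request event shaped like the one CloudFront delivers."""
    return {"Records": [{"cf": {"request": {
        "uri": uri,
        "method": "GET",
        "headers": {"user-agent": [{"key": "User-Agent", "value": user_agent}]},
    }}}]}


# Constructed sample user agents (trimmed, not captured from real traffic).
SAMPLE_USER_AGENTS = {
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 Version/15.0 Mobile/15E148 Safari/604.1",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 12_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "android_phone": "Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 Chrome/93.0 Mobile Safari/537.36",
    "android_tablet": "Mozilla/5.0 (Linux; Android 11; SM-T870) AppleWebKit/537.36 Chrome/93.0 Safari/537.36",
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/93.0 Safari/537.36",
}


def demo():
    """Map each sample user agent to the URI the handler would request from S3."""
    return {name: handler(make_event("/index.html", ua))["uri"]
            for name, ua in SAMPLE_USER_AGENTS.items()}


if __name__ == "__main__":
    for name, uri in demo().items():
        print(f"{name:15s} -> {uri}")
```

Rewriting the URI in the viewer-request event is what keeps the cache effective: the three variants are cached under three different keys, and the raw User-Agent header (which is close to unique per client) never has to be forwarded to the origin or added to the cache key. The regexes are deliberately coarse; iPadOS Safari reports itself as a Macintosh by default, so treat the result as a best-effort hint and keep a sane desktop fallback rather than a hard error.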

5 — A company is running hundreds of Amazon EC2 instances launched from custom AMIs that are dedicated to specific products and services. As part of security compliance, vulnerability scanning must be done on all EC2 instances; each instance must be scanned and pass a Common Vulnerabilities and Exposures (CVE) assessment.

How should you implement this to achieve the security requirements?

Use Amazon Inspector to run the CVE assessment on your EC2 instances.

Note — Amazon Inspector offers pre-defined software called an agent that you can optionally install in the operating system of the EC2 instances that you want to assess. Amazon Inspector also has rules packages that help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). The dedicated agent and rules packages belong to Amazon Inspector Classic; the current Amazon Inspector relies on the SSM Agent already present on most AMIs and scans continuously rather than per assessment run. Either way, bake the agent and the instance role it needs into the custom AMIs so that every instance launched from them is covered without a manual step.

https://aws.amazon.com/inspector/faqs/

6 — A startup has recently consolidated their multiple AWS accounts using AWS Organizations. They currently have two teams in their organization, a security team and a development team.

The security team is required to set up a system that checks whether all running EC2 instances use an approved AMI. However, the solution must not stop the development team from launching an EC2 instance from a non-approved AMI; flagging the instance is only allowed once the deployment has completed.

In addition, they have to set up a notification system that sends the compliance state of the resources, so the teams can tell which instances are compliant and which are not.

What is the most suitable solution for this requirement?

  • Use the AWS Config managed rule approved-amis-by-id and specify the list of approved AMI IDs in its amiIds parameter. This rule checks whether running EC2 instances use the specified AMIs and marks the others NON_COMPLIANT after the fact, without blocking the launch.
  • Configure AWS Config to stream configuration changes and compliance notifications to an Amazon SNS topic, which sends a notification for non-compliant instances.

https://docs.aws.amazon.com/config/latest/developerguide/approved-amis-by-id.html

7 — A company has a critical application running on an Auto Scaling group of Amazon EC2 instances. The application CI/CD pipelines are created on AWS CodePipeline and all of the relevant AWS resources are defined in AWS CloudFormation templates. During deployments, the Auto Scaling group spawns new instances and the user data script downloads the new artifact from a central Amazon S3 bucket. With several code updates during the development cycle, a recent update on the CloudFormation templates has caused a major application downtime.

What should you implement to minimize downtime during deployments?

  • Add an AWS CodeBuild stage to the deployment pipeline to automatically test the change in a non-production environment.
  • Use change sets in AWS CloudFormation to preview changes before applying them to production.
  • Set up a blue/green deployment pattern with AWS CodeDeploy to deploy changes to a separate environment and to quickly roll back if needed.
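A pipeline-side gate over the change-set preview above, as an added example that is not code from the post: it walks the `Changes` list that `aws cloudformation describe-change-set` returns, blocks execution on deletions and replacements, and warns on in-place changes to traffic-bearing or stateful resources. The change-set contents, logical IDs, the set of sensitive resource types and the severity rules are constructed for illustration.

```python
# Resource types where even an in-place Modify deserves a human look
# (they carry traffic or state). Assumption for this example; extend as needed.
SENSITIVE_TYPES = {
    "AWS::AutoScaling::AutoScalingGroup",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "AWS::ElasticLoadBalancingV2::Listener",
    "AWS::ElasticLoadBalancingV2::TargetGroup",
    "AWS::RDS::DBInstance",
    "AWS::RDS::DBCluster",
    "AWS::DynamoDB::Table",
}


def review_change_set(change_set):
    """Classify each ResourceChange of a describe-change-set response.

    Returns a list of (severity, logical_id, reason) tuples. "block" means
    the pipeline should stop before execute-change-set; "warn" means proceed
    but record the reason in the deployment log.
    """
    findings = []
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange") or {}
        logical_id = rc.get("LogicalResourceId", "?")
        rtype = rc.get("ResourceType", "?")
        action = rc.get("Action")
        replacement = rc.get("Replacement")   # "True", "False" or "Conditional" on Modify
        if action == "Remove":
            findings.append(("block", logical_id, f"{rtype} will be deleted"))
        elif action == "Modify" and replacement in ("True", "Conditional"):
            findings.append(("block", logical_id,
                             f"{rtype} will be replaced (Replacement={replacement}); "
                             "expect downtime and a new physical ID"))
        elif action == "Modify" and rtype in SENSITIVE_TYPES:
            props = [d.get("Target", {}).get("Name") for d in rc.get("Details", [])]
            props = [p for p in props if p]
            findings.append(("warn", logical_id,
                             f"in-place change to {rtype}: {', '.join(props) or 'unknown properties'}"))
    return findings


def should_execute(findings):
    """True when nothing in the review blocks the deployment."""
    return not any(severity == "block" for severity, _, _ in findings)


# Constructed change set in the shape describe-change-set returns. The launch
# template change is routine; renaming the Auto Scaling group forces a replacement;
# the target-group health check is an in-place change to a traffic-bearing resource.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "release-42",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppLaunchTemplate",
            "ResourceType": "AWS::EC2::LaunchTemplate", "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "LaunchTemplateData",
                                    "RequiresRecreation": "Never"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppAutoScalingGroup",
            "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "Replacement": "True",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "AutoScalingGroupName",
                                    "RequiresRecreation": "Always"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppTargetGroup",
            "ResourceType": "AWS::ElasticLoadBalancingV2::TargetGroup", "Replacement": "False",
            "Details": [{"Target": {"Attribute": "Properties", "Name": "HealthCheckPath",
                                    "RequiresRecreation": "Never"}}]}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "ArtifactBucketPolicy",
            "ResourceType": "AWS::S3::BucketPolicy"}},
    ],
}


def demo():
    findings = review_change_set(SAMPLE_CHANGE_SET)
    return findings, should_execute(findings)


if __name__ == "__main__":
    findings, ok = demo()
    for severity, logical_id, reason in findings:
        print(f"[{severity}] {logical_id}: {reason}")
    print("execute change set:", ok)
```

Run this between `create-change-set` and `execute-change-set` in the pipeline. CloudFormation's automatic rollback only covers updates that fail; an update that succeeds while replacing the Auto Scaling group drops capacity until the new group is healthy, which is exactly the outage the question describes and why a blue/green cut-over is the safer pattern for those changes.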
