Skill Assessment - AWS Q20

Q20. A principle of DevOps is to view infrastructure as code. 

Which AWS service allows you to script your AWS infrastructure?

•  CloudTrail
•  CloudFormation
•  AWS Config
•  AWS Service Catalog

ChatGPT

The AWS service that allows you to script your AWS infrastructure is "CloudFormation." So, the correct answer is:

·       CloudFormation

 

Please show me the simplest sample of CloudFormation.

 

ChatGPT

Certainly! Here's a very simple example of an AWS CloudFormation template in YAML format. This template creates an Amazon S3 bucket:

yamlCopy code

Resources: MyS3Bucket: Type: AWS::S3::Bucket

In this example:

·       Resources is the section where you define the AWS resources you want to create.

·       MyS3Bucket is a logical name for the S3 bucket resource.

·       Type: AWS::S3::Bucket specifies the AWS resource type, which is an S3 bucket in this case.

You can create more complex templates that include parameters, conditions, and other resources as needed for your infrastructure. CloudFormation allows you to declare your infrastructure as code, making it easier to manage and provision AWS resources consistently.

 

Q21. You created a Windows EC2 instance with a public IP address and installed SQL Server.

When attempting to connect to SQL Server from SQL Server Enterprise Manager on your local computer, the Windows EC2 instance is unable to establish a connection to the server. What is the first thing you should check?

•  Check the routing tables for the VPC.
•  Verify that the assigned security groups allow TCP port 1433 traffic from your current IP address.
•  Check the policies within Windows Firewall.
•  Verify that you are connecting to the instance using a user that is not sa.

 

Q22. You are hosting an application configured to stream media to its clients on TCP ports 3380-3384, 3386-3388, and 3390.

The Inbound tab below shows three incoming security group policies attached to this instance. Which policy should you use?

• The rule that exposes TCP ports 3380-3390 would also publicly expose port 3389 (RDP) to the entire internet. Write separate rules to only expose the needed ports.
• The first security group rule allows all traffic into this instance. Exposing your entire instance to the whole internet leaves the server open to various attacks of the other services running on different port numbers.
• Verify that the AWS account owners actually control the entire CIDR C block for 12.228.11.0-255 and these are secured IPs for RDP access into this instance.
• There are no recommendations to make.

 

Q23. You have four front-end web servers behind a load balancer,

which use NFS to access another EC2 instance that resizes and stores images for the front-end application. What security group policies should be assigned to these servers?

•  Assign Elastic IPs to all of the instances and create a group that allows all traffic to pass between each of the five Elastic IP addresses and allow all inbound HTTPS traffic.
•  Front-end web servers should allow HTTPS. Assign another group to all of the instances that allows all traffic to pass between instances using that group.
•  Create a security group that allows inbound NFS, HTTP, and HTTPS traffic from all IP addresses. Apply this group to all of the servers.
•  Create a security group that allows inbound HTTP and HTTPS traffic from all IP addresses and apply this to the web servers. Create a second security group for the NFS filestore that allows outbound NFS traffic to the private IP range of the front-end web servers.

ChatGPT

The correct approach for securing the described infrastructure is:

Create a security group that allows inbound HTTP and HTTPS traffic from all IP addresses and apply this to the web servers. Create a second security group for the NFS filestore that allows outbound NFS traffic to the private IP range of the front-end web servers.

Here's why:

1.     Front-end web servers: These servers should allow inbound HTTP and HTTPS traffic from clients. Therefore, you need to create a security group for them that allows inbound HTTP and HTTPS traffic.

2.     NFS filestore: The EC2 instance responsible for NFS should have a security group that allows outbound NFS traffic to the private IP range of the front-end web servers. This allows the NFS server to communicate with the front-end servers securely.

This configuration ensures that the web servers are accessible over HTTP and HTTPS while the NFS server can communicate with the web servers via NFS. It follows the principle of least privilege, only allowing the necessary traffic and connections for the specific services.

 

※ChatGPTの説明が説得力があると考える。

 

Q24. You have a Linux EC2 web server that suddenly is timing out 

on all HTTP requests and your SSH connection attempts are timing out. You notice that it is failing the system status check in the EC2 console. What action should you take?

•  Restore the instance from the last AMI image. System status checks indicate that the filesystem on the instance is corrupted.
•  Stop and start the instance. This will move the instance to another host.
•  Contact AWS support. Failing a system status check indicates a failure in the underlying hardware and must be addressed by an AWS representative.
•  Reboot the instance. This will stop and start the instance and move it to another host.

 

ChatGPT

In this situation, the most appropriate action to take is:

Stop and start the instance. This will move the instance to another host.

Stopping and starting the instance can often resolve issues related to the underlying hardware or the instance's networking. When you stop and start an instance, it's moved to a different host, and this can help address issues related to the current host's hardware or network problems. It's a common troubleshooting step for resolving connectivity issues or system status check failures.

Restoring from an AMI would not necessarily address the underlying issue related to the system status check failure.
Contacting AWS support should be considered if the issue persists after stopping and starting the instance.
Rebooting the instance is a less drastic step than stopping and starting, and it may not necessarily move the instance to another host, so it may not be as effective in resolving underlying hardware or networking issues.

 

※ここでもChatGPTの説明に説得力があると感じる。

 

Q25. You have several on-premise servers 

and would like to store your offsite backups on AWS. What fully managed backup service can you use to ship your backups to AWS?

•  Windows Server 2016 supports S3 as a target when using storage replicas.
•  Use Storage Gateway.
•  Sync files directly to S3 with the AWS CLI.
•  Use the RDS console to force a reboot of the database instance so that the primary server becomes the master server again.

 

ChatGPT

The fully managed service you can use to ship your backups to AWS is AWS Storage Gateway.

AWS Storage Gateway is a hybrid cloud storage service that enables on-premises applications to seamlessly use AWS cloud storage. It allows you to store backups, archives, and other data in AWS cloud storage services like Amazon S3 (Simple Storage Service). You can configure it to act as a backup target for your on-premises servers, and it provides various storage interfaces, including file, volume, and tape, making it a flexible and versatile option for backing up on-premises data to AWS.

 

Q26. What is the best practice for creating a highly available PostgreSQL database 

in RDS that can sustain the loss of a single AWS region?

•  PostgreSQL cannot be replicated across regions. Restore the database backups from an S3 bucket and repoint your database connections to the new instance.
•  Create Read Replicas in other AWS regions. You can designate a new master database from any of the read replicas until the regional failure is resolved.
•  Verify that your instance is configured for Multi-AZ support. Database changes will be automatically synced to another region in the event of a failure and RDS will automatically select a new master until the regional failure is resolved.
•  Create Read Replicas in other AWS regions. Ensure read operations against the database occur on an available Read Replica, and send write operations to another region if you need to promote a Read Replica to a standalone database if the master is down.

 

ChatGPT

The best practice for creating a highly available PostgreSQL database in Amazon RDS (Relational Database Service) that can sustain the loss of a single AWS region is:

 

Create Read Replicas in other AWS regions. Ensure read operations against the database occur on an available Read Replica, and send write operations to another region if you need to promote a Read Replica to a standalone database if the master is down.

 

This strategy involves setting up Read Replicas in multiple AWS regions for failover and high availability. It allows you to have read-only access to the data in the standby region and promotes a Read Replica to become the new master database if the primary region experiences a failure. This approach helps to minimize downtime and data loss in the event of a regional failure.

Multi-AZ (Availability Zone) support doesn't inherently replicate data across regions, and it only provides high availability within the same region.

 

Q27. You created a new Linux EC2 instance and installed PostgreSQL 

but you are not able to establish a connection to the server from your local computer. What steps do you take to resolve this issue?

•  Create a security group rule that allows all traffic from 0.0.0.0/0. This will verify whether or not another rule is denying the traffic.
•  Verify that the assigned security groups allow traffic from your IP address to port 5432. Verify that PostgreSQL is configured to listen to external traffic and is bound to the public interface.
•  Make sure that you are using an Elastic IP and that it is included within the postgresql.conf configuration file.
•  Stop and start the instance. New security group rules will only take effect after a restart

 

Q28. What does the statement body of this S3 bucket policy do?

{

  "Sid": "bucketpolicy1",

  "Effect": "Allow",

  "Principal": "*",

  "Action": "s3:GetObject",

  "Resource": "arn:aws:s3:::userreports/*",

  "Condition": {

    "IpAddress": { "aws:SourceIp": "68.249.108.0/24" },

    "NotIpAddress": { "aws:SourceIp": "68.249.108.128/32" }

  }

}

•  bucketpolicy1 allows any user to perform any action on the objects in the userreports bucket, but limits the objects to read-only permissions for anyone coming from 68.249.108.0 to 68.249.108.255 – except 68.249.108.128.
•  bucketpolicy1 allows any user coming from the IP range of 68.249.108.0 to access objects in the userreports bucket and denies access to 68.249.108.128.
•  bucketpolicy1 allows any user to perform any action on the objects in the userreports bucket – except anyone coming from the IP of 68.249.108.128.
•  bucketpolicy1 allows any user coming from the IP range of 68.249.108.0 to 68.249.108.255 to access objects in the userreports bucket-except anyone coming from the IP of 68.249.108.128.

 

ChatGPT

The statement body of this S3 bucket policy does the following:

 

bucketpolicy1 allows any user to perform any action on the objects in the userreports bucket – except anyone coming from the IP of 68.249.108.128.

 

The "Effect" is set to "Allow," so it allows actions, but the "Condition" specifies that it allows any user from the IP range 68.249.108.0 to 68.249.108.255 to access objects in the "userreports" bucket while denying access to anyone with the specific IP address 68.249.108.128.

 

※ChatGPTの解答間違い。解答最終コメントが正しいのだが、問題文選択肢の文脈を取り違えたのか。

 

Q29. A new developer has been added to the team 

and you have been asked to provide access to the organization’s AWS account. What is the best practice for granting access?

•  Give the new developer the IAM login that is assigned to the development team. This IAM user should already include all of the policies that a developer would need.
•  Create a IAM user for the new developer. Manually assign policies to the new IAM user account.
•  Do not give the new developer access to the AWS console. Using the IAM user that is assigned to the development group, generate a new set of access keys and label these with the name of the developer.
•  Create a IAM user for the new developer. Assign the new developer the a developer group you already created for the other developers.

 

関連スキルテスト編

https://akasaka-taro.blogspot.com/2023/10/skill-assessment-aws-q3.html