Last Attempt SOA-C03 Questions

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

CloudFront is a global edge network service, and its performance (latency and data transfer behavior) depends heavily on the geographic location of viewers and the edge locations that serve them. Therefore, a valid load test must generate traffic from multiple geographic regions to reflect real user distribution and to measure end-to-end latency across diverse network paths.

Additionally, CloudFront uses DNS to return multiple possible edge IP addresses and can direct clients to different edge locations based on resolver behavior and network conditions. For a realistic test, each client should make an independent DNS request and distribute traffic across the returned IP addresses, rather than pinning all load to a single IP. Spreading requests across the returned set avoids biasing the test to one edge path and better represents how real browsers and applications resolve and connect to CloudFront.

Options A and B fail to model global viewer behavior because they test from only one region. Option C introduces an unrealistic constraint by forcing identical DNS resolution and concentrating load on a single IP address, which can distort latency and throughput results. Option D best matches CloudOps guidance for performance validation of CDN workloads: multi-region testing with realistic DNS resolution and traffic distribution.

The AWS Cloud Operations and Infrastructure-as-Code documentation specifies that when using AWS CloudFormation, resources are created in parallel by default unless explicitly ordered using DependsOn.

If a custom resource (Lambda) depends on another resource (like an EC2 instance) to exist before execution, a DependsOn attribute must be added to enforce creation order. This ensures the EC2 instance is launched and available before the custom resource executes its automation logic.

Updating the service token (Option B) doesn’t affect order of execution. The cfn-response module (Option C) handles callback communication but not sequencing. Fn::If (Option D) is for conditional creation, not dependency control.

Therefore, Option A is correct — adding a DependsOn attribute guarantees that CloudFormation provisions the EC2 instance before executing the Lambda custom resource.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Doocuments:

EC2 Instance Connect Endpoint (EIC Endpoint) enables SSH to instances in private subnets without public IPs and without needing to traverse the public internet. CloudOps guidance explains that you deploy the endpoint in the same VPC/subnet as the targets, then allow inbound SSH on the instance security group from the endpoint’s security group. Access is governed by IAM—administrators must have Instance Connect permissions; while the example uses a broad policy, the key mechanism is EIC in the private subnet plus SG rules scoped to the endpoint. Systems Manager Session Manager can provide shell access without SSH, but the requirement explicitly states “connect through SSH,” making EIC the purpose-built solution. Options B and D misuse Systems Manager for SSH and propose unnecessary SG changes or incorrect endpoint placement; Option C places the endpoint in a public subnet, which is not required for private SSH access. Therefore, creating an EC2 Instance Connect endpoint in the private subnet and updating SGs accordingly meets the requirement while keeping the instance non-internet-exposed.

The CloudWatch agent supports modular configuration using the append-config option, which allows additional log sources to be added without overwriting the existing baseline configuration. This makes it ideal for incremental log collection changes across large fleets.

By creating a separate configuration file specifically for DHCP logs and using Systems Manager Run Command, the CloudOps engineer can remotely update only the relevant instances in a scalable and automated manner. This approach avoids manual login and preserves the existing baseline configuration.

Options B and C require manual intervention on each instance, which is not scalable or operationally efficient. Option D captures additional logs indiscriminately and does not specifically target DHCP logs, potentially increasing noise and cost.

Therefore, Option A is the most efficient and AWS-recommended approach.