ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 348 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 348
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company has used infrastructure as code (IaC) to provision a set of two Amazon EC2 instances. The instances have remained the same for several years.

The company's business has grown rapidly in the past few months. In response, the company’s operations team has implemented an Auto Scaling group to manage the sudden increases in traffic. Company policy requires a monthly installation of security updates on all operating systems that are running.

The most recent security update required a reboot. As a result, the Auto Scaling group terminated the instances and replaced them with new, unpatched instances.

Which combination of steps should a solutions architect recommend to avoid a recurrence of this issue? (Choose two.)

  • A. Modify the Auto Scaling group by setting the Update policy to target the oldest launch configuration for replacement.
  • B. Create a new Auto Scaling group before the next patch maintenance. During the maintenance window, patch both groups and reboot the instances.
  • C. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure monitoring to ensure that target group health checks return healthy after the Auto Scaling group replaces the terminated instances.
  • D. Create automation scripts to patch an AMI, update the launch configuration, and invoke an Auto Scaling instance refresh.
  • E. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure termination protection on the instances.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️
by cypkir at Nov. 22, 2023, 7:24 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
LazyAutonomy
Highly Voted 1 year, 2 months ago
Selected Answer: AD
Terrible, terrible question. All answers are technically wrong. But the answer they want is A & D. C & E - There is nothing in the question to suggest any requirement that warrants the introduction of a load balancer of any kind. Is there any inbound traffic? Maybe, maybe not. Even if the traffic is inbound, what if they've implemented DNS-round-robin "load balancing" directly to the EC2 public/private IPs (ie no need for ELB)? There's also nothing to suggest that the "traffic" is consistently the same 24x7, which means they may want the ASG to periodically scale-in and scale-out instances dynamically e.g. in response to EC2 CPU usage. Enabling termination protection will also prevent the ASG from replacing genuinely unhealthy instances, defeating the purpose of having an ASG in the first place. So that leaves us with A, B & D.
upvoted 14 times
LazyAutonomy
1 year, 2 months ago
But why is ASG terminates those instances? What's happening is that ansible/puppet/chef/whatever IaC processes are causing OS updates to be applied long after the default 300s health check grace period ends, which means new kernel, new glibc, etc packages are installed, requiring a reboot for the change to take effect. During these reboots, EC2 ASG thinks the instances are unhealthy (EC2 ping health checks will fail) and replaces them with new instances instantiated from an old unpatched AMI. If you still have lingering doubts about eliminating C and E, then consider the fact that deploying an ELB and turning on ELB health checks in the ASG wont make a difference. A rebooting instance will still get terminated by ASG because EC2 + ELB health checks will fail during the reboot. The instances will probably die faster. So the problem isn't the reboot. The problem is ASG killing rebooting servers and replacing them with unpatched servers.
upvoted 2 times
LazyAutonomy
1 year, 2 months ago
The simplest solution would be to just increase the health check grace period to something large, like 1 hour, and make sure IaC patches & reboots new instances within the grace period. That will buy you a month before the next senseless EC2 massacre. But nothing resembling that option is being offered here. The next simplest option is to protect individual EC2 instances from scale-in while they're being rebooted. But nothing resembling that option is being offered here either. So we're left with somehow updating the kernel/glibc/etc that's baked into the AMI itself, thus altogether avoiding the need for new instances to reboot in the first place (let's just ignore livepatch methods for the moment). Yes, we all know that launch configs can't technically be updated in place (and AMIs can't be "patched" either), but if we eliminate D for that reason then we're left A & B, neither of which mention new AMIs or launch configs at all.
upvoted 3 times
LazyAutonomy
1 year, 2 months ago
Can we eliminate B? Yes. I can safely assume the intention of B is to create a new ASG with the same old launch config + existing AMI. The behaviour of new ASG will match the old ASG. Any instance rebooted after the health check grace period ends will get terminated, even during a "maintenance window" (which is not a thing). Option A wants to modify the termination policy of the existing ASG to "Oldest launch configuration". That's unnecessary but harmless. The default termination policy will do this anyway, and AZ re-balancing always takes precedence even when using a non-default termination policy. https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-termination-policies.html "Amazon EC2 Auto Scaling always balances instances across Availability Zones first, regardless of which termination policy is used"
upvoted 3 times
LazyAutonomy
1 year, 2 months ago
So where does that leave us? A - does nothing meaningful at all, but at least it's harmless. B - working instances will all die on reboot during the "maintenance window" (all at the same time? lol) C - working instances will die faster when rebooted D - perfect, except it technically isn't possible to "update" launch configs or "patch" AMIs in place. Bummer. E - broken instances will never get replaced, defeating the purpose of ASGs. I think it's safe to conclude the author of this question was just really sloppy with how they worded option D. To avoid a re-occurrence of this issue, I am compelled by common sense to adopt a more relaxed interpretation of D. If I infer that the intent of D is New AMI + New launch config + Invoke ASG refresh, then I don't actually need to do anything else. D will be enough to prevent re-occurrence. But I have to pair it with a second option. So I'll pair it with A, which sounds good but actually does nothing and is harmless.
upvoted 4 times
LazyAutonomy
1 year, 2 months ago
Answer: A + D. Terrible, terrible, terrible question.
upvoted 3 times
...
...
...
...
...
...
yuliaqwerty
Highly Voted 1 year, 4 months ago
A and C. D is wrong launch config can't be updated https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html
upvoted 6 times
...
d401c0d
Most Recent 2 months, 2 weeks ago
Selected Answer: AD
How to implement: Access your Auto Scaling group: Navigate to your Auto Scaling group in the AWS console. Edit the update policy: Go to the "Update policy" section within your Auto Scaling group settings. Select "oldest" option: Choose the option that specifies to target the oldest launch configuration for replacement when scaling activities occur.
upvoted 1 times
...
deepakR20
3 months, 3 weeks ago
Selected Answer: AD
A and D
upvoted 1 times
...
AzureDP900
5 months, 1 week ago
A D for me. Here's why: A: Modifying the Auto Scaling group to target the oldest launch configuration for replacement ensures that the most recent instance replacements do not reuse unpatched images. This approach helps maintain the security of the newly patched instances. D: Creating automation scripts to patch an AMI, update the launch configuration, and invoke an Auto Scaling instance refresh enables a more streamlined process for updating instances with the latest security patches. Automation can help ensure consistency in the patching process, reducing the risk of human error.
upvoted 1 times
...
0b43291
5 months, 2 weeks ago
Selected Answer: CD
The recommended steps to avoid the issue are: D. Create automation scripts to patch AMI, update launch configuration, and invoke Auto Scaling instance refresh. C. Create ELB in front of Auto Scaling group. Configure monitoring for target group health checks after instance replacement. Explanation: D. Automation scripts ensure new instances launched by Auto Scaling group are patched and secure. C. ELB distributes traffic to healthy instances. Monitoring ensures new instances are ready before terminating old ones, maintaining availability during refresh.
upvoted 1 times
...
kgpoj
8 months, 2 weeks ago
Selected Answer: CD
D should get the job done. The rest are redundant. But C seems to be not hurting to do anyway
upvoted 1 times
...
053081f
9 months, 3 weeks ago
Selected Answer: AD
While options A and D are considered the most suitable (and safest) answers to the question's requirements, they may not completely solve the problem. For example, if there are 10 instances in an Auto Scaling group (No.1, No.2, No.3 ... No.10), and two of them are unpatched, the Oldest Launch setting would prioritize replacing the older unpatched instances. However, there's a possibility that only No.10 might be scaled in, leaving No.9 still unpatched and active in the group.
upvoted 1 times
...
seetpt
12 months ago
Selected Answer: CD
CD i think
upvoted 1 times
...
titi_r
1 year ago
Selected Answer: AC
A and C.
upvoted 1 times
...
Dgix
1 year, 1 month ago
Selected Answer: AD
Sometimes I really hate the AWS exam writers. This questions is on a level to which even they shouldn't plumb. All of the alternatives are wrong in some way. So you have to guess. Whoever wrote this should be fired. D, since it addresses the AMI (though "update" is not what you do with an AMI). And then A, for the reasons LazyAutonomy gives. But wow do I sometimes hate the exam writers. It's one thing to force us to focus on minute details; it's quite another to subject us to their own sloppiness.
upvoted 2 times
...
adelynllllllllll
1 year, 2 months ago
Answer: A, C https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-tutorial-update-patch-windows-ami-autoscaling.html
upvoted 1 times
...
career360guru
1 year, 3 months ago
Selected Answer: CD
Option C and D
upvoted 2 times
...
JMAN1
1 year, 3 months ago
Selected Answer: DE
A and C does not prevent EC2 to be terminated by security patch. B is very burdened(create new group each time?). D is poorly worded as it says 'update configuration'. But I will go with D E.
upvoted 1 times
JMAN1
1 year, 3 months ago
Sorry. E does not prevent terminating from patch.Let me go with C D.
upvoted 1 times
...
...
Atown
1 year, 3 months ago
Selected Answer: CD
CD Answer is worded a bit poorly but this is correct.
upvoted 3 times
...
awsamar
1 year, 4 months ago
Selected Answer: AC
D is out AC then
upvoted 2 times
...
awsamar
1 year, 4 months ago
Option D is out because it says to "update launch configuration" AWS Auto Scaling launch configurations cannot be updated directly. Once a launch configuration is created, it cannot be modified; instead, a new one must be created to reflect any changes
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago