This chapter covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domains:
Domain 1: Monitoring, Logging, and Remediation
Domain 4: Security and Compliance
(For more information on the official AWS Certified SysOps Administrator – Associate [SOA-C02] exam topics, see the Introduction.)
As a general rule, you should expect the services, instances, and objects you deploy to AWS to “just work.” Of course, you need to take this rule with a grain of salt because back-end issues might impair services in an availability zone and, with them, the application’s functionality. However, if there is an impairment on the AWS side, you can examine the API response to determine whether the issue is at your end or at the provider’s end.
In this chapter, we discuss the three aspects of troubleshooting and remediation and introduce AWS services that can help you detect and remediate issues.
ExamAlert
Remember that proper troubleshooting and remediation can be done only if you have already set up your monitoring and log collection in advance. The tools and services discussed in this section rely heavily on the services discussed in Chapter 2, “Monitoring Services in AWS.” For this reason, the exam usually ties troubleshooting, monitoring, and remediation into one question, so services from both this and the preceding chapter could be included in a specific question in the exam.
This section covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domains:
Domain 1: Monitoring, Logging, and Remediation
Domain 4: Security and Compliance
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. You have issued a request to download an object on an S3 bucket. Your request receives a 403 HTTP response. What could be the cause of the bad response?
2. True or False: You need to enable the EC2 instance health monitoring first before you can create a CloudWatch Alarm based on the state of the instance check.
Answers
1. Answer: There is an issue in the user, group, role, or bucket policy. All policies in AWS combine with equal weight, and a denial to a resource in one policy has a global effect on the request.
2. Answer: False. EC2 instances have the automatic health check configured; health monitoring can be used directly in CloudWatch Alarms to trigger an alert based on the health check.
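The policy behavior behind answer 1 can be traced with a small evaluator. This is an added example, not code from the book or from AWS: it is a simplified model that looks only at Effect, Action, and Resource, and the bucket name and policy contents are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies attached to one request path (same account).
POLICIES = {
    "user": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "bucket": {"Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/private/*"}]},
}

def _matches(patterns, value, fold=False):
    """True if value matches any pattern ('*' and '?' wildcards)."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold:  # action names are compared case-insensitively
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return (http_status, reason) for a request under all policies.

    Simplified: ignores Principal, Condition, permission boundaries,
    SCPs and cross-account rules.
    """
    allowed_by = None
    for name, policy in policies.items():
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, fold=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                # One explicit Deny anywhere overrides every Allow.
                return 403, f"explicit Deny in {name} policy"
            allowed_by = allowed_by or name
    if allowed_by:
        return 200, f"allowed by {allowed_by} policy"
    # Nothing matched with Allow: the default is an implicit deny.
    return 403, "implicit deny: no policy allows the request"

if __name__ == "__main__":
    for act, key in [("s3:GetObject", "public/a.txt"),
                     ("s3:GetObject", "private/a.txt"),
                     ("s3:PutObject", "public/a.txt")]:
        arn = "arn:aws:s3:::example-bucket/" + key
        print(act, key, evaluate(POLICIES, act, arn))
```

When troubleshooting a real 403, the same two questions apply: is there a matching Deny in any attached policy, and if not, does any policy actually allow the action on that resource.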
In any IT environment, alarms can be triggered by specific issues, breaches of certain monitoring metric thresholds, or detection of changes in a specific defined log stream. Generally, in AWS these issues take three different forms:
Infrastructure issues
Application issues
Security issues