AWS DevOps Engineer - Professional

To migrate a content sharing web application to a serverless architecture using Amazon API Gateway and AWS Lambda, and to retain the ability to test new features on a small number of users before rolling the features out to the entire user base, the best strategy is to use AWS CloudFormation to deploy API Gateway and Lambda functions with Lambda function versions. When code needs to be changed, updating the CloudFormation stack with the new Lambda code and using a canary release strategy allows for promoting the new version once testing is complete, which satisfies the requirements for controlled feature rollouts and minimizes disruption.

To address latency issues for users on a different continent, the best approach involves multiple actions. First, creating new ALB and Auto Scaling group resources in the new Region allows the application to serve traffic locally, reducing latency by geographically distributing the load (C). Additionally, setting up Amazon Route 53 with health checks and latency-based routing policies ensures that traffic is directed to the ALB with the least latency, which improves response times for users (D). Lastly, converting the DynamoDB table to a global table enables replication across multiple regions, providing low-latency access to database records for users in both regions and ensuring high availability (F). These combined actions will minimize application response times and improve availability for users in both regions.

When using a custom resource in AWS CloudFormation, the Lambda function must respond to a pre-signed URL provided in the event it receives from CloudFormation. This URL is used by CloudFormation to get the status of the custom resource creation. If the Lambda function does not send a response to this URL, CloudFormation will not know that the resource creation has finished, resulting in the stack remaining in the CREATE_IN_PROGRESS state.

To use AWS Systems Manager Session Manager securely over a private network, two actions are critical. First, attaching an IAM policy with the necessary Systems Manager permissions to the existing IAM instance profile is essential because it grants the EC2 instances permissions to utilize Systems Manager. Second, creating a VPC endpoint for Systems Manager in the desired Region ensures that communication between the instances and Systems Manager occurs over the private network, without traversing the internet. This setup provides enhanced security for access to Session Manager within a private network.

To standardize patching across Amazon EC2 and on-premises configurations while adhering to the company's policy of patching only during non-business hours, a combination of the following actions is required: Adding the physical machines into AWS Systems Manager using Systems Manager Hybrid Activations is essential to manage the on-premises machines (A). Attaching an IAM role to the EC2 instances will allow those instances to be managed by AWS Systems Manager, providing the necessary permissions (B). Finally, using AWS Systems Manager Maintenance Windows is crucial for scheduling the patch window during non-business hours (F). These steps ensure that both environments are consistently and securely patched according to the specified schedule.