Scenario Analysis:
The EC2 instance is inaccessible through RDP due to misconfigured Windows Firewall settings.
The boot volume is encrypted, which restricts direct modification without proper mounting and decryption tools.
The goal is to back up the instance and regain RDP connectivity.
Why Option D is Correct:
AWS provides EC2Rescue for Windows Server as a tool to resolve common connectivity and boot issues for Windows EC2 instances.
The process of detaching the boot volume and attaching it to another instance ensures that the misconfigured instance does not impede further configuration.
The working instance acts as a recovery environment where EC2Rescue can be run to modify the Windows Firewall settings and allow RDP access.
Steps to Resolve the Issue (Following Option D):
Step 1: Stop the instance. In the EC2 console, select the affected instance and stop it to ensure safe operations.
Step 2: Detach the boot volume. Navigate to the instance's storage section, identify the boot volume (usually /dev/sda1), and detach it.
Step 3: Attach the boot volume to a recovery instance.
Identify a working instance that has EC2Rescue installed.
Attach the detached boot volume to the recovery instance as a secondary volume.
Step 4: Run EC2Rescue to fix Windows Firewall settings.
Log in to the recovery instance and launch EC2Rescue.
Select the attached secondary volume and run diagnostics or select specific repairs (e.g., enabling RDP access in Windows Firewall settings).
Step 5: Detach the boot volume from the recovery instance. After applying the fix, safely detach the volume from the recovery instance.
Step 6: Reattach the boot volume to the original instance. Attach the volume back to the original instance as its boot volume.
Step 7: Start the instance and verify connectivity. Start the original instance and attempt to connect via RDP using the instance's public or private IP (depending on the network configuration).
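The same steps as AWS CLI calls, with the snapshot backup taken before the volume is detached. This is an added example, not part of the original explanation; the function names, the DRY_RUN switch and the device names xvdf and /dev/sda1 are assumptions, and the IDs are supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: Steps 1-3 and 5-7 above as AWS CLI calls.
# Assumptions: device names below; the recovery instance is in the same
# Availability Zone as the volume (EBS volumes only attach within one AZ).
# DRY_RUN=1 prints each call instead of executing it, to review the plan first.

RESCUE_DEVICE="${RESCUE_DEVICE:-xvdf}"    # secondary slot on the recovery instance
BOOT_DEVICE="${BOOT_DEVICE:-/dev/sda1}"   # root device name on the original instance

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-3, plus a snapshot so the fix can be rolled back.
# usage: move_to_recovery <instance-id> <boot-volume-id> <recovery-instance-id>
move_to_recovery() {
  inst=$1; vol=$2; rescue=$3
  run aws ec2 stop-instances --instance-ids "$inst" &&
  run aws ec2 wait instance-stopped --instance-ids "$inst" &&
  run aws ec2 create-snapshot --volume-id "$vol" \
      --description "Backup of $inst before EC2Rescue" &&
  run aws ec2 wait snapshot-completed --owner-ids self \
      --filters "Name=volume-id,Values=$vol" &&
  run aws ec2 detach-volume --volume-id "$vol" &&
  run aws ec2 wait volume-available --volume-ids "$vol" &&
  run aws ec2 attach-volume --volume-id "$vol" --instance-id "$rescue" \
      --device "$RESCUE_DEVICE" &&
  run aws ec2 wait volume-in-use --volume-ids "$vol"
}

# Step 4 is done interactively with EC2Rescue on the recovery instance.

# Steps 5-7: the volume must return under the original root device name,
# otherwise the instance has no boot volume and will not start.
# usage: return_to_original <instance-id> <boot-volume-id>
return_to_original() {
  inst=$1; vol=$2
  run aws ec2 detach-volume --volume-id "$vol" &&
  run aws ec2 wait volume-available --volume-ids "$vol" &&
  run aws ec2 attach-volume --volume-id "$vol" --instance-id "$inst" \
      --device "$BOOT_DEVICE" &&
  run aws ec2 wait volume-in-use --volume-ids "$vol" &&
  run aws ec2 start-instances --instance-ids "$inst" &&
  run aws ec2 wait instance-running --instance-ids "$inst"
}
```
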
AWS References and Best Practices:
EC2Rescue for Windows Server: Official documentation: EC2Rescue
Encrypted EBS Volumes: Ensure the proper use of the same AWS KMS key when attaching encrypted volumes to other instances. Reference: EBS Encryption
Backup Before Modifications: AWS recommends creating snapshots of EBS volumes before making changes. Reference: Creating EBS Snapshots
Why Other Options Are Incorrect:
Option A: AWS does not support disabling encryption for EBS volumes directly. Additionally, creating a new key pair does not address the firewall misconfiguration.
Option B: Amazon Inspector does not provide tools for modifying Windows Firewall settings. It is primarily used for vulnerability assessments.
Option C: Disabling encryption is not supported, and Amazon Inspector cannot fix firewall issues.