AWS EC2 & Auto Scaling – Bare Essentials for DVA-C02 Quiz

Study only the topics below. They cover almost everything needed to answer the quiz correctly. fileciteturn0file0


1. EC2 IAM Roles (Instance Profiles)

What it is

An IAM Role attached to an EC2 instance so applications can securely access AWS services.

Remember

Exam Tip

✅ EC2 → IAM Role → Temporary Credentials

❌ Hardcoded Access Keys


2. Cross-Account Access

Best Practice

Application in Account A accessing resources in Account B:

  1. Create IAM Role in Account B.
  2. Trust Policy allows Account A role.
  3. Application calls
STS AssumeRole
  1. Receives temporary credentials.

Never share IAM users or root credentials.


3. HTTPS-only S3 Access

Bucket Policy can force HTTPS.

Use

aws:SecureTransport = false

inside a Deny statement.

This blocks HTTP access.

Remember

Bucket Policy

Deny if SecureTransport = false

HTTPS only


4. DynamoDB Optimistic Locking

Prevents two EC2 instances from overwriting each other's updates.

Uses

If version changed

Write fails

Retry


5. Secrets Manager

Never store:

inside

Store in

AWS Secrets Manager

Benefits


6. IAM Policy Evaluation

Important Exam Trick

If CLI uses

aws configure

then it uses the IAM user's credentials.

The EC2 Role is ignored.

Example

Role:

Deny S3

User:

Allow S3

CLI configured with user keys

→ User permissions apply.


7. IAM Policy Simulator

Before deployment test permissions using

simulate-principal-policy

No real API call is made.


8. CloudWatch Custom Metrics

EC2 application metrics like

are NOT collected automatically.

Publish using

PutMetricData

Then


9. PutMetricData Permission

EC2 Role must allow

cloudwatch:PutMetricData

Without it

Metric never appears.


10. CloudWatch Alarm Flow

Typical architecture

EC2 Metric

↓

CloudWatch Alarm

↓

SNS

↓

Lambda

↓

Slack / Teams / Email

Very common exam question.


11. AWS X-Ray on EC2

Need TWO things

1. X-Ray SDK

inside application

2. X-Ray Daemon

running on EC2

The SDK sends traces to

UDP Port 2000

Daemon forwards them to X-Ray.

Also IAM Role needs

xray:PutTraceSegments

xray:PutTelemetryRecords

12. EC2 Security Groups

Security Groups are

Everything else is denied.

Example

Allow

Everything else

Automatically blocked


13. EC2 UserData + CloudFormation

Need CloudFormation to wait until bootstrapping finishes.

Use

WaitCondition

+

WaitConditionHandle

+

cfn-signal

CloudFormation waits.

Without signal

Stack rollback.


14. CodeDeploy Lifecycle

Correct order

ApplicationStop

↓

DownloadBundle

↓

BeforeInstall

↓

Install

↓

AfterInstall

↓

ApplicationStart

↓

ValidateService

Memorize exactly.


15. appspec.yml Location

Must be at

Root of ZIP/TAR bundle

Not inside folders.


16. appspec.yml Permissions

Can set

using

permissions:

inside

appspec.yml

No shell script required.


17. Auto Scaling Basics

Auto Scaling Group (ASG)

Automatically

Main settings


18. CodeDeploy with Auto Scaling

Want only 25% updated at once.

Use

MinimumHealthyHosts = 75%

Meaning

75% stay healthy

25% updated

Safer deployment


19. ECS Launch Types

ECS EC2

You manage

Good for predictable workloads.


ECS Fargate

AWS manages everything.

No EC2.

Serverless containers.

Perfect for


20. SQS Long Polling

Without

WaitTimeSeconds

ReceiveMessage immediately returns.

Many empty polls.

Higher cost.

Enable

WaitTimeSeconds

1–20 seconds

Fewer API calls.

Lower cost.


21. CloudFormation Secure Parameters

Sensitive values

Never

Use

SSM Parameter Store

SecureString

+

ssm-secure dynamic reference

CloudFormation retrieves securely.


22. EC2 Metadata Service (IMDS)

SDK and CLI obtain temporary credentials from

Instance Metadata Service

No access keys required.

Remember

EC2

↓

IAM Role

↓

IMDS

↓

Temporary Credentials

↓

AWS SDK

23. Security Best Practices

Always

✅ IAM Roles

✅ Secrets Manager

✅ HTTPS

✅ Temporary Credentials

✅ KMS Encryption

Never

❌ Hardcoded Passwords

❌ Access Keys

❌ Root Credentials

❌ Plaintext Secrets


24. High-Probability Exam Memory Sheet

If you see... Answer
EC2 credentials IAM Role (Instance Profile)
Cross-account AssumeRole
DB password Secrets Manager
Force HTTPS to S3 Bucket Policy + aws:SecureTransport
Prevent DynamoDB overwrite Optimistic Locking
Custom Metric PutMetricData
Metric missing cloudwatch:PutMetricData permission
X-Ray EC2 SDK + Daemon + IAM permission
Secure EC2 firewall Security Group
CloudFormation wait WaitCondition + cfn-signal
CodeDeploy order ApplicationStop → Install → ValidateService
appspec.yml Root of bundle
appspec permissions permissions section
25% deployment MinimumHealthyHosts = 75%
Bursty containers ECS Fargate
Long polling WaitTimeSeconds
Secure CloudFormation secret SSM SecureString
Auto credentials IMDS

Final 30-Second Revision