ExamGecko

Amazon ANS-C00 Practice Test - Questions Answers, Page 12

You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.

A. EBS volume
B. EC2 instance
C. S3 bucket
D. Kinesis stream
Suggested answer: C

Explanation:

You can use the AWS CLI to turn on AWS Config with a single command: aws configservice subscribe --s3-bucket <bucket> --sns-topic <topic-arn> --iam-role <role-arn>.

The parameters are --s3-bucket, the S3 bucket to which AWS Config delivers configuration snapshots and history; --sns-topic, the SNS topic to which AWS Config sends notifications; and --iam-role, an IAM role that AWS Config assumes to read the resources it records and to write to the bucket and topic. The subscribe command is a CLI convenience that creates a configuration recorder and a delivery channel, both named default; the same setup can be done step by step with put-configuration-recorder, put-delivery-channel and start-configuration-recorder. Two things are commonly missed: the role's trust policy must allow config.amazonaws.com to assume it, and the bucket needs a bucket policy that grants the AWS Config service principal s3:PutObject (and s3:GetBucketAcl) on it, otherwise delivery silently fails.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html

You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

A. You configured the rule number to be too low.
B. A NACL can't protect against a DDoS.
C. The DDoS isn't a TCP attack.
D. You need to add a deny rule outbound also since NACLs are stateful.
Suggested answer: C

Explanation:

The deny rule is working exactly as written; the attack simply isn't TCP (this time). A DDoS can use any protocol, and UDP floods (DNS and NTP reflection, for example) and ICMP floods are common, so a rule that denies only TCP leaves them untouched. The other options rest on false premises: NACLs are stateless, so there is no connection tracking that would require a matching outbound deny before inbound traffic is blocked (D), and rules are evaluated in ascending rule-number order with the first match winning, so a low rule number raises priority rather than lowering it (A). A NACL can drop unwanted protocols at the subnet boundary, so B is too absolute, but it only acts on packets that have already reached your VPC and does nothing about the bandwidth a volumetric attack consumes upstream.
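The three NACL properties the explanation relies on (protocol matching, ascending rule-number evaluation with first match winning, and statelessness) are easy to see in a small model. The following is an added example written for this page, not AWS code; the rules and packets are constructed, and the model ignores ICMP type/code and IPv6.

```python
"""Model of how a VPC network ACL evaluates traffic (added illustration, not AWS code).

A NACL is stateless: the inbound and outbound rule sets are evaluated
independently, rules are checked in ascending rule-number order, the first
match decides, and the implicit final '*' rule denies everything else.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

PROTO_TCP, PROTO_UDP, PROTO_ICMP, PROTO_ALL = "6", "17", "1", "-1"


@dataclass(frozen=True)
class Rule:
    number: int          # lower number = evaluated first
    protocol: str        # "6", "17", "1" or "-1" (all protocols)
    cidr: str            # source (inbound rules) or destination (outbound rules)
    action: str          # "allow" or "deny"
    port_from: int = 0   # destination port range for the direction being evaluated
    port_to: int = 65535


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str       # peer address: source for inbound, destination for outbound
    port: int            # destination port of the packet


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return 'allow' or 'deny' for one direction of a NACL."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (PROTO_ALL, pkt.protocol):
            continue
        if ip_address(pkt.remote_ip) not in ip_network(rule.cidr):
            continue
        if rule.protocol != PROTO_ICMP and not (rule.port_from <= pkt.port <= rule.port_to):
            continue
        return rule.action   # first match wins
    return "deny"            # the implicit final '*' rule


# Inbound rule set from the question: a 'deny all TCP' rule added in front of
# an allow-everything rule.
INBOUND = [
    Rule(90, PROTO_TCP, "0.0.0.0/0", "deny"),
    Rule(100, PROTO_ALL, "0.0.0.0/0", "allow"),
]


def flood_results() -> dict:
    """Constructed attack traffic: a TCP SYN flood and a UDP reflection flood."""
    syn = Packet(PROTO_TCP, "198.51.100.7", 443)
    udp = Packet(PROTO_UDP, "198.51.100.7", 53)
    return {"tcp": evaluate(INBOUND, syn), "udp": evaluate(INBOUND, udp)}


def rule_order_matters() -> dict:
    """Same two rules, but with the deny numbered above the allow: the allow now wins."""
    inverted = [Rule(110, PROTO_TCP, "0.0.0.0/0", "deny"),
                Rule(100, PROTO_ALL, "0.0.0.0/0", "allow")]
    probe = Packet(PROTO_TCP, "203.0.113.9", 80)
    return {"deny_first": evaluate(INBOUND, probe), "allow_first": evaluate(inverted, probe)}


def stateless_return_path() -> dict:
    """Statelessness: allowing an inbound request does not let its reply leave."""
    inbound = [Rule(100, PROTO_TCP, "0.0.0.0/0", "allow", 443, 443)]
    outbound_no_ephemeral = [Rule(100, PROTO_TCP, "0.0.0.0/0", "allow", 443, 443)]
    outbound_with_ephemeral = outbound_no_ephemeral + [
        Rule(110, PROTO_TCP, "0.0.0.0/0", "allow", 1024, 65535)]
    request = Packet(PROTO_TCP, "203.0.113.9", 443)    # client -> instance:443
    reply = Packet(PROTO_TCP, "203.0.113.9", 51515)    # instance -> client's ephemeral port
    return {"request_in": evaluate(inbound, request),
            "reply_out_without_ephemeral_rule": evaluate(outbound_no_ephemeral, reply),
            "reply_out_with_ephemeral_rule": evaluate(outbound_with_ephemeral, reply)}
```

flood_results() shows the UDP flood passing the 'deny all TCP' rule; stateless_return_path() shows why a NACL needs an explicit outbound rule for ephemeral ports, which is the stateless behaviour option D gets backwards.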

Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If your connection becomes unavailable, the communication with AWS cloud is lost. What is the best method to prevent this from happening?

A. AWS Direct Connect neither provides BGP nor provides the failover.
B. AWS Direct Connect recommends to have the same configuration set up in a multi AZ zone to prevent such loss in connections.
C. AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection.
D. AWS Direct connect does not have a provision to prevent the situation but when you design the system, it is recommended to request a back-up instance to which the traffic can be re-routed.
Suggested answer: C

Explanation:

To provide for failover, AWS recommends that you request and configure two dedicated connections to AWS. When you provision two connections you can run them Active/Active (BGP multipath: both links carry traffic and share the load) or Active/Passive (the second link is a failover path, for example by AS_PATH prepending the advertisements on the backup so it is only used when the primary BGP session drops). For real resilience the two connections should terminate on different Direct Connect devices, ideally at different Direct Connect locations, and a Site-to-Site VPN over the internet is a cheaper last-resort backup.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantConnections

A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:

The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC. Why is the solution failing to meet the compliance requirement?

A. The security group cannot filter outbound traffic to the Amazon DNS servers.
B. The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
C. The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
D. The security group cannot filter outbound traffic to destinations within the same VPC.
Suggested answer: A

Explanation:

Security groups cannot block DNS requests to or from the Route 53 Resolver (the Amazon-provided DNS at the VPC network address plus two, the "VPC+2" address, and 169.254.169.253), in the same way that they cannot block traffic to the instance metadata service, the DHCP server or the Amazon Time Sync Service. An outbound rule set that only allows port 53 to the on-premises resolvers therefore has no effect on queries the instances send to the Amazon DNS server, which is why they still resolve. Options B and D are wrong on the basics: security groups are stateful, so inbound rules play no role in outbound requests, and they do filter traffic to destinations inside the same VPC. To enforce the requirement, use Route 53 Resolver DNS Firewall to control what the VPC's resolver will answer, or point the VPC's DHCP options set at the on-premises DNS servers and block other resolvers with a network ACL (which, unlike a security group, does honour a deny for port 53 to arbitrary addresses but still does not filter the Amazon DNS server itself).

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html

You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)

A. Create two subnets in the same AZ and create a placement group.
B. Set the MTU of your instances to 1500.
C. Create two subnets in different AZs and create a placement group.
D. Ensure you choose instances that use enhanced networking.
Suggested answer: A, D

Explanation:

A cluster placement group is confined to a single Availability Zone (it can span peered VPCs in the same Region), and its low-latency, high-throughput benefit depends on instance types that support enhanced networking, so A and D are the two steps that help. Lowering the MTU to 1500 would hurt rather than help: jumbo frames (9001 MTU) are supported inside a VPC and across an intra-Region VPC peering connection, and the 1500-byte limit only applies when traffic leaves the Region or crosses an internet gateway or inter-Region peering.

You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

A. describe-compliance-by-resource
B. describe-compliance-by-config-rule
C. get-compliance-details-by-config-rule
D. get-compliance-details-by-resource
Suggested answer: C

Explanation:

You can use the get-compliance-details-by-config-rule command of the AWS Config CLI (aws configservice get-compliance-details-by-config-rule --config-rule-name <rule>) to see the compliance state of each resource that AWS Config evaluates for a specific rule. The describe-compliance-by-* commands only return whether a rule or resource is compliant as a whole; the get-compliance-details-by-* commands return the per-evaluation results, and the output is paginated with a NextToken.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html
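A practitioner usually wants that command's output turned into a pass/fail signal. The following is an added example, not AWS code: the two result pages are constructed to mirror the JSON shape of get-compliance-details-by-config-rule (EvaluationResults plus an optional NextToken); feed the real command's output into summarize() in the same way.

```python
"""Summarise get-compliance-details-by-config-rule output (added example, not AWS code)."""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed pages in the shape the CLI returns; the NextToken is a placeholder.
PAGE_1 = json.loads("""{
  "EvaluationResults": [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "restricted-ssh", "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceId": "sg-0a1b2c3d4e5f60001"}, "OrderingTimestamp": "2024-03-01T10:00:00+00:00"},
     "ComplianceType": "NON_COMPLIANT", "Annotation": "Port 22 open to 0.0.0.0/0"},
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "restricted-ssh", "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceId": "sg-0a1b2c3d4e5f60002"}, "OrderingTimestamp": "2024-03-01T10:00:00+00:00"},
     "ComplianceType": "COMPLIANT"}
  ],
  "NextToken": "opaque-token-constructed-for-the-example"
}""")
PAGE_2 = json.loads("""{
  "EvaluationResults": [
    {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
        "ConfigRuleName": "restricted-ssh", "ResourceType": "AWS::EC2::SecurityGroup",
        "ResourceId": "sg-0a1b2c3d4e5f60003"}, "OrderingTimestamp": "2024-03-01T10:00:00+00:00"},
     "ComplianceType": "NON_COMPLIANT", "Annotation": "Port 22 open to 0.0.0.0/0"}
  ]
}""")


def evaluations(pages: Iterable[dict]) -> Iterable[dict]:
    """Flatten every page; a caller paging the real API keeps going while NextToken is present."""
    for page in pages:
        yield from page.get("EvaluationResults", [])


def summarize(pages: Iterable[dict]) -> Dict[str, object]:
    """Count results by ComplianceType and list the non-compliant resources with their annotation."""
    counts: Counter = Counter()
    offenders: List[str] = []
    for ev in evaluations(pages):
        qualifier = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        counts[ev["ComplianceType"]] += 1
        if ev["ComplianceType"] == "NON_COMPLIANT":
            offenders.append(f'{qualifier["ResourceType"]}/{qualifier["ResourceId"]}: '
                             f'{ev.get("Annotation", "")}')
    return {"counts": dict(counts), "non_compliant": offenders}


def exit_code(summary: Dict[str, object]) -> int:
    """Non-zero when anything is NON_COMPLIANT, so the check can gate a pipeline."""
    return 1 if summary["non_compliant"] else 0


if __name__ == "__main__":
    report = summarize([PAGE_1, PAGE_2])
    print(json.dumps(report, indent=2))
    raise SystemExit(exit_code(report))
```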

A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection, which includes a private virtual interface (VIF), and a VPN connection to the on-premises data center.

For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?

A. Direct Connect BGP routes, static routes, longest prefix match, VPN BGP routes.
B. Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes.
C. Longest prefix match, static routes, Direct Connect BGP routes, VPN BGP routes.
D. Longest prefix match, VPN BGP routes, static routes, Direct Connect BGP routes.
Suggested answer: C

Explanation:

Route selection always starts with the most specific prefix. Only when prefixes are equal does the origin of the route matter: static routes take priority over propagated routes, and among routes propagated to the virtual private gateway those learned over the Direct Connect private VIF are preferred to those learned over the VPN, which is what makes the VPN the backup path in this design. When both routes are BGP routes with the same prefix and origin, the shorter AS_PATH is preferred, then the lower MED.
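The ordering in the answer is easiest to check against a concrete table. The following is an added example written for this page, not AWS code: a simplified model of the selection order with a constructed route table. In a real VPC both the Direct Connect and VPN paths show up as one route to the same virtual private gateway and the choice between them is made inside that gateway; the model labels the two paths separately so the winner is visible. The AS_PATH and MED tie-breakers go one step beyond the four categories the question lists.

```python
"""Simplified model of VPC route selection (added example, not AWS code).

Order modelled: 1. longest prefix match, 2. static over propagated (BGP),
3. Direct Connect BGP over VPN BGP, 4. shorter AS_PATH, then lower MED.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ORIGIN_RANK = {"local": 0, "static": 1, "dx_bgp": 2, "vpn_bgp": 3}


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                    # where the model says the packet goes (constructed labels)
    origin: str                 # key of ORIGIN_RANK
    as_path_len: int = 0        # only meaningful for *_bgp routes
    med: int = 0


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the winning route for dst, or None when nothing matches."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    # most specific first, then origin preference, then the BGP tie-breakers
    return min(candidates, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                         ORIGIN_RANK[r.origin], r.as_path_len, r.med))


# Constructed table for the scenario in the question: 10.0.0.0/16 is learned over
# both the Direct Connect private VIF and the VPN; the VPN alone advertises a
# more specific /24; a peering connection has a static route for another /24.
TABLE = [
    Route("172.31.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-0123abcd", "static"),
    Route("10.0.0.0/16", "vgw-dx", "dx_bgp", as_path_len=1),
    Route("10.0.0.0/16", "vgw-vpn", "vpn_bgp", as_path_len=1),
    Route("10.0.5.0/24", "vgw-vpn", "vpn_bgp", as_path_len=3),
    Route("10.0.7.0/24", "pcx-0abc1234", "static"),
    Route("10.0.7.0/24", "vgw-dx", "dx_bgp", as_path_len=1),
    Route("10.0.9.0/24", "vgw-dx", "dx_bgp", as_path_len=2),
    Route("10.0.9.0/24", "vgw-dx-backup", "dx_bgp", as_path_len=1),
]


def next_hop(dst: str) -> str:
    route = select_route(TABLE, dst)
    return route.via if route else "no-route"


# next_hop("10.0.1.1") -> "vgw-dx"         equal prefix: DX BGP beats VPN BGP
# next_hop("10.0.5.7") -> "vgw-vpn"        longest prefix wins before origin is looked at
# next_hop("10.0.7.1") -> "pcx-0abc1234"   equal prefix: static beats DX BGP
# next_hop("10.0.9.3") -> "vgw-dx-backup"  equal prefix and origin: shorter AS_PATH wins
```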

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price. Which of the following connectivity options should you choose?

A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.
Suggested answer: C

Explanation:

VPC peering is not transitive and does not support edge-to-edge routing: traffic that enters your VPC over Direct Connect cannot be forwarded across a peering connection into the partner's VPC, so option D does not work. A Direct Connect connection can carry several virtual interfaces, so the cheapest option with the least latency is to create an additional private virtual interface on the existing connection: a hosted private VIF created for the partner's AWS account ID, which the partner accepts and attaches to the virtual private gateway (or Direct Connect gateway) of their VPC. Ordering a second connection or circuit (A, B) adds cost and provisioning time for no benefit.

In the context of Amazon CloudFront Actions, you use the _____ when specifying APIs in IAM policies.

A. object names
B. class names
C. entity names
D. action names
Suggested answer: D

Explanation:

In an AWS IAM policy, you can specify any and all API actions that Amazon CloudFront offers. The action name must be prefixed with the lowercase string cloudfront, for example cloudfront:GetDistributionConfig, cloudfront:ListInvalidations, or cloudfront:* for all CloudFront actions.

In the reference link, there are tables that list the canonical names for all CloudFront actions. Use these canonical names when specifying APIs in IAM policies.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/UsingWithIAM.html
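An added least-privilege example of such a policy (not from the original page; the account ID 123456789012 and distribution ID EDFDVBD6EXAMPLE are placeholders). Read and invalidation rights are scoped to one distribution ARN, and only the list calls, which are not resource-scoped, are granted on all resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAndInvalidateOneDistribution",
      "Effect": "Allow",
      "Action": [
        "cloudfront:GetDistribution",
        "cloudfront:GetDistributionConfig",
        "cloudfront:CreateInvalidation"
      ],
      "Resource": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
    },
    {
      "Sid": "ListOnly",
      "Effect": "Allow",
      "Action": [
        "cloudfront:ListDistributions",
        "cloudfront:ListInvalidations"
      ],
      "Resource": "*"
    }
  ]
}
```

Note that CloudFront is a global service, so its ARNs carry no Region field (the empty segment between the two colons). Avoid cloudfront:* in anything but a break-glass role: it includes UpdateDistribution, which lets the holder change origins and certificate settings for every distribution in the account.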

What port and protocol is used by DNS?

A. 80/TCP
B. 22/TCP
C. 80/TCP and UDP
D. 53/TCP and UDP
Suggested answer: D

Explanation:

DNS uses port 53 over both UDP and TCP. Ordinary queries and responses travel over UDP; TCP is used for zone transfers (AXFR/IXFR) and whenever a response does not fit in a UDP datagram, in which case the server sets the TC (truncated) flag and the client retries the same query over TCP, where each message is prefixed with a two-byte length. Any firewall rule for DNS therefore has to allow both transports on port 53; opening only UDP causes hard-to-diagnose failures for large responses such as DNSSEC-signed answers. (Encrypted DNS uses other ports: DNS over TLS on 853 and DNS over HTTPS on 443.)
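The UDP-then-TCP behaviour is simple to see on the wire. The following is an added example written for this page, not code from the original: it builds a DNS query, parses the header of a constructed reply, and decides from the TC flag whether to retry over TCP with the two-byte length framing. Nothing is sent on the network.

```python
"""DNS on the wire: UDP first, fall back to TCP when truncated (added example).

Both transports use port 53; TCP prefixes each message with a 2-byte length.
The reply bytes are constructed by hand for the example.
"""
import struct


def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query with the RD flag set; qtype 1 = A, 28 = AAAA, 252 = AXFR."""
    flags = 0x0100                                   # RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields a client needs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def frame_for_tcp(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: on TCP every message carries a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def choose_transport(udp_response: bytes, expected_id: int) -> str:
    """Decide whether the UDP answer is usable or the query must be retried over TCP."""
    h = parse_header(udp_response)
    if not h["qr"] or h["id"] != expected_id:
        return "discard"          # not a reply to our query (or a spoofing attempt)
    if h["tc"]:
        return "retry-over-tcp"   # the answer did not fit in the UDP datagram
    return "udp-ok"


# Constructed replies that echo the query's id and question section.
QUERY = build_query(0xBEEF, "example.com")
# flags 0x8380 = QR | RD | RA | TC ; flags 0x8180 = QR | RD | RA
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0xBEEF, 0x8380, 1, 0, 0, 0) + QUERY[12:]
COMPLETE_REPLY = struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 0, 0, 0) + QUERY[12:]
```

choose_transport() also drops replies whose transaction ID does not match the outstanding query, which is the minimum a stub resolver must do against blind response spoofing.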

Total 414 questions