ExamGecko
Amazon ANS-C00 Practice Test - Questions Answers, Page 17
A company needs to set up a VPN between AWS VPC and its on-premises network. A team creates a VPN connection in the AWS Management Console, downloads the configuration file, and installs it on the on-premises router. The tunnel is not coming up because of firewall restrictions on the router. Which two network traffic options should you allow through the firewall? (Choose two.)

A. UDP port 500
B. IP protocol 50
C. IP protocol 5
D. TCP port 50
E. TCP port 500
Suggested answer: A, B

Explanation:

References: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_VPN.html

Your company has just completed a transition to IPv6 and has deployed a website on a server. You were able to download software on the instance without an issue. This website is deployed using IPv6, but the public is not able to access it. What should you do to fix this problem?

A. Add an internet gateway for the instance.
B. Add an egress-only internet gateway.
C. Add an inbound rule to your security group that allows inbound traffic on port 80 for ::/0.
D. Add an inbound rule to your security group that allows inbound traffic on port 80 for 0.0.0.0/0.
Suggested answer: C

Explanation:

Your instance can already reach the internet if it was able to download software, so an internet gateway is not needed. 0.0.0.0/0 is an IPv4 range; public IPv6 traffic needs an inbound rule for ::/0.

A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company's on-premises router for this Direct Connect connection.

Which of the following actions will require the LEAST amount of configuration overhead on the customer router?

A. Configure private virtual interfaces for the VPC resources and for Amazon S3.
B. Configure private virtual interfaces for the VPC resources and a public virtual interface for Amazon S3.
C. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and for Amazon S3.
D. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3.
Suggested answer: A

You are a holdings company that buys many businesses and must integrate their VPCs into your network. You are constantly encountering networks with similar or overlapping subnets. What is the best way to manage this?

A. BFD
B. VRF
C. A standby router for the overlapping subnets.
D. A strict IP addressing policy that forces new companies to change the IP addresses of their VPCs.
Suggested answer: B

Explanation:

VRF (Virtual Routing and Forwarding) allows you to keep multiple separate routing tables on one router, so networks with overlapping subnets can coexist without readdressing.

Your website is under attack and a malicious party is stealing large amounts of data. You have default NACL rules. Stopping the attack is the ONLY priority in this case. Which two commands should you use? (Choose two.)

A. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 32768
B. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --egress --rule-number 100
C. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100
D. aws ec2 create-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100 --protocol -1 --port-range From=-1,To=-1 --cidr-block 0.0.0.0/0 --rule-action deny
Suggested answer: B, C

Explanation:

Remove the default allow rules (rule 100, inbound and outbound) from the NACL; the default deny rule is then the only rule left for both inbound and outbound traffic. Attempting to create another rule number 100 fails with an error because rule 100 already exists.

Your company has a highly-available Direct Connect solution that utilizes two datacenters. Each datacenter was initially configured with one four-connection LAG and one standard DX connection. How many LOA documents have been requested and completed for this configuration?

A. 1
B. 4
C. 2
D. 10
Suggested answer: B

Explanation:

Only one LOA document is required for each physical connection. The logical connections in the LAG do not need separate LOAs, but they do have separate pages.

You manage a webserver that serves a webpage on AWS infrastructure. You utilize an Application Load Balancer, CloudFront, S3, and some other AWS services for this site. You are only responsible for the server and you don't have access to the AWS console or API.

You need to find out what IPs are accessing your website. What is the best way to achieve this?

A. Ask someone with IAM permissions to view the Flow Logs to give you access.
B. View the access logs. They already show this information.
C. Run "curl http://169.254.169.254/latest/meta-data/access_log".
D. Add "X-Forwarded-For" to the access logs and view the access logs.
Suggested answer: D

Explanation:

Adding "X-Forwarded-For" to the access logs and then viewing them is the best answer here: behind CloudFront and the load balancer, that header carries the client's original IP. IAM permissions could work but are not necessary, and the curl command queries instance metadata, not access logs.

Which endpoint is considered to be best practice when analyzing data within a Configuration Stream of AWS Config?

A. SNS
B. E-Mail
C. SQS
D. Kinesis
Suggested answer: C

Explanation:

The Simple Queue Service can be subscribed to the AWS Config topic (the Configuration Stream), which gives you a highly available and decoupled environment for the data within your Configuration Streams. Using SQS lets you build your own applications that extract only the information that is pertinent to you. There can be vast amounts of data coming into the Configuration Stream, but you might only want to be notified and made aware of changes that may relate to potential security issues. As a result, you may want to pull from the queue only the information that relates to Security Groups, NACLs, IAM Roles, or any other resource type that could affect the security of your environment.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/monitor-resource-changes.html

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC. Which solution will fix the connectivity failures with the LEAST amount of effort?

A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.
D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3.
Suggested answer: C

What number does the binary number 11000000 correspond to?

A. 128
B. 192
C. 64
D. 117
Suggested answer: B

Explanation:

128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192

Total 414 questions