ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 19

List of questions

Question 181

Report
Export
Collapse

You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets. Select the correct network configuration that best facilitates your company's continued growth plans.

Provision a Direct Connect connection - between your service provider's data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required
Provision a Direct Connect connection - between your service provider's data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required
Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Provision a Direct Connect connection - between your existing service provider's data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual InterfaceReference: https://aws.amazon.com/directconnect/faqs/
Provision a Direct Connect connection - between your existing service provider's data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual InterfaceReference: https://aws.amazon.com/directconnect/faqs/
Suggested answer: D

Explanation:

Explanation:

Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations - therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required - the answer is yes and therefore the correct answer is D. Reference: https://aws.amazon.com/directconnect/faqs/

asked 16/09/2024
Nelson Mira
44 questions

Question 182

Report
Export
Collapse

What are 2 possible ALIAS records? (Choose two.)

DynamoDB
DynamoDB
Elastic Beanstalk
Elastic Beanstalk
CloudFront
CloudFront
EC2 Instance
EC2 Instance
Suggested answer: B, C

Explanation:

Explanation:

You cannot create an ALIAS record that points to an EC2 instance or DynamoDB.

asked 16/09/2024
alex aguirre
43 questions

Question 183

Report
Export
Collapse

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

Use inbound security group rules to block the IP addresses.
Use inbound security group rules to block the IP addresses.
Use inbound network ACL rules to block the IP addresses.
Use inbound network ACL rules to block the IP addresses.
Use AWS WAF to block the IP addresses.
Use AWS WAF to block the IP addresses.
Write iptables rules on the instance to block the IP addresses.
Write iptables rules on the instance to block the IP addresses.
Suggested answer: B
asked 16/09/2024
Velmurugan P
42 questions

Question 184

Report
Export
Collapse

You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns. Which tool will enable you to look at this data?

Wireshark
Wireshark
VPC Flow Logs
VPC Flow Logs
AWS CLI
AWS CLI
CloudWatch Logs
CloudWatch Logs
Suggested answer: A

Explanation:

Explanation:

References: https://www.slideshare.net/TeriRadichel/packet-capture-on-aws

asked 16/09/2024
Arash Farivarmoheb
42 questions

Question 185

Report
Export
Collapse

After setting an AWS Direct Connect, which of the following cannot be done with an AWS Direct Connect Virtual Interface?

You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
You can change the region of your virtual interface.
You can change the region of your virtual interface.
You can create a hosted virtual interface.
You can create a hosted virtual interface.
You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
Suggested answer: D

Explanation:

Explanation:

You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual interface to connect to public resources or a private virtual interface to connect to your VPC. Also, it is possible to configure multiple virtual interfaces on a single AWS Direct Connect connection, and you'll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key. To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

asked 16/09/2024
Chun Yin Lau
44 questions

Question 186

Report
Export
Collapse

Which of the following does not configure Amazon CloudFront cache behaviors to forward cookies to an origin for web distributions?

Origin server
Origin server
AWS CLI
AWS CLI
Amazon EMR
Amazon EMR
Amazon S3
Amazon S3
Suggested answer: D

Explanation:

Explanation:

Amazon S3 and some HTTP servers do not process cookies. Do not configure Amazon CloudFront cache behaviors toforward cookies to an origin that doesn't process cookies or you'll adversely affect cache ability and consequentlyperformance.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

asked 16/09/2024
Muhammad Imran
41 questions

Question 187

Report
Export
Collapse

A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated.

The company recently started to produce content at a higher resolution to support 8K streaming. The size of the content files has increased to three times the size of the content files from the previous format. Uploads of files to Amazon EC2 instances are taking 10 times longer than they did with the previous format.

Which actions should a network engineer recommend to reduce the upload times? (Choose two.)

Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.
Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.
Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.
Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.
Replace the existing VPN tunnels with new tunnels that have acceleration activated.
Replace the existing VPN tunnels with new tunnels that have acceleration activated.
Upgrade each EC2 instance to a modern instance type. Activate Jumbo MTU in the operating system.
Upgrade each EC2 instance to a modern instance type. Activate Jumbo MTU in the operating system.
Replace the existing VPN tunnels with new tunnels that have IGMP activated.
Replace the existing VPN tunnels with new tunnels that have IGMP activated.
Suggested answer: A, D

Explanation:

Explanation:

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-ecmp-multiple-tunnels/ https://tutorialsdojo.com/increasing-mtu-for-your-ec2-instance/

asked 16/09/2024
Ruggero Pozza
38 questions

Question 188

Report
Export
Collapse

A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.

What is the MOST cost-effective solution that meets these requirements?

Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL.Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.
Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL.Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.
Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.
Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.
Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notifythe security team.
Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notifythe security team.
Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm fromGuardDuty.
Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm fromGuardDuty.
Suggested answer: A
asked 16/09/2024
Amine Alami
32 questions

Question 189

Report
Export
Collapse

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. Neither EC2 instances in the public or private subnets are able to access the S3 bucket.

What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

Add the CIDR address range of the private subnet to the S3 bucket policy.
Add the CIDR address range of the private subnet to the S3 bucket policy.
Add the VPC-E identifier to the S3 bucket policy.
Add the VPC-E identifier to the S3 bucket policy.
Add the VPC identifier for the production VPC to the S3 bucket policy.
Add the VPC identifier for the production VPC to the S3 bucket policy.
Add the VPC-E identifier for the production VPC to endpoint policy.
Add the VPC-E identifier for the production VPC to endpoint policy.
Suggested answer: A
asked 16/09/2024
federico monaco
35 questions

Question 190

Report
Export
Collapse

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.

trusted signers
trusted signers
optimistic locking
optimistic locking
integrity validation
integrity validation
root credentialing
root credentialing
Suggested answer: C

Explanation:

Explanation:

The AWS CloudTrail uses log file integrity validation to determine whether the log files were changed or modified since CloudTrail delivered them to an Amazon S3 bucket. Reference: https://aws.amazon.com/cloudtrail/

asked 16/09/2024
vladimir nezgoda
34 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?