Amazon ANS-C00 Practice Test - Questions Answers, Page 3

A company runs its applications on Amazon EC2 instances. A network engineer must deny specific ports for all applications and must allow only approved ports for each application. All outbound traffic from the instances must be allowed. Which solution will meet these requirements?

A.
Create a network ACL for each application to allow the application's approved ports. Associate the network ACL with the appropriate instances. Create a security group that denies the required specific ports. Associate the security group with the appropriate subnets.
B.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports. Associate the network ACL with the appropriate subnets.
C.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all ports outbound. Associate the network ACL with the appropriate subnets.
D.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create an additional security group that denies the required specific ports. Associate the additional security group with the appropriate instances.
Suggested answer: C

Explanation:

You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Your AWS WorkSpaces users are unable to authenticate. What could be one reason for this?

A.
Your AD server is running Windows Server 2016
B.
Port 3389 is not open to your AD server.
C.
Port 389 is not open to your AD server.
D.
Your AD server is running Windows Server 2012 Core Edition.
Suggested answer: C

Explanation:

AD requires port 389.

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes.

Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)

A.
AWS Config
B.
AWS Simple Notification Service
C.
AWS CloudWatch metrics
D.
AWS Lambda
E.
AWS CloudFormation
F.
AWS Identity and Access Management
Suggested answer: B, C, D

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven't yet upgraded. What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

A.
Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS-based version.
B.
Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
C.
Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
D.
Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.
Suggested answer: B

You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

A.
Site A: VPN 10.0.1.0/24 AS 65000 65000
B.
Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
C.
Site C: DX 10.0.0.0/8 AS 65000
D.
Site D: DX 10.0.0.0/16
Suggested answer: B

Explanation:

Site B: the most specific prefix always wins.

Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______ .

A.
can specify allow rules, but not deny rules
B.
can specify deny rules, but not allow rules
C.
can specify allow rules as well as deny rules
D.
can neither specify allow rules nor deny rules
Suggested answer: A

Explanation:

Security Groups in VPC allow you to specify rules with reference to the protocols and ports through which communications with your instances can be established. One such rule is that you can specify allow rules, but not deny rules.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

You are configuring a VPN to AWS for your company. You have configured the VGW and CGW. You have created the VPN.

You have also run the necessary commands on your router. You allowed all TCP and UDP traffic between your datacenter and your VPC. The tunnel still doesn't come up. What is the most likely reason?

A.
You forgot to turn on route propagation in the route table.
B.
You do not have a public ASN.
C.
Your advertised subnet is too large.
D.
You haven't added protocol 50 to your firewall.
Suggested answer: D

Explanation:

You haven't allowed protocol 50 through the firewall. Protocol 50 is different from UDP (17) and TCP (6) and requires a rule in your firewall for your VPN tunnel to come up.

An organization with a growing ecommerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

A.
Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
B.
Add multiple CloudHSM instances to the cluster; requests to it will automatically load balance.
C.
Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.
D.
Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.
Suggested answer: A

A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?

A.
The user can connect to an instance in a private subnet using the NAT instance
B.
The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of the private subnet to allow SSH from that elastic IP
C.
Allow inbound traffic on port 22 from the user's network
D.
Allow inbound traffic on ports 80 and 22 to allow the user to connect to a private subnet over the internet
Suggested answer: C

Explanation:

The user can create subnets as required within a VPC. If the user wants to connect to the VPC from his own data centre, the user can set up a VPN-only subnet (private) which uses VPN access to connect with his data centre.

When the user has configured this setup with the wizard, all network connections to the instances in the subnet will come from his data centre. The user has to configure the security group of the private subnet to allow inbound traffic on SSH (port 22) from the data centre's network range.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html

Which statement about placement groups is incorrect?

A.
A placement group is a logical grouping of instances in a single AZ.
B.
If you stop an instance and restart it, it will always return to the same placement group.
C.
To help ensure capacity in a placement group, deploy all instances at once.
D.
There is no charge for creating a placement group.
Suggested answer: B

Explanation:

There may not be sufficient capacity in the placement group.
