
Amazon ANS-C00 Practice Test - Questions Answers, Page 30

Your company has a high-availability hybrid solution that utilizes two Direct Connect connections and a backup VPN connection. For some reason, traffic is preferring the VPN connection instead of the Direct Connect connections. You have prepended a longer AS_PATH on the VPN connection, but AWS still prefers it over the Direct Connect connections.

What might you be able to do to fix this issue?

A. Advertise a less specific prefix on the VPN.
B. Remove the prepended AS_PATH.
C. Reconfigure the VPN as a static VPN instead of dynamic.
D. Increase the MED on the VPN.

Suggested answer: A

Explanation:

The only reason a VPN would be preferred over Direct Connect is if it has a more specific prefix. This was not discussed in the question but is assumed, since it is the only criterion in the path selection process that supersedes Direct Connect.

You have set up an S3 endpoint, and you want to restrict some instances from being able to access it. These instances are all in the same subnet, so you cannot simply remove the prefix list from the route table.

What two approaches can you take to solve this? (Choose two.)

A. Remove any access to the PL in the security group attached to the instances.
B. Add a rule in the NACL to block the prefix list ID outbound.
C. This is not possible.
D. Modify the endpoint policy.

Suggested answer: A, D

Explanation:

You cannot add a prefix list ID to a NACL.

You have 99 routes in your dynamic BGP propagated route table and you wish to add 2 more: 10.1.0.0 and 10.3.0.0. You cannot modify or remove routes that have already been announced. What should you do?

A. Summarize the two routes to combine them into one and advertise it.
B. Just advertise them, the 100 route limit is a "soft limit" and will be expanded automatically.
C. You cannot add these routes.
D. Call AWS support to increase your route limit.

Suggested answer: A

Explanation:

You cannot add these routes. If you try to summarize them, that would create a 10.0.0.0/14, which is too low of a CIDR to advertise to AWS. AWS has a minimum of /16. You cannot have the 100 route limit modified in any way. It is a hard 100 route limit.

A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers. The company does not want to implement an access management solution that requires additional costs or effort. Which solution meets these requirements?

A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VP
B. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
C. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VP
D. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.
E. Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP.
F. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.

Suggested answer: B

What is the name of the label applied to packets to allow routers to know where to forward in an MPLS network?

A. BFD
B. BGP
C. FEC
D. ABC

Suggested answer: C

Explanation:

Forwarding Equivalence Class (FEC) is how routers know where to send packets.

What number does the binary number 10101000 correspond to?

A. 168
B. 128
C. 192
D. 160

Suggested answer: A

Explanation:

128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168

Which other AWS service is used to track 'Related Events' within the Configuration Item?

A. AWS WAF
B. SQS
C. AWS CloudTrail
D. S3

Suggested answer: C

Explanation:

'Related Events' displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI.

There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created. This allows you to deep-dive into who or what made the change that triggered this CI, and when. A great feature allowing for some great analysis to be undertaken, specifically when this affects security resources.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#config-item-table

With respect to Amazon CloudFront, which one of the following statements is correct?

A. For HTTPS web distributions, you cannot forward cookies to your origin.
B. For both HTTP and HTTPS web distributions, you can choose to forward cookies to your origin.
C. For HTTP web distributions, you cannot forward cookies to your origin.
D. For Real Time Messaging Protocol (RTMP) distributions, you can configure CloudFront to process cookies.

Suggested answer: B

Explanation:

With respect to Amazon CloudFront, for HTTP and HTTPS web distributions, you can choose whether you want CloudFront to forward cookies to your origin. For RTMP distributions, you cannot configure CloudFront to process cookies.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

A. CloudWatch Logs at the VPC level
B. Packet sniffing at the instance level
C. VPC flow logs at the subnet level
D. Packet sniffing at the VPC level

Suggested answer: A

A company's network engineering team is solely responsible for deploying VPC infrastructure using AWS CloudFormation.

The company wants to give its developers the ability to launch applications using CloudFormation templates so that subnets can be created using available CIDR ranges. What should be done to meet these requirements?

A. Create a CloudFormation template with Amazon EC2 resources that rely on cfn-init and cfn-signals to inform the stack of available CIDR ranges.
B. Create a CloudFormation template with a custom resource that analyzes traffic activity in VPC Flow Logs and reports on available CIDR ranges.
C. Create a CloudFormation template that references the Fn::Cidr intrinsic function within a subnet resource to select an available CIDR range.
D. Create a CloudFormation template with a custom resource that uses AWS Lambda and Amazon DynamoDB to manage available CIDR ranges.

Suggested answer: C
Total 414 questions