Amazon ANS-C00 Practice Test - Questions Answers, Page 31

An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication. Which of the following options meets the organization's requirements?

A. Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
B. Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.
C. Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
D. Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.
Suggested answer: C

Explanation:

Reference: https://aws.amazon.com/about-aws/whats-new/2017/10/elastic-load-balancing-application-load-balancers-nowsupport-multiple-ssl-certificates-and-smart-certificate-selection-using-servername-indication-sni/

An AWS CloudTrail log file provides the identity and source IP address of the API caller, the time of the API call, the request parameters, and ____.

A. response elements
B. event selectors
C. port alarms
D. destination buckets
Suggested answer: A

Explanation:

An AWS CloudTrail log file provides the following details:

Identity of the API caller

Time of the API call

Source IP address of the API caller

Request parameters

Response elements

Reference: https://aws.amazon.com/cloudtrail/

A network architect is designing a website. It has web, application, and database tiers that will run in AWS. The website uses Amazon DynamoDB. Which architecture will minimize public exposure of the backend instances?

A. A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
B. A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects to DynamoDB through a VPC endpoint.
C. A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
D. A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects to DynamoDB through a VPC endpoint.
Suggested answer: D

Which service would you use to see who changed your infrastructure?

A. Config
B. CloudTrail
C. Flow Logs
Suggested answer: B

Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall. You advertise your company's public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP.

This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.

Which step should you take to provide concurrent AWS and Internet access?

A. Configure AS-PATH prepending for the public virtual interface.
B. Advertise a host route for the corporate firewall on the public virtual interface.
C. Advertise a host route for the corporate firewall to the upstream Internet provider.
D. NAT the traffic destined for AWS from the dedicated firewall using the public virtual interface.
Suggested answer: D

Explanation:

When outgoing traffic is routed via the corporate firewall, its return path is via the Direct Connect public virtual interface and therefore through the dedicated firewall. This dedicated firewall does not track the original NAT session and subsequently drops the traffic. Answer A is incorrect because AWS will always prefer Direct Connect over Internet routing. Answer B is incorrect because return traffic is still processed by the dedicated firewall. Answer C is incorrect because it does not change the traffic flow.

Which of the following is true when you don't configure Amazon CloudFront to forward cookies to your origin?

A. CloudFront removes the Cookie header from requests that it forwards to your origin.
B. CloudFront disables viewer requests to your origin, including all cookies.
C. CloudFront caches your objects based on cookie values.
D. CloudFront automates code deployments to any instance.
Suggested answer: A

Explanation:

If you don't configure CloudFront to forward cookies to your origin, CloudFront removes the Cookie header from requests that it forwards to your origin and removes the Set-Cookie header from responses that it returns to your clients.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Link, which step is NOT required?

A. Provide a public IP address (/31) for each Border Gateway Protocol (BGP) session.
B. Allocate a private IP address to your network in the 172.x.x.x range.
C. Provide the public routes that you will advertise over Border Gateway Protocol (BGP).
D. Provide a public Autonomous System Number (ASN) that you own, or a private one, to identify your network on the Internet.
Suggested answer: B

Explanation:

To connect to public AWS products such as Amazon EC2 and Amazon S3 through AWS Direct Connect, you need to provide the following:

A public Autonomous System Number (ASN) that you own (preferred) or a private ASN.

Public IP addresses (/30) for each BGP session (that is, one address for each end of the BGP session).

The public routes that you will advertise over BGP.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

Your company currently has a LAG to AWS with two 1Gbps connections. What is the best way to increase throughput on this LAG?

A. Add three 1Gbps connections to the LAG.
B. Add one 10Gbps connection to the LAG.
C. Configure your router to use "jumbo frames" with an MTU of 9001.
D. Add two 1Gbps connections to the LAG.
Suggested answer: D

Explanation:

Add two 1Gbps connections to the LAG. DX does not support jumbo frames, a LAG only supports 4 connections, and adding a 10Gbps connection will be limited to the lowest speed of 1Gbps.

Your company needs to directly update an S3 bucket that serves as a CloudFront origin with the most reliability possible.

Your company also has a set of private EC2 servers that it needs to access with the same reliability. Which combination will provide the best solution?

A. A Virtual Gateway and a Public VIF
B. A Private VIF is all you need to access all AWS resources.
C. A Hosted VIF and a Private VIF
D. A Public VIF and a Private VIF
Suggested answer: D

Explanation:

The Public VIF will allow access to the S3 bucket, and the Private VIF will allow access to the EC2 instances.

You have several VPCs that are peered. Each VPC has several routes to different subnets. Over the years, your company has acquired many companies. You find that traffic destined for one VPC ends up going to another. What is the best way to remedy this?

A. Move the route table entry for the proper VPC higher in the list.
B. Adjust your routes so the proper VPC has a higher CIDR.
C. Move the route table entry for the proper VPC lower in the list.
D. Adjust your routes so the proper VPC has a lower CIDR.
Suggested answer: B

Explanation:

The more specific route (the higher CIDR prefix length) always takes precedence over a less specific one.
