ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 31

List of questions

Question 301

Report
Export
Collapse

An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication. Which of the following options meets the organization's requirements?

Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.
Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.
Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.
Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.
Suggested answer: C

Explanation:

Explanation:

Reference: https://aws.amazon.com/about-aws/whats-new/2017/10/elastic-load-balancing-application-load-balancers-nowsupport-multiple-ssl-certificates-and-smart-certificate-selection-using-servername-indication-sni/

asked 16/09/2024
Alain Bijl
40 questions

Question 302

Report
Export
Collapse

An AWS CloudTrail log file provides the identity and source IP address of the API caller, and a time of the API call, request parameters, and ____.

response elements
response elements
event selectors
event selectors
port alarms
port alarms
destination buckets
destination buckets
Suggested answer: A

Explanation:

Explanation:

An AWS CloudTrail log file provide the following details.

Identity of the API caller

Time of the API call

Source IP address of the API caller

Request parameters

Response elements

Reference: https://aws.amazon.com/cloudtrail/

asked 16/09/2024
Nicoleta Moglan
37 questions

Question 303

Report
Export
Collapse

A network architect is designing a website. It has web, application, and database tiers that will run in AWS. The website uses Amazon DynamoDB. Which architecture will minimize public exposure of the backend instances?

A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
Suggested answer: D
asked 16/09/2024
Maheshkumar Karuppaiah
34 questions

Question 304

Report
Export
Collapse

Which service would you use to see who changed your infrastructure?

Config
Config
CloudTrail
CloudTrail
Flow Logs
Flow Logs
Suggested answer: B
asked 16/09/2024
Jason Wang
40 questions

Question 305

Report
Export
Collapse

Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall. You advertise your company's public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP.

This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.

Which step should you take to provide concurrent AWS and Internet access?

Configure AS-PATH prepending for the public virtual interface.
Configure AS-PATH prepending for the public virtual interface.
Advertise a host route for the corporate firewall on the public virtual interface.
Advertise a host route for the corporate firewall on the public virtual interface.
Advertise a host route for the corporate firewall to the upstream Internet provider.
Advertise a host route for the corporate firewall to the upstream Internet provider.
NAT the traffic destined for AWS from the dedicated firewall using the public virtual interface.
NAT the traffic destined for AWS from the dedicated firewall using the public virtual interface.
Suggested answer: D

Explanation:

Explanation:

When outgoing traffic is routed via the corporate firewall, its return path is via the Direct Connect public virtual interface and therefore through the dedicated firewall. This dedicated firewall does not track the original NAT session and subsequently drops the traffic. Answer A is incorrect because AWS will always prefer Direct Connect over Internet routing. Answer B is incorrect because return traffic is still processed by the dedicated firewall. Answer C is incorrect because it does not change the traffic flow.

asked 16/09/2024
Joshua Paffen
32 questions

Question 306

Report
Export
Collapse

Which of the following is true when you don't configure Amazon CloudFront to forward cookies to your origin?

CloudFront removes the Cookie header from requests that it forwards to your origin.
CloudFront removes the Cookie header from requests that it forwards to your origin.
CloudFront disables viewer requests to your origin, including all cookies.
CloudFront disables viewer requests to your origin, including all cookies.
CloudFront caches your objects based on cookie values.
CloudFront caches your objects based on cookie values.
CloudFront automates code deployments to any instance.
CloudFront automates code deployments to any instance.
Suggested answer: A

Explanation:

Explanation:

If you don't configure CloudFront to forward cookies to your origin, CloudFront removes the Cookie header from requests that it forwards to your origin and removes the Set-Cookie header from responses that it returns to your clients.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

asked 16/09/2024
MIGUEL PARADA VAZQUEZ
34 questions

Question 307

Report
Export
Collapse

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Link, which step is NOT required?

Provide public IP address (/31) for each Border Gateway Protocol (BGP) session.
Provide public IP address (/31) for each Border Gateway Protocol (BGP) session.
Allocate a Private IP address to your network in 172.x.x.x range.
Allocate a Private IP address to your network in 172.x.x.x range.
Provide the public routes that you will advertise over Border Gateway Protocol (BGP).
Provide the public routes that you will advertise over Border Gateway Protocol (BGP).
Provide a public Autonomous System Number (ASN) that you own or a private one to identify your network on the Internet.
Provide a public Autonomous System Number (ASN) that you own or a private one to identify your network on the Internet.
Suggested answer: B

Explanation:

Explanation:

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Connect, you need to provide the following:

A public Autonomous System Number (ASN) that you own (preferred) or a private ASN. Public IP addresses (/30) (that is, one for each end of the BGP session) for each BGP session. The public routes that you will advertise over BGP.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

asked 16/09/2024
Kristian Michael Matias
44 questions

Question 308

Report
Export
Collapse

Your company currently has a LAG to AWS with two 1Gbps connections. What is the best way to increase throughput on this LAG?

Add three 1Gbps connections to the LAG.
Add three 1Gbps connections to the LAG.
Add one 10Gbps connections to the LAG.
Add one 10Gbps connections to the LAG.
Configure your router to use "jumbo frames" with an MTU of 9001.
Configure your router to use "jumbo frames" with an MTU of 9001.
Add two 1Gbps connections to the LAG.
Add two 1Gbps connections to the LAG.
Suggested answer: D

Explanation:

Explanation:

Add two 1Gbps connections to the LAG. DX does not support jumbo frames, a LAG only supports 4 connections, and adding a 10Gbps connection will be limited to the lowest speed of 1Gbps.

asked 16/09/2024
DIPESH JAISWAL
35 questions

Question 309

Report
Export
Collapse

Your company needs to directly update an S3 bucket that serves as a CloudFront origin with the most reliability possible.

Your company also has a set of private EC2 servers that it needs to access with the same reliability. Which combination will provide the best solution?

A Virtual Gateway and a Public VIF
A Virtual Gateway and a Public VIF
A Private VIF is all you need to access all AWS resources.
A Private VIF is all you need to access all AWS resources.
A Hosted VIF and a Private VIF
A Hosted VIF and a Private VIF
A Public VIF and a Private VIF
A Public VIF and a Private VIF
Suggested answer: D

Explanation:

Explanation:

The Public VIF will allow access to the S3 bucket, and the Private VIF will allow access to the EC2 instances.

asked 16/09/2024
Thao Nguyen
46 questions

Question 310

Report
Export
Collapse

You have several VPCs that are peered. Each VPC has several routes to different subnets. Over the years, your company has acquired many companies. You find that traffic destined for one VPC ends up going to another. What is the best way to remedy this?

Become a Premium Member for full access
  Unlock Premium Member
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?