Amazon ANS-C00 Practice Test - Questions Answers, Page 33

You wish to host a mail server on an EC2 instance. What two steps must you take to ensure utmost reliability?

A. Create an EIP for the instance.
B. Configure the mail service to serve as an open relay.
C. Contact AWS to have a Reverse DNS record configured and to help keep your domain from SPAM blacklists.
D. Provide open security group access to your instance on ports 25, 3389 and 22.

Suggested answer: A, C

Explanation:

Configuring the mail service as an open relay is bad practice. The security group does not need ports 3389 or 22 open.

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway. The instance has a security group configured to allow as follows:

Protocol: TCP

Port: 80 inbound and nothing outbound

The Network ACL for the subnet is configured to allow as follows:

Protocol: TCP

Port: 80 inbound and nothing outbound

When you try to browse to the web server, you receive no response.

Which additional step should you take to receive a successful response?

A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535

Suggested answer: C

An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.

Which combination of services will support these requirements? (Choose two.)

A. Amazon Aurora in a private subnet
B. Amazon CloudFront using AWS Lambda@Edge
C. Customer-managed MySQL with Transparent Data Encryption
D. Application Load Balancer using HTTPS listeners and targets
E. AWS Key Management Services

Suggested answer: C, E

Explanation:

References: https://noise.getoto.net/tag/aws-kms/

Your boss decides to assign an Elastic IP to a production instance. Once he does this, access to the URL for that website fails. What happened?

A. The original IP address was released back to AWS when the Elastic IP was assigned.
B. Your boss only needs to restart the Apache service.
C. Your boss should have turned off the server before assigning the IP address.
D. Your boss needs to restart the server.

Suggested answer: A

Explanation:

The original IP address was released back to AWS when the Elastic IP was assigned. If you attach an EIP, you lose the address originally assigned to the instance unless you add it to another interface.

You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

A. get-compliance-details-by-resource
B. describe-compliance-by-config-rule
C. get-compliance-details-by-config-rule
D. describe-compliance-by-resource

Suggested answer: B

Explanation:

You can use the describe-compliance-by-config-rule command of the AWS Config CLI to see the compliance state of each of your rules. For each rule that has a compliance type of NON_COMPLIANT, AWS Config returns the number of noncompliant resources for the CappedCount parameter.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

A company has a hybrid environment across its on-premises network and the AWS Cloud. The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through on-premises DNS servers. The company wants to use a custom domain name to connect to Amazon EFS. The company also wants to avoid using the Amazon EFS target IP address. What should a network engineer do to meet these requirements?

A. Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 public hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 public hosted zone.
B. Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
C. Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
D. Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new PTR record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone.

Suggested answer: A

A network engineer is using the AWS CLI to provision a VPC and Amazon EC2 instances that use IPv6 addresses. An application that runs on the instances requires access to the internet to pull updates from a software vendor. The VPC ID is vpc-3c02b675. The network engineer uses the following command to provision an egress-only internet gateway:

aws ec2 create-egress-only-internet-gateway --vpc-id vpc-3c02b675

What else must the network engineer do so that the EC2 instances can pull the updates?

A. Replace the egress-only internet gateway with a NAT gateway. Create a route with destination 0.0.0.0/0 and the NAT gateway ID as the target.
B. Replace the egress-only internet gateway with a NAT gateway. Create a route with destination ::/0 and the NAT gateway ID as the target.
C. Create a route with destination 0.0.0.0/0 and the egress-only internet gateway ID as the target.
D. Create a route with destination ::/0 and the egress-only internet gateway ID as the target.

Suggested answer: C

Explanation:

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-subnets-commands-example-ipv6.html

True or false: A VPC contains multiple subnets, where each subnet can span multiple Availability Zones.

A. This is true only for US regions.
B. This is false.
C. This is true.
D. This is true only if requested during the set-up of VPC.

Suggested answer: B

Explanation:

A VPC can span several Availability Zones. In contrast, a subnet must reside within a single Availability Zone.

Reference: https://aws.amazon.com/vpc/faqs/

Which of these is not required when setting up a VIF?

A. BGP Key
B. VLAN ID
C. ASN
D. BGP MED

Suggested answer: D

Explanation:

BGP MED is used to steer traffic and not for requesting a VIF.

You wish to access all European regions using your Direct Connect connection. How should you accomplish this?

A. Peer VPCs in the different regions and connect DX to one of the regions to communicate with the other.
B. Use a DX Gateway.
C. Find the prefix list for the other region and add it to your route table.
D. One DX connection will connect you to all regions.

Suggested answer: B

Explanation:

The DX Gateway will allow access to multiple regions.

Total 414 questions