Amazon ANS-C00 Practice Test - Questions Answers, Page 6

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
Suggested answer: C

A VPC is deployed with a 10.0.0.0/16 CIDR block. The engineering team is reviewing DHCP options, and there is disagreement about the valid DNS addresses available for the VPC.

Which addresses are valid IP addresses provided by Amazon for this subnet? (Choose two.)

A. 8.8.8.8
B. 10.0.0.2
C. 10.1.0.2
D. 169.254.169.253
E. 169.254.169.254
Suggested answer: B, D

Explanation:

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html

Your company has decided to use AWS WorkSpaces for its hosted desktop solution. Your company has an existing AD of about 57,000 users, and you want to minimize authentication traffic from AWS to your datacenter. Your company has a lot of personnel changes, and it is crucial that these changes are reflected reliably. What two steps should you take? (Choose two.)

A. Deploy Hosted AD in AWS.
B. Deploy an AD Connector in AWS.
C. Create a DX connection between the datacenter and AWS.
D. Create a VPN between the datacenter and AWS.
Suggested answer: A, C

Explanation:

A VPN is not reliable enough, and an AD connector will cause too much authentication traffic.

You have a hybrid infrastructure and you have configured your own DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. You need your data center to be able to resolve Route 53 queries in your private hosted zone. What do you need to do to accomplish this?

A. Disable the source/destination check flag for the DNS instance.
B. Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.
C. Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.
D. Configure the VPC DHCP option set in the VPC to point to the EC2 DNS server.
Suggested answer: C

Explanation:

10.1.3.2 is not the DNS server. A DHCP option set is not needed, since you are resolving AWS resources from on-premises, not from a VPC, and those instances are already configured to look to Route 53 DNS.

Which ports must you allow for HTTP and HTTPS traffic?

A. 25/465
B. 21/22
C. 3389/3306
D. 80/443
Suggested answer: D

Explanation:

80 and 443 are the ports for HTTP and HTTPS, respectively.

Which element of AWS Config can be used to help maintain internal and external compliance controls?

A. Configuration Item
B. Configuration Recorder
C. Configuration Streams
D. Config Rules
Suggested answer: D

Explanation:

AWS Config lets you use Config Rules, which act as an automatic resource compliance checker, to help you manage and organise this compliance. When a change is made to a resource, AWS Config checks whether the resource matches a rule and, if so, checks the compliance of that resource against the rule following the change.

Reference: https://aws.amazon.com/config/

A company has a message queue application that is based on Apache Kafka. The company runs the application across a fleet of Amazon EC2 instances in a VPC. The EC2 instances are deployed across multiple Availability Zones. A network engineer must ensure that the application is highly available and scalable. Additionally, the load on the EC2 instances must be automatically distributed. For security compliance, application clients must be able to create an allow list of the IP addresses for the application.

Which solution meets these requirements?

A. Add an Application Load Balancer (ALB) in front of the EC2 instances. Provide the ALB IP addresses to the application clients to create an allow list.
B. Add a Network Load Balancer (NLB) in front of the EC2 instances. Provide the NLB IP addresses to the application clients to create an allow list.
C. Add an Application Load Balancer in front of the EC2 instances. Provide the CNAME to the application clients to create an allow list.
D. Add a Network Load Balancer (NLB) in front of the EC2 instances. Provide the NLB's default alias to the application clients to create an allow list.
Suggested answer: D

Explanation:

Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html

You have two placement groups in a VPC. What communication speed can be expected between the two placement groups?

A. 5Gbps
B. 10Gbps
C. 20Gbps
D. You cannot communicate between two placement groups.
Suggested answer: A

Explanation:

5Gbps is the maximum speed for traffic outside of a placement group.

What are two features of an Application Load Balancer? (Choose two.)

A. Scales to handle any amount of traffic without interference
B. Can distribute traffic over multiple Availability Zones
C. Can receive a static IP address
D. Can support SSLs
Suggested answer: B, D

Explanation:

The Network Load Balancer can scale larger and receive a static IP address, but the Application Load Balancer cannot.

An organization has three AWS accounts, each containing VPCs in the Virginia, Canada and Sydney regions. The organization wants to determine whether all available Elastic IP addresses (EIPs) in these accounts are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs) in all of the specified regions for compliance and cost-optimization purposes. Which of the following meets the requirements with the LEAST management overhead?

A. Use an Amazon CloudWatch Events rule to schedule an AWS Lambda function in each account in all three regions to find the unattached and unused EIPs.
B. Use a CloudWatch event bus to schedule Lambda functions in each account in all three regions to find the unattached and unused EIPs.
C. Add an AWS managed, EIP-attached AWS Config rule in each region in all three accounts to find unattached and unused EIPs.
D. Use AWS CloudFormation StackSets to deploy an AWS Config EIP-attached rule in all accounts and regions to find the unattached and unused EIPs.
Suggested answer: C
Total 414 questions