ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 3

List of questions

Question 21

Report
Export
Collapse

A company runs its applications on Amazon EC2 instances. A network engineer must deny specific ports for all applications and must allow only approved ports for each application. All outbound traffic from the instances must be allowed. Which solution will meet these requirements?

Create a network ACL for each application to allow the application's approved ports. Associate the network ACL with the appropriate instances. Create a security group that denies the required specific ports. Associate the security groupwith the appropriate subnets.
Create a network ACL for each application to allow the application's approved ports. Associate the network ACL with the appropriate instances. Create a security group that denies the required specific ports. Associate the security groupwith the appropriate subnets.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports. Associate the network ACLwith the appropriate subnets.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports. Associate the network ACLwith the appropriate subnets.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all portsoutbound. Associate the network ACL with the appropriate subnets.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all portsoutbound. Associate the network ACL with the appropriate subnets.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create an additional security group that denies the required specific ports. Associate theadditional security group with the appropriate instances.
Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create an additional security group that denies the required specific ports. Associate theadditional security group with the appropriate instances.
Suggested answer: C

Explanation:

Explanation:

You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

asked 16/09/2024
saud ahmed
38 questions

Question 22

Report
Export
Collapse

Your AWS WorkSpaces users are unable to authenticate. What could be one reason for this?

Your AD server is running Windows Server 2016
Your AD server is running Windows Server 2016
Port 3389 is not open to your AD server.
Port 3389 is not open to your AD server.
Port 389 is not open to your AD server.
Port 389 is not open to your AD server.
Your AD server is running Windows Server 2012 Core Edition.
Your AD server is running Windows Server 2012 Core Edition.
Suggested answer: C

Explanation:

Explanation:

AD requires port 389.

asked 16/09/2024
MYKEL PERRY
38 questions

Question 23

Report
Export
Collapse

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes.

Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)

AWS Config
AWS Config
AWS Simple Notification Service
AWS Simple Notification Service
AWS CloudWatch metrics
AWS CloudWatch metrics
AWS Lambda
AWS Lambda
AWS CloudFormation
AWS CloudFormation
AWS Identify and Access Management
AWS Identify and Access Management
Suggested answer: B, C, D
asked 16/09/2024
luis lozano
40 questions

Question 24

Report
Export
Collapse

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their onpremises version of the application to serve a small portion of the customers who haven't yet upgraded. What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients tothe on-premises application.
Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients tothe on-premises application.
Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.
Suggested answer: B
asked 16/09/2024
Tomasz Woloszczak
36 questions

Question 25

Report
Export
Collapse

You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

Site A: VPN 10.0.1.0/24 AS 65000 65000
Site A: VPN 10.0.1.0/24 AS 65000 65000
Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
Site C: DX 10.0.0.0/8 AS 65000
Site C: DX 10.0.0.0/8 AS 65000
Site D: DX 10.0.0.0/16
Site D: DX 10.0.0.0/16
Suggested answer: B

Explanation:

Explanation:

Site B, the most specific prefix always wins.

asked 16/09/2024
Chakravarthy Sankaranarayanan
34 questions

Question 26

Report
Export
Collapse

Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______ .

can specify allow rules, but not deny rules
can specify allow rules, but not deny rules
can specify deny rules, but not allow rules
can specify deny rules, but not allow rules
can specify allow rules as well as deny rules
can specify allow rules as well as deny rules
can neither specify allow rules nor deny rules
can neither specify allow rules nor deny rules
Suggested answer: A

Explanation:

Explanation:

Security Groups in VPC allow you to specify rules with reference to the protocols and ports through which communications with your instances can be established. One such rule is that you can specify allow rules, but not deny rules.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

asked 16/09/2024
Diego Beltran
39 questions

Question 27

Report
Export
Collapse

You are configuring a VPN to AWS for your company. You have configured the VGW and CGW. You have created the VPN.

You have also run the necessary commands on your router. You allowed all TCP and UDP traffic between your datacenter and your VPC. The tunnel still doesn't come up. What is the most likely reason?

You forgot to turn on route propagation in the route table.
You forgot to turn on route propagation in the route table.
You do not have a public ASN.
You do not have a public ASN.
Your advertised subnet is too large.
Your advertised subnet is too large.
You haven't added protocol 50 to your firewall.
You haven't added protocol 50 to your firewall.
Suggested answer: D

Explanation:

Explanation:

You haven't allowed protocol 50 through the firewall. Protocol 50 is different from UDP (17) and TCP (6) and requires a rule in your firewall for your VPN tunnel to come up.

asked 16/09/2024
Joseph Mwaura
29 questions

Question 28

Report
Export
Collapse

An organization with a growing ecommerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
Use multiple CloudHSM instances to the cluster; request to it will automatically load balance.
Use multiple CloudHSM instances to the cluster; request to it will automatically load balance.
Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.
Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.
Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.
Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.
Suggested answer: A
asked 16/09/2024
Artur Sierszen
48 questions

Question 29

Report
Export
Collapse

A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?

The user can connect to a instance in a private subnet using the NAT instance
The user can connect to a instance in a private subnet using the NAT instance
The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
Allow Inbound traffic on port 22 from the user's network
Allow Inbound traffic on port 22 from the user's network
Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet
Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet
Suggested answer: C

Explanation:

Explanation:

The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data centre, the user can setup a case with a VPN only subnet (private) which uses VPN access to connect with his data centre.

When the user has configured this setup with Wizard, all network connections to the instances in the subnet will come from his data centre. The user has to configure the security group of the private subnet which allows the inbound traffic on SSH (port 22) from the data centre's network range.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html

asked 16/09/2024
Chun Yin Lau
44 questions

Question 30

Report
Export
Collapse

Which statement about placement groups is incorrect?

A placement group is a logical grouping of instances in a single AZ.
A placement group is a logical grouping of instances in a single AZ.
If you stop an instance and restart it, it will always return to the same placement group.
If you stop an instance and restart it, it will always return to the same placement group.
To help ensure capacity in a placement group, deploy all instances at once.
To help ensure capacity in a placement group, deploy all instances at once.
There is no charge for creating a placement group.
There is no charge for creating a placement group.
Suggested answer: B

Explanation:

Explanation:

There may not be sufficient capacity in the placement group.

asked 16/09/2024
DOMINIC FERNANDEZ
40 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?