ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 5

List of questions

Question 41

Report
Export
Collapse

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
Suggested answer: A
asked 16/09/2024
Wilson Geneblazo
33 questions

Question 42

Report
Export
Collapse

Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network.

The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.

The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs. Which step should you take to meet the requirements?

Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.
Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.
Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.
Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.
Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.
Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.
Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.
Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.
Suggested answer: C
asked 16/09/2024
Sandesh Somaiah
39 questions

Question 43

Report
Export
Collapse

Your company's policy requires that all VPCs peer with a "common services: VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common service VPC as required by policy. You launch an Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application. Which step should you take to enable access to Amazon S3?

Update the S3 bucket policy with the private IP address of the instance.
Update the S3 bucket policy with the private IP address of the instance.
Exclude 169.254.169.0/24 from the instance's proxy configuration.
Exclude 169.254.169.0/24 from the instance's proxy configuration.
Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
Suggested answer: D
asked 16/09/2024
Robert Thompson
45 questions

Question 44

Report
Export
Collapse

What is the maximum size of a response body that Amazon CloudFront will return to the viewer?

Unlimited
Unlimited
5 GB
5 GB
100 MB
100 MB
20 GB
20 GB
Suggested answer: D

Explanation:

Explanation:

The maximum size of a response body that CloudFront will return to the viewer is 20 GB.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorS3Origin.html#Resp onseBehaviorS3Origin

asked 16/09/2024
John Kaye
29 questions

Question 45

Report
Export
Collapse

Which path will be chosen first?

192.168.0.0/16 AS 65000 over Direct Connect
192.168.0.0/16 AS 65000 over Direct Connect
192.0.0.0/8 AS 65000 over Direct Connect
192.0.0.0/8 AS 65000 over Direct Connect
192.168.1.0/24 AS 65000 65000 65000 over a Dynamic VPN
192.168.1.0/24 AS 65000 65000 65000 over a Dynamic VPN
192.168.0.0/16 AS 65000 over a Static VPN
192.168.0.0/16 AS 65000 over a Static VPN
Suggested answer: C

Explanation:

Explanation:

The path selection process always chooses the most specific prefix first.

asked 16/09/2024
HAO KANG SUNG
36 questions

Question 46

Report
Export
Collapse

You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. What is most likely the problem?

There is no record in Route 53 pointing cdn.yourdomain.com to the CloudFront ALIAS.
There is no record in Route 53 pointing cdn.yourdomain.com to the CloudFront ALIAS.
You need to create Origin Access Identity for CloudFront and add it to your bucket policy.
You need to create Origin Access Identity for CloudFront and add it to your bucket policy.
The images in S3 are saved as .png instead of .jpg.
The images in S3 are saved as .png instead of .jpg.
There is no rule in your bucket policy allowing public access.
There is no rule in your bucket policy allowing public access.
Suggested answer: B

Explanation:

Explanation:

You must have an OAI if the bucket policy does not allow public access, which is bad practice.

asked 16/09/2024
Jonathan McGurgan
34 questions

Question 47

Report
Export
Collapse

A team implements a highly available solution using Amazon AppStream 2.0. The AppStream 2.0 fleet needs to communicate with resources both in an existing VPC and on-premises. The VPC is connected to the on-premises environment using an AWS Direct Connect private virtual interface.

What implementation enables on-premises users to connect to AppStream and existing VPC resources?

Deploy two subnets into the existing VP
Deploy two subnets into the existing VP
Add a public virtual interface to the Direct Connect connection for users to access the AppStream endpoint
Add a public virtual interface to the Direct Connect connection for users to access the AppStream endpoint
Deploy two subnets into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
Deploy two subnets into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
Deploy a new VPC with two subnets. Create a VPC peering connection between the two VPCs for users to access the AppStream endpoint.
Deploy a new VPC with two subnets. Create a VPC peering connection between the two VPCs for users to access the AppStream endpoint.
Deploy one subnet into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
Deploy one subnet into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
Suggested answer: A
asked 16/09/2024
Bassem Louati
31 questions

Question 48

Report
Export
Collapse

What value in a packet dictates the priority of the packet in a QoS enabled network?

BFD
BFD
IPv6
IPv6
NAT
NAT
DSCP
DSCP
Suggested answer: D

Explanation:

Explanation:

The Differentiated Services Code Point value, or DSCP, is used to label packets on QoS enabled networks for prioritization.

asked 16/09/2024
ONWUDIWE NYENKE
36 questions

Question 49

Report
Export
Collapse

You wish to have a sub-1G connection to AWS to save on costs. How can you achieve this?

Just set your router to the speed you want and AWS will charge you based on the actual speed of the port.
Just set your router to the speed you want and AWS will charge you based on the actual speed of the port.
Contact AWS, they will put you in contact with a technical account manager who can help you get this setup.
Contact AWS, they will put you in contact with a technical account manager who can help you get this setup.
You can't. The only speeds available for Direct Connect are 1G and 10G.
You can't. The only speeds available for Direct Connect are 1G and 10G.
Contact an AWS partner, AWS does not provide sub-1G connection speeds.
Contact an AWS partner, AWS does not provide sub-1G connection speeds.
Suggested answer: D

Explanation:

Explanation:

Sub-1G service is only available through AWS partners.

asked 16/09/2024
Vangelis Gouloutis
38 questions

Question 50

Report
Export
Collapse

Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately. What are the minimum requirements for your router?

1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5
IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5
BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel
BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel
Suggested answer: B
asked 16/09/2024
Bill Skadden
31 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?