ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 10

List of questions

Question 91

Report
Export
Collapse

You need to find the public IP address of an instance that you're logged in to. What command would you use?

curl ftp://169.254.169.254/latest/meta-data/public-ipv4
curl ftp://169.254.169.254/latest/meta-data/public-ipv4
scp localhost/latest/meta-data/public-ipv4
scp localhost/latest/meta-data/public-ipv4
curl http://127.0.0.1/latest/meta-data/public-ipv4
curl http://127.0.0.1/latest/meta-data/public-ipv4
curl http://169.254.169.254/latest/meta-data/public-ipv4
curl http://169.254.169.254/latest/meta-data/public-ipv4
Suggested answer: D

Explanation:

Explanation: curl http://169.254.169.254/latest/meta-data/public-ipv4

asked 16/09/2024
Dario Esposito
35 questions

Question 92

Report
Export
Collapse

A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy. What is the MOST cost-effective solution to meet these requirements?

Move the EC2 instances to a dedicated VP
Move the EC2 instances to a dedicated VP
Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.
Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.
Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.
Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.
Suggested answer: A
asked 16/09/2024
IGNACIO CHICO TORRES
37 questions

Question 93

Report
Export
Collapse

AWS CloudTrail can be configured to ____ log files across multiple accounts and regions so that log files are delivered to a single bucket.

aggregate
aggregate
disperse
disperse
replicate
replicate
encrypt
encrypt
Suggested answer: A

Explanation:

Explanation:

You can configure CloudTrail to aggregate log files from multiple regions and deliver them to a single S3 bucket for a single account. Reference: https://aws.amazon.com/cloudtrail/

asked 16/09/2024
EMELINE LE QUENTREC
29 questions

Question 94

Report
Export
Collapse

You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached. What is the first part of the command you would use?

aws ec2 describe-network-acl
aws ec2 describe-network-acl
aws ec2 describe-instances
aws ec2 describe-instances
aws vpc describe-all
aws vpc describe-all
aws ec2 describe-security-groups
aws ec2 describe-security-groups
Suggested answer: B

Explanation:

Explanation: aws ec2 describe-instances will tell a significant amount of information about the instances in your account. Apply a filter to be able to see information about your instance. Describe-security-groups and describe-network-acl would not allow you to see which group is associated with your instance and aws vpc describe-all doesn't exist.

asked 16/09/2024
Kingsley Tibs
43 questions

Question 95

Report
Export
Collapse

Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.

You must prepare the system for global expansion. The end users must access the application with lowest latency. How should you use AWS services to meet these requirements?

Register the IP addresses of the service hosts as "A" records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
Register the IP addresses of the service hosts as "A" records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
Suggested answer: B
asked 16/09/2024
Sam Krupesh
38 questions

Question 96

Report
Export
Collapse

Which of these is not a requirement to set up a DX connection?

Support for 802.1q VLANs
Support for 802.1q VLANs
BGP MD5 Authentication
BGP MD5 Authentication
Autonegotiation enabled
Autonegotiation enabled
Single mode fiber capability
Single mode fiber capability
Suggested answer: C

Explanation:

Explanation:

Autonegotiation must be disabled.

asked 16/09/2024
Jeff Fazio
43 questions

Question 97

Report
Export
Collapse

A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?

Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
Suggested answer: D
asked 16/09/2024
Duc Hai
40 questions

Question 98

Report
Export
Collapse

You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period. What is the best course of action?

Configure the VPN as a static VPN instead of dynamic.
Configure the VPN as a static VPN instead of dynamic.
Configure AS_PATH Prepending on the DX connection to make it the less preferred path.
Configure AS_PATH Prepending on the DX connection to make it the less preferred path.
Advertise 10.0.0.0/9 and 10.128.0.0/9 over your VPN connection.
Advertise 10.0.0.0/9 and 10.128.0.0/9 over your VPN connection.
None of the above.
None of the above.
Suggested answer: D

Explanation:

Explanation:

A more specific route is the only way to force AWS to prefer a VPN connection over a DX connection. A /9 is not more specific than a /16.

asked 16/09/2024
Vageesh Shanmukha
48 questions

Question 99

Report
Export
Collapse

You are your company's AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPCDept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPCDept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.

Select the correct option from the list below.

Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Sharedinstances as the default peering bi-directional communication flag has been disabled.
Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Sharedinstances as the default peering bi-directional communication flag has been disabled.
Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication
Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication
All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.
All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.
Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Sharedinstances as the default peering bi-directional communication flag has been enabled.
Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Sharedinstances as the default peering bi-directional communication flag has been enabled.
Suggested answer: B

Explanation:

Explanation:

Answers A, C and D are incorrect answers as they reference a non-existing setting - there is no such thing as a "default peering bi-directional communication flag".

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html#oneto-two-vpcs-instances

asked 16/09/2024
TONG CHEE LOONG
35 questions

Question 100

Report
Export
Collapse

You have a hybrid environment in which your VPC queries your on-premises DNS server for up resources in your environment. The EC2 instances in your VPC are unable to resolve on-premises resources. What are two possible reasons for this problem? (Choose two.)

Your NACL is blocking UDP port 53 outbound
Your NACL is blocking UDP port 53 outbound
Your security group is blocking port 53 inbound
Your security group is blocking port 53 inbound
Your NACL is blocking TCP port 53 outbound.
Your NACL is blocking TCP port 53 outbound.
Your on-premises firewall is blocking port 443
Your on-premises firewall is blocking port 443
Suggested answer: A, C

Explanation:

Explanation:

DNS requires TCP and UDP port 53.

asked 16/09/2024
Andrea Ciovati
41 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?