Amazon ANS-C00 Practice Test - Questions Answers, Page 12
List of questions
Question 111
You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.
Explanation:
You can use the AWS CLI to turn on AWS Config. All it takes is the subscribe command and a few additional parameters.
The parameters are --s3-bucket, which specifies the S3 bucket to which AWS Config data will be saved; --sns-topic, which specifies the SNS topic to which messages from AWS Config will be sent; and --iam-role, which is an IAM role with the permissions AWS Config needs to access the resources it monitors.
Reference: http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html
Question 112
You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
Explanation:
The DDoS isn't a TCP attack (this time). A DDoS can use several different protocols, so a rule that denies only TCP leaves UDP and ICMP floods unaffected. NACLs are stateless, and the lower the rule number, the higher the priority.
Question 113
Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If that connection becomes unavailable, communication with the AWS Cloud is lost. What is the best method to prevent this from happening?
Explanation:
When configuring redundant connections with AWS Direct Connect, and to provide for failover, AWS recommends that you request and configure two dedicated connections. There are different configuration choices available when you provision two dedicated connections: you can use either an Active/Active (BGP multipath) configuration or an Active/Passive (failover) configuration for the two connections.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantConnections
Question 114
A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:
The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC. Why is the solution failing to meet the compliance requirement?
Explanation:
If you've set up your EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.
Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
Question 115
You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)
Explanation:
A placement group can only be deployed in the same AZ and is only useful with enhanced networking instances.
Question 116
You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.
Explanation:
You can use the get-compliance-details-by-config-rule command of the AWS Config CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.
Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html
Question 117
A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection, which includes a private virtual interface (VIF), and a VPN connection to the on-premises data center.
For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?
Question 118
Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price. Which of the following connectivity options should you choose?
Question 119
In the context of Amazon CloudFront Actions, you use the _____ when specifying APIs in IAM policies.
Explanation:
In an AWS IAM policy, you can specify any and all API actions that Amazon CloudFront offers. The action name must be prefixed with the lowercase string cloudfront. For example: cloudfront:GetDistributionConfig, cloudfront:ListInvalidations, or cloudfront:* (for all CloudFront actions).
The reference link contains tables that list the canonical names for all CloudFront actions. Use these canonical names when specifying APIs in IAM policies.
Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/UsingWithIAM.html
Question 120
What port and protocol is used by DNS?
Explanation:
DNS uses port 53 over either TCP or UDP, depending on the type of DNS message being sent.
Question