ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 12

List of questions

Question 111

Report
Export
Collapse

You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.

EBS volume
EBS volume
EC2 instance
EC2 instance
S3 bucket
S3 bucket
Kinesis stream
Kinesis stream
Suggested answer: C

Explanation:

Explanation:

You can use the AWS CLI to turn on AWS Config. All it takes is the subscribe command and a few additional parameters.

The parameters are -s3-bucket, which specifies the S3 bucket to which AWS Config data will be saved, -sns-topic, which specifies to which SNS topic messages from AWS Config will be sent, and -iam-role, which is an IAM role containing appropriate permissions for AWS Config to access the resources it monitors.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/gs-cli-subscribe.html

asked 16/09/2024
Wessel Beulink
39 questions

Question 112

Report
Export
Collapse

You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

You configured the rule number to be too low.
You configured the rule number to be too low.
A NACL can't protect against a DDoS.
A NACL can't protect against a DDoS.
The DDoS isn't a TCP attack.
The DDoS isn't a TCP attack.
You need to add a deny rule outbound also since NACLs are stateful.
You need to add a deny rule outbound also since NACLs are stateful.
Suggested answer: C

Explanation:

Explanation:

The DDoS isn't a TCP attack (this time.) A DDoS can use several different protocols. NACLs are stateless. The lower the rule number, the higher the priority.

asked 16/09/2024
Ehsan Ali
40 questions

Question 113

Report
Export
Collapse

Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If your connection becomes unavailable, the communication with AWS cloud is lost. What is the best method to prevent this from happening?

AWS Direct Connect neither provides BGP nor provides the failover.
AWS Direct Connect neither provides BGP nor provides the failover.
AWS Direct Connect recommends to have the same configuration set up in a multi AZ zone to prevent such loss in connections.
AWS Direct Connect recommends to have the same configuration set up in a multi AZ zone to prevent such loss in connections.
AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection.
AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection.
AWS Direct connect does not have a provision to prevent the situation but when you design the system, it is recommended to request a back-up instance to which the traffic can be re-routed.
AWS Direct connect does not have a provision to prevent the situation but when you design the system, it is recommended to request a back-up instance to which the traffic can be re-routed.
Suggested answer: C

Explanation:

Explanation:

When configuring redundant connections with the AWS Direct Connect, and to provide for failover, we recommend that you request and configure two dedicated connections to the AWS. There are different configuration choices available when you provision two dedicated connections. You can either use Active/Active (BGP multipath) connection or Active/Passive (failover) connection to configure the two dedicated connections. Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantConnections

asked 16/09/2024
manuele groppi
30 questions

Question 114

Report
Export
Collapse

A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:

Amazon ANS-C00 image Question 114 201 09162024005350000000

The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC. Why is the solution failing to meet the compliance requirement?

The security group cannot filer outbound traffic to the Amazon DNS servers.
The security group cannot filer outbound traffic to the Amazon DNS servers.
The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
The security group cannot filter outbound traffic to destinations within the same VPC.
The security group cannot filter outbound traffic to destinations within the same VPC.
Suggested answer: C

Explanation:

Explanation:

If you've set up your EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53. Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

asked 16/09/2024
S Muchobor
37 questions

Question 115

Report
Export
Collapse

You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)

Create two subnets in the same AZ and create a placement group.
Create two subnets in the same AZ and create a placement group.
Set the MTU of your instances to 1500.
Set the MTU of your instances to 1500.
Create two subnets in different AZs and create a placement group.
Create two subnets in different AZs and create a placement group.
Ensure you choose instances that use enhanced networking.
Ensure you choose instances that use enhanced networking.
Suggested answer: A, D

Explanation:

Explanation:

A placement group can only be deployed in the same AZ and is only useful with enhanced networking instances.

asked 16/09/2024
HAO KANG SUNG
36 questions

Question 116

Report
Export
Collapse

You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

describe-compliance-by-resource
describe-compliance-by-resource
describe-compliance-by-config-rule
describe-compliance-by-config-rule
get-compliance-details-by-config-rule
get-compliance-details-by-config-rule
get-compliance-details-by-resource
get-compliance-details-by-resource
Suggested answer: C

Explanation:

Explanation:

You can use the get-compliance-details-by-config-rule command of the AWS Config CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule. Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

asked 16/09/2024
Yasser Mohamed Mohamed
45 questions

Question 117

Report
Export
Collapse

A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection. which includes a

private Virtual Interface (VIF), and a VPN connection to the on-premises data center.

For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?

Direct Connect BGP routes, static routes, longest prefix match, VPN BGP routes.
Direct Connect BGP routes, static routes, longest prefix match, VPN BGP routes.
Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes.
Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes.
Longest prefix match, static routes, Direct-Connect BGP routes, VPN BGP routes.
Longest prefix match, static routes, Direct-Connect BGP routes, VPN BGP routes.
Longest prefix match, VPN BGP routes, static routes, Direct Connect BGP routes.
Longest prefix match, VPN BGP routes, static routes, Direct Connect BGP routes.
Suggested answer: C
asked 16/09/2024
Sneh Fields
37 questions

Question 118

Report
Export
Collapse

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from onpremises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price. Which of the following connectivity options should you choose?

Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.
Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.
Suggested answer: D
asked 16/09/2024
Jorge Pinto
30 questions

Question 119

Report
Export
Collapse

In the context of Amazon CloudFront Actions, you use the _____ when specifying APIs in IAM policies.

object names
object names
class names
class names
entity names
entity names
action names
action names
Suggested answer: D

Explanation:

Explanation:

In an AWS IAM policy, you can specify any and all API actions that Amazon CloudFront offers. The action name must be prefixed with the lowercase string cloudfront. For example: cloudfront:GetDistributionConfig cloudfront:ListInvalidations cloudfront:* (for all CloudFront actions).

In the reference link, there are tables that list the canonical names for all CloudFront actions. Use these canonical names when specifying APIs in IAM policies. Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/UsingWithIAM.html

asked 16/09/2024
Slawomir Marcjanski
28 questions

Question 120

Report
Export
Collapse

What port and protocol is used by DNS?

80/TCP
80/TCP
22/TCP
22/TCP
80/TCP and UDP
80/TCP and UDP
53/TCP and UDP
53/TCP and UDP
Suggested answer: D

Explanation:

Explanation:

DNS uses port 53 and either TCP or UDP depending on what type of DNS message is being sent.

asked 16/09/2024
Adam Beke
40 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?