ANS-C00 Online Practice Questions and Answers

Questions 4

A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization's security team, the VPN must meet the following requirements:

1. AES 128-bit encryption
2. SHA-1 hashing
3. User access via SSL VPN
4. PFS using DH Group 2
5. Ability to maintain/rotate keys and passwords
6. Certificate-based authentication

Which solution should you recommend so that the organization meets the requirements?

A. AWS hardware VPN between the virtual private gateway and customer gateway

B. A third-party VPN solution deployed from AWS Marketplace

C. A private MPLS solution from an international carrier

D. AWS hardware VPN between the virtual private gateways in each region

Questions 5

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. EC2 instances in neither the public nor the private subnet are able to access the S3 bucket.

What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

A. Add the CIDR address range of the private subnet to the S3 bucket policy.

B. Add the VPC-E identifier to the S3 bucket policy.

C. Add the VPC identifier for the production VPC to the S3 bucket policy.

D. Add the VPC-E identifier for the production VPC to endpoint policy.

Questions 6

What are 2 possible ALIAS records? (Choose two.)

A. DynamoDB

B. Elastic Beanstalk

C. CloudFront

D. EC2 Instance

Questions 7

You need to create a baseline of normal traffic flow in order to implement some security changes to your organization.

What two items would be best to use? (Choose two.)

A. Wireshark

B. CloudTrail

C. An IDS

D. CloudWatch

Questions 8

Your VPC has a DX connection that is advertising 99 routes. You have two more prefixes to add: 10.223.1.0/24 and 10.223.2.0/24. You have several locations, so you need to be as exact as possible with your routing.

How would you do this?

A. Add the prefixes; AWS allows for as many BGP routes as you need but not static.

B. Contact AWS to extend the number of prefixes you are allowed to advertise.

C. Summarize the routes into a 10.223.0.0/22 and advertise that route instead.

D. Summarize the routes into a 10.223.0.0/12 and advertise that route instead.

Questions 9

You need to create a subnet in a VPC that supports 1000 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?

A. /16

B. /24

C. /7

D. /22

Questions 10

Which service parses large Flow Logs for consumption by other programs such as Kibana?

A. S3

B. ElasticSearch

C. Elastic Beanstalk

D. Kinesis

Questions 11

What is the maximum number of CloudTrails that you can create per AWS region?

A. 10

B. 2

C. 16

D. 5

Questions 12

A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection, which includes a private Virtual Interface (VIF), and a VPN connection to the on-premises data center.

For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?

A. Direct Connect BGP routes; static routes; longest prefix match; VPN BGP routes.

B. Static routes; longest prefix match; Direct Connect BGP routes; VPN BGP routes.

C. Longest prefix match; static routes; Direct-Connect BGP routes; VPN BGP routes.

D. Longest prefix match; VPN BGP routes; static routes; Direct Connect BGP routes.

Questions 13

A financial services company that has on-premises infrastructure has acquired a startup company that has an API that is deployed in the AWS Cloud. As part of the acquisition, the financial services company has deployed an AWS Direct Connect private VIF to establish IP connectivity between the on-premises data center and the AWS environment.

Initial IP connectivity testing and bidirectional DNS resolution testing are successful. However, when business users attempt to connect to the API, a network administrator discovers IP subnet overlap between the financial services company's existing network and the startup company's AWS deployment.

A network architect receives the following diagram that summarizes the situation:

What is the MOST operationally efficient solution to enable the connectivity?

A. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy NAT gateways. Configure the virtual private gateway's next hop to be the NAT gateway. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the API servers.

B. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints in a target group that is associated with the NLB. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.

C. Provision additional subnets with a non-overlapping IP range in a new VPC. Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints as targets by IP address in a target group that is associated with the NLB. Peer the two VPCs together, and relocate the virtual private gateway into the new VPC. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.

D. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy a Network Load Balancer (NLB) across the existing subnets. Configure the API endpoints in a target group that is associated with the NLB. Configure a VPC endpoint service that targets the newly created NLB, and deploy VPC endpoints into the new subnet. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the VPC endpoints.

Exam Code: ANS-C00
Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C00)
Last Update: Jun 16, 2026
Questions: 414