ANS-C00 Online Practice Questions and Answers

Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location.

Which solution will meet this requirement, while minimizing downtime and costs?

A. Deploy a third-party vendor solution to perform deep packet inspection in a transit VPC.

B. Enable VPC Flow Logs on each VPC. Set up a stream of the flow logs to a central Amazon Elasticsearch cluster.

C. Enable Amazon Macie on each AWS account and configure central reporting.

D. Enable Amazon GuardDuty on each account as members of a central account.

A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable -‘app.example.com’.

Instances within the VPC should always connect to the private IP to minimize data transfer costs.

How should the engineer configure DNS to support these requirements?

A. Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

B. Create two A record entries for ‘app’ in the DNS zone ‘example.com’ - one for the public IP and one for the private IP.

C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.

D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

A company has two redundant AWS Direct Connect connections to a VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path. The company wants the primary Direct Connect connection to fail to the secondary in less than one second.

What should be done to meet this requirement?

A. Configure BGP on the company's router with a keep-alive to 300 ms and the BGP hold timer to 900 ms.

B. Enable Bidirectional Forwarding Detection (BFD) on the company's router with a detection minimum interval of 300 ms and a BFD liveness detection multiplier of 3.

C. Enable Dead Peer Detection (DPD) on the company's router with a detection minimum interval of 300 ms and a DPD liveliness detection multiplier of 3.

D. Enable Bidirectional Forwarding Detection (BFD) echo mode on the company's router and disable sending the Internet Control Message Protocol (ICMP) IP packet requests.

When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains another JSON string in its ____ parameter, which describes the event that triggered the rule.

A. resultToken

B. eventLeftScope

C. invokingEvent

D. configRuleName

When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this. (Choose two.)

A. Keep both tunnels up.

B. Configure AS_PATH prepending on one of the paths.

C. Turn off one of the paths until you need it.

D. Configure MED on one of the tunnels.

Your company is expanding its cloud infrastructure and moving many of its flat files and static assets to S3. You currently use a VPN to access your compute infrastructure, but you require more reliability for your static files as you are offloading all of your important data to AWS. What is your best course of action while keeping costs low?

A. Create a Direct Connect connection using a Private VIF to access both compute and S3 resources.

B. Create an S3 endpoint and create a route to the endpoint prefix list for your VPN to allow access to your S3 resources.

C. Create two Direct Connect connections. Each connected to a Private VIF to ensure maximum resiliency.

D. Create a Direct Connect connection using a Public VIF and route your VPN over the DX connection to your VPN endpoint.

You are a network engineer at a company that just purchased a DX connection. You ensured your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly.

What could be the problem?

A. The CAT6 cable is frayed.

B. Autonegotiation is enabled.

C. You are using 802.1q VLANs instead of 802.1w.

D. BFD is disabled.

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Link, which step is NOT required?

A. Provide public IP address (/31) for each Border Gateway Protocol (BGP) session.

B. Allocate a Private IP address to your network in 172.x.x.x range.

C. Provide the public routes that you will advertise over Border Gateway Protocol (BGP).

D. Provide a public Autonomous System Number (ASN) that you own or a private one to identify your network on the Internet.

In the context of CloudFront RTMP Distribution, the Adobe Flash Media Server _________ file specifies which domains can access media files in a particular domain.

A. accessdomain.JSON

B. crossdomain.xml

C. accessdomain.xml

D. crossdomain.JSON

A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers. The company does not want to implement an access management solution that requires additional costs or effort.

Which solution meets these requirements?

A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.

B. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.

C. Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP.

D. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.