ANS-C00 Online Practice Questions and Answers

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

A. Use inbound security group rules to block the IP addresses.

B. Use inbound network ACL rules to block the IP addresses.

C. Use AWS WAF to block the IP addresses.

D. Write iptables rules on the instance to block the IP addresses.

Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.

The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.

Which step should you take to meet the requirements?

A. Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.

B. Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.

C. Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.

D. Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)

A. AWS Config

B. AWS Simple Notification Service

C. AWS CloudWatch metrics

D. AWS Lambda

E. AWS CloudFormation

F. AWS Identify and Access Management

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.

You are migrating your PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.

How should you configure CloudFront to meet this requirement?

A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin's Protocol Policy to ‘Match Viewer’.

B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.

C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.

D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.

A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

A. AWS Route53

B. AWS EMR

C. AWS ELB

D. AWS RDS

You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. You know you configured CloudFront to use cdn.yourdomain.com. What is the most likely reason why your users not seeing the images?

A. There is no rule in your bucket policy allowing public access.

B. The images in S3 are saved as .png instead of .jpg.

C. There is no record in Route 53 pointing cdn.yourdomain.com to the ALIAS.

D. The users are using Internet Explorer.

You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?

A. Set all MTU to 1500 as that is the best way to ensure compatibility.

B. Leave everything as is.

C. Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.

D. Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.

Which of these metrics cannot help detect a DDoS?

A. EC2 CPUUtilization

B. ELB SurgeQueueLength

C. EMR EMRspersecond

D. CloudFront Requests

In AWS, which tool records API calls for a specific AWS account and also delivers the log files for that account?

A. CloudTrail

B. Redshift

C. Beanstalk

D. Cognito

A company has a hybrid architecture with dual AWS Direct Connect connections and applications running in the AWS Cloud and on premises. The company uses its on-premises DNS servers to provide name resolution for is internal domain company.com. The company uses an Amazon Route 53 private hosted zone, aws.company.com, for resolution of AWS resource records.

A new application that runs on Amazon EC2 in the company's VPC needs to resolve records in the company.com domain and on other AWS resources.

What should the company do to meet these requirements?

A. Create a new DHCP options set. Configure the DHCP options set name servers to be the on-premises DNS servers, and configure the domain name to be company.com. Assign the DHCP options set to the VPC with the EC2 instances.

B. Create Route 53 Resolver outbound endpoints in each subnet in the VPC. Configure a Route 53 forwarding rule with a rule type of Forward for company.com that points to the on-premises DNS servers. Configure a Route 53 forwarding rule with a rule type of System for aws.company.com.

C. Create Route 53 Resolver outbound endpoints in each subnet in the VPC. Configure conditional forwarding rules on the on-premises DNS servers to forward queries for the domain aws.company.com to the Route 53 Resolver endpoints. Modify the DHCP options set to configure instances to resolve hostnames using the on-premises DNS servers.

D. Create a private hosted zone for company.com within the AWS account. Create Route 53 Resolver inbound endpoints in each subnet in the VPC. Configure the on-premises DNS servers to send outbound zone transfers for company.com to the Route 53 Resolver endpoints.