Amazon ANS-C00 Exam Practice Test Instant Access

Question 1

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.

Which two AWS Services cloud you leverage to build an automated notification system? (Select two.)

AInternet gateway

BVPC Flow Logs

CAWS CloudTrail

DLambda

EAWS Inspector

Answer : B, D

Question 2

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.

You are migrating your PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.

How should you configure CloudFront to meet this requirement?

AConfigure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin's Protocol Policy to 'Match Viewer'.

BConfigure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.

CConfigure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.

DConfigure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.

Answer : A

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy

Question 3

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Select two.)

APublic AS number

BVLAN ID

CIP prefixes to advertise

DDirect Connect location

EVirtual private gateway

Answer : B, E

Question 4

You are preparing to launch Amazon WorkSpaces and need to configure the appropriate networking resources. What must be configured to meet this requirement?

AAt least two subnets in different Availability Zones.

BA dedicated VPC with Active Directory Services.

CAn IPsec VPN to on-premises Active Directory

DNetwork address translation for outbound traffic.

Answer : A, D

Question 5

Your organization uses a VPN to connect to your VPC but must upgrade to a 1-G AWS Direct Connect connection for stability and performance. Your telecommunications provider has provisioned the circuit from your data center to an AWS Direct Connect facility and needs information on how to cross-connect (e.g., which rack/port to connect).

What is the AWS-recommended procedure for providing this information?

ACreate a support ticket. Provide your AWS account number and telecommunications company's name and where you need the Direct Connect connection to terminate.

BCreate a new connection through your AWS Management Console and wait for an email from AWS with information.

CAsk your telecommunications provider to contact AWS through an AWS Partner Channel. Provide your AWS account number.

DContact an AWS Account Manager and provide your AWS account number, telecommunications company's name, and where you need the Direct Connect connection to terminate.

Answer : B

https://aws.amazon.com/premiumsupport/knowledge-center/provision-direct-connection/ https://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html

Question 6

Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone ''awscloud:internal'' from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS Resolver has standard root server hints configured and conditional forwarding for ''awscloud.internal'' to the IP address 192.168.0.2.

From your PC on the corporate network, you query the DNS server at 192.168.10.5 for www.amazon.com. The query is successful and returns the appropriate response. When you query for ''server.awscloud.internal'', the query times out. You receive no response.

How should you enable successful queries for ''server.awscloud.internal''?

AAttach an internet gateway to the VPC and create a default route.

BConfigure the VPC settings for enableDnsHostnames and enableDnsSupport as True

CRelocate the BIND DNS Resolver to the corporate network.

DUpdate the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.

Answer : B

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-creating.html

the 'AmazonProvideDNS' server reserved by each VPC. Also it mentioned the PHZ (Privated Hosted Zone) is hosted in Route 53, thus you need to make sure both 'enableDNS' and 'enableHostName' are enabled in your VPC

Question 7

You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL.

Which of the following solutions should you deploy? (Select two.)

AInclude s3.amazonaws.com in the whitelist.

BCreate a VPC endpoint for S3.

CRun Squid proxy on a NAT instance.

DDeploy a NAT gateway into your VPC.

EUtilize a security group to restrict access.

Answer : B, C

https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/

Amazon ANS-C00 AWS Advanced Networking Specialty Exam Practice Test