A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs.
Which route table configurations on the transit gateway will meet these requirements?
A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
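A quick way to reason about options like these before touching a transit gateway is to model each route table as an association set (attachments whose outbound traffic is looked up in that table) and a propagation set (attachments whose CIDRs appear as routes in it), then compute which pairs can complete a session. The script below is an added example written for this page, not AWS code or part of the question set. The attachment names prod, nonprod and shared and the two table layouts are constructed for illustration; it assumes the transit gateway rule that each attachment is associated with exactly one route table, and that a TCP session needs a route in both directions.

```python
"""Model Transit Gateway route tables as association/propagation sets and
check which VPC attachments can complete a session. Added example;
attachment and table names are constructed, not taken from a real account."""
from dataclasses import dataclass, field
from itertools import permutations


@dataclass
class TgwRouteTable:
    name: str
    # attachments whose outbound traffic is looked up in this table
    associations: set = field(default_factory=set)
    # attachments whose CIDRs are propagated into this table as routes
    propagations: set = field(default_factory=set)


def validate(tables):
    """A TGW attachment can be associated with at most one route table."""
    seen = {}
    for t in tables:
        for att in t.associations:
            if att in seen:
                raise ValueError(f"{att} is associated with both {seen[att]} and {t.name}")
            seen[att] = t.name


def associated_table(tables, attachment):
    for t in tables:
        if attachment in t.associations:
            return t
    return None


def has_route(tables, src, dst):
    """src can forward to dst if the table src is associated with carries a
    propagated route for dst (static routes are omitted in this model)."""
    t = associated_table(tables, src)
    return t is not None and dst in t.propagations


def session_possible(tables, a, b):
    """Return traffic also needs a route, so require both directions."""
    return has_route(tables, a, b) and has_route(tables, b, a)


def reachability_matrix(tables, attachments):
    validate(tables)
    return {(a, b): session_possible(tables, a, b)
            for a, b in permutations(attachments, 2)}


ATTACHMENTS = ("prod", "nonprod", "shared")

# Layout 1: spokes share one table that only knows the shared services VPC;
# the shared services attachment has its own table that knows both spokes.
ISOLATED = [
    TgwRouteTable("spokes", associations={"prod", "nonprod"}, propagations={"shared"}),
    TgwRouteTable("shared", associations={"shared"}, propagations={"prod", "nonprod"}),
]

# Layout 2: a single table with every attachment associated and propagated
# (the transit gateway default), which gives full mesh connectivity.
FLAT = [
    TgwRouteTable("default", associations=set(ATTACHMENTS), propagations=set(ATTACHMENTS)),
]

if __name__ == "__main__":
    for label, layout in (("isolated", ISOLATED), ("flat", FLAT)):
        print(label)
        for (a, b), ok in sorted(reachability_matrix(layout, ATTACHMENTS).items()):
            print(f"  {a:8} -> {b:8} {'ok' if ok else 'blocked'}")
```

The model deliberately leaves out static routes and blackhole entries; if you add a static route to a spoke table, extend has_route accordingly, because a static 0.0.0.0/0 in the spokes table would reopen the path the propagation design closed.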
A company is in the early stage of AWS Cloud adoption. The company has an application that is running in an on-premises data center in Asia. The company needs to deploy new applications in the us-east-1 Region. The applications in the cloud need connectivity to the on-premises data center.
The company needs to set up a communication channel between AWS and the data center. The solution must improve latency, minimize the possibility of performance impact from transcontinental routing over the public internet, and encrypt data in transit.
Which solution will meet these requirements in the LEAST amount of time?
A. Create an AWS Site-to-Site VPN connection with acceleration turned on. Create a virtual private gateway. Attach the Site-to-Site VPN connection to the virtual private gateway. Attach the virtual private gateway to the VPC where the applications will be deployed.
B. Create an AWS Site-to-Site VPN connection with acceleration turned on. Create a transit gateway. Attach the Site-to-Site VPN connection to the transit gateway. Create a transit gateway attachment to the VPC where the applications will be deployed.
C. Create an AWS Direct Connect connection. Create a virtual private gateway. Create a public VIF and a private VIF that use the virtual private gateway. Create an AWS Site-to-Site VPN connection over the public VIF.
D. Create an AWS Site-to-Site VPN connection with acceleration turned off. Create a transit gateway. Attach the Site-to-Site VPN connection to the transit gateway. Create a transit gateway attachment to the VPC where the applications will be deployed.
A company's application is deployed on Amazon EC2 instances in a single VPC in an AWS Region. The EC2 instances are running in two Availability Zones. The company decides to use a fleet of traffic inspection instances from AWS Marketplace to inspect traffic between the VPC and the internet. The company is performing tests before the company deploys the architecture into production.
The fleet is located in a shared inspection VPC behind a Gateway Load Balancer (GWLB). To minimize the cost of the solution, the company deployed only one inspection instance in each Availability Zone that the application uses.
During tests, a network engineer notices that traffic inspection works as expected when the network is stable. However, during maintenance of the inspection instances, the internet sessions time out for some application instances. The application instances are not able to establish new sessions.
Which combination of steps will remediate these issues? (Choose two.)
A. Deploy one inspection instance in the Availability Zones that do not have inspection instances deployed.
B. Deploy one additional inspection instance in each Availability Zone where the inspection instances are deployed.
C. Enable the cross-zone load balancing attribute for the GWLB.
D. Deploy inspection instances in an Auto Scaling group. Define a scaling policy that is based on CPU load.
E. Attach the GWLB to all Availability Zones in the Region.
A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points.
Which solution will meet these requirements?
A. Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.
B. Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.
C. Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.
D. Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.
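The payload-bytes requirement in this question separates metadata sources from packet sources: flow logs record the 5-tuple and counters, while a traffic mirror target receives a copy of each mirrored frame, VXLAN-encapsulated and delivered on UDP port 4789. The decoder below is an added example written for this page, not AWS code or part of the question set. It assumes the inner frame is Ethernet/IPv4/TCP (IPv6 and non-TCP packets are skipped), ignores checksums, and builds its own sample packets inline, so the data is constructed and the script runs offline.

```python
"""Decode a VXLAN-encapsulated mirrored packet and extract the 5-tuple plus
the first N bytes of TCP payload. Added example; sample packets are
constructed in build_sample_packet, not captured from a real mirror session."""
import socket
import struct

VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_mirrored_packet(vxlan_pkt: bytes, payload_bytes: int = 8):
    """vxlan_pkt is the UDP payload the mirror target receives on port 4789.
    Returns a dict with the 5-tuple and payload head, or None when the
    inner packet is not IPv4/TCP."""
    if len(vxlan_pkt) < VXLAN_HDR_LEN + ETH_HDR_LEN + 20:
        raise ValueError("packet too short for VXLAN + Ethernet + IPv4 headers")
    if not vxlan_pkt[0] & 0x08:
        raise ValueError("VXLAN header without the I flag; VNI is not valid")
    vni = int.from_bytes(vxlan_pkt[4:7], "big")      # 24-bit VNI = mirror session
    frame = vxlan_pkt[VXLAN_HDR_LEN:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                         # header length incl. options
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IPPROTO_TCP:
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]                          # also strips Ethernet padding
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                    # TCP header length incl. options
    payload = tcp[data_off:data_off + payload_bytes]  # may be shorter if truncated
    return {"vni": vni, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "payload_head": payload}


def build_sample_packet(src_ip, dst_ip, src_port, dst_port, payload,
                        vni=0x1234, proto=IPPROTO_TCP):
    """Construct a VXLAN/Ethernet/IPv4/TCP (or UDP) packet for offline testing.
    Checksums are left at zero; the parser does not verify them."""
    if proto == IPPROTO_TCP:
        # sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    return vxlan + eth + ip + l4


if __name__ == "__main__":
    pkt = build_sample_packet("10.0.1.23", "93.184.216.34", 51234, 80,
                              b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    print(parse_mirrored_packet(pkt))
```

A real target reads these packets from a UDP socket bound to 4789 and writes the returned dict to whatever store the analysis runs on. The mirror session's packet length setting can truncate the inner frame, so payload_head may come back with fewer than 8 bytes; treat a short slice as truncation rather than as a parse failure.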
A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates.
The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data.
Which combination of steps will meet these requirements? (Choose two.)
A. Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.
B. Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.
C. Upload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.
D. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.
E. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.
A company has a public application. The application uses an Application Load Balancer (ALB) that has a target group of Amazon EC2 instances.
The company wants to protect the application from security issues in web requests. The traffic to the application must have end-to-end encryption. Which solution will meet these requirements?
A. Configure a Network Load Balancer (NLB) that has a target group of the existing EC2 instances. Configure TLS connections to terminate on the EC2 instances that use a public certificate. Configure an AWS WAF web ACL. Associate the web ACL with the NLB.
B. Configure TLS connections to terminate at the ALB that uses a public certificate. Configure AWS Certificate Manager (ACM) certificates for the communication between the ALB and the EC2 instances. Configure an AWS WAF web ACL. Associate the web ACL with the ALB.
C. Configure a Network Load Balancer (NLB) that has a target group of the existing EC2 instances. Configure TLS connections to terminate at the EC2 instances by creating a TLS listener. Configure self-signed certificates on the EC2 instances for the communication between the NLB and the EC2 instances. Configure an AWS WAF web ACL. Associate the web ACL with the NLB.
D. Configure a third-party certificate on the EC2 instances for the communication between the ALB and the EC2 instances. Import the third-party certificate into AWS Certificate Manager (ACM). Associate the imported certificate with the ALB. Configure TLS connections to terminate at the ALB. Configure an AWS WAF web ACL. Associate the web ACL with the ALB.
An education agency is preparing for its annual competition between schools. In the competition, students at schools from around the country solve math problems, complete puzzles, and write essays.
The IP addressing plan of all the schools is well-known and is administered centrally. The competition is hosted in the AWS Cloud and is not publicly available. All competition traffic must be encrypted in transit. Only authorized endpoints can access the competition. All the schools have firewall policies that block ICMP traffic.
A network engineer builds a solution in which all the schools access the competition through AWS Site-to-Site VPN connections. The network engineer uses BGP as the routing protocol. The network engineer must implement a solution that notifies schools when they lose connectivity and need to take action on their premises to address the issue.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)
A. Monitor the state of the VPN tunnels by using Amazon CloudWatch. Create a CloudWatch alarm that uses Amazon Simple Notification Service (Amazon SNS) to notify people at the affected school if the tunnels are down.
B. Create a scheduled AWS Lambda function that pings each school's on-premises customer gateway device. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if the ping fails.
C. Create a scheduled AWS Lambda function that uses the VPC Reachability Analyzer API to verify the connectivity. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if failure occurs.
D. Create an Amazon CloudWatch dashboard for each school to show all CloudWatch metrics for each school's Site-to-Site VPN connection. Share each dashboard with the appropriate school.
E. Create a scheduled AWS Lambda function to monitor the existence of each school's routes in the VPC route table where VPN routes are propagated. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if failure occurs.
A company securely connects resources that are in its VPC to a software as a service (SaaS) solution from a SaaS provider. The SaaS solution is hosted in the AWS Cloud and is powered by AWS PrivateLink. The company uses a PrivateLink endpoint to access the SaaS solution behind the SaaS provider's Network Load Balancer (NLB).
The company recently added a new Availability Zone and new subnets to its VPC. A network engineer is unable to deploy a new interface VPC endpoint for the SaaS solution in the new Availability Zone.
What is the cause of this problem?
A. The CIDR block of the new subnets conflicts with the SaaS provider's CIDR block.
B. The enableDnsHostnames attribute and enableDnsSupport attribute were not configured on the new subnets in the new Availability Zone.
C. The SaaS provider does not offer the solution in the new Availability Zone and has not configured cross-zone load balancing for the NLB.
D. The new subnets are missing a route to the VPC internet gateway.
A company needs to protect against potential botnet command and control traffic from any Amazon EC2 instances that are in the company's AWS environment.
Which solution will meet these requirements?
A. Use AWS Shield Advanced. Activate Shield Advanced protections on the EC2 instances to filter and block botnet traffic.
B. Use Amazon Route 53 Resolver DNS Firewall. Add a rule to a rule group to use the AWSManagedDomainsBotnetCommandandControl managed domain list with an action to block botnet traffic.
C. Use AWS WAF Bot Control. Configure a managed rule group that uses an AWS managed rule set to block botnet traffic.
D. Use AWS Systems Manager. Run a Systems Manager Automation runbook on the EC2 instances to configure the instances to block botnet traffic.
A company is using third-party firewall appliances to monitor and inspect traffic on premises. The company wants to use the same model on AWS. The company has a single VPC with an internet gateway. The VPC has a fleet of web servers that run on Amazon EC2 instances that are managed by an Auto Scaling group.
The company's network team needs to work with the security team to establish inline inspection of all packets that are sent to and from the web servers. The solution must scale as the fleet of virtual firewall appliances scales.
Which combination of steps should the network team take to implement this solution? (Choose three.)
A. Create a new VPC, and deploy a fleet of firewall appliances. Create a Gateway Load Balancer. Add the firewall appliances as targets.
B. Create a security group for use with the firewall appliances, and allow port 443. Allow a port for the Gateway Load Balancer to perform health checks.
C. Create a security group for use with the firewall appliances, and allow port 6081. Allow a port for the Gateway Load Balancer to perform health checks.
D. Deploy a fleet of firewall appliances to the existing VPC. Create a Gateway Load Balancer. Add the firewall appliances as targets.
E. Update the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer. Update the subnet route table that is associated with the Gateway Load Balancer endpoint to direct internet traffic to the internet gateway.
F. Create a new route table inside the web server VPC. Create a new edge association with the internet gateway. Update the internet gateway route table and the web server route table to send traffic to and from the internet to the VPC endpoint ID of the Gateway Load Balancer. Update the subnet route table that is associated with the Gateway Load Balancer endpoint to direct internet traffic to the internet gateway.