
ANS-C01 Online Practice Questions and Answers

Question 4

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application. What is the MOST operationally efficient solution that meets these requirements?

A. Configure the ALB to store logs in an Amazon S3 bucket. Download the files from Amazon S3, and use a spreadsheet application to analyze the logs.

B. Configure the ALB to push logs to Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to analyze the logs.

C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon OpenSearch Service (Amazon Elasticsearch Service). Use search operations in Amazon OpenSearch Service (Amazon Elasticsearch Service) to analyze the data.

D. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.

Question 5

A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. Which solution will meet these requirements?

A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.

B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.

C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.

D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

Question 6

A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic. What is causing the traffic to drop?

A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.

B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.

C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.

D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs.

Question 7

A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications. Which solution will meet these requirements with the LEAST operational overhead?

A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.

B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

Question 8

A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit. Which solution will meet these requirements?

A. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to access Amazon S3. Use HTTPS for communication.

B. Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.

C. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.

D. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to the transit gateway. Create an attachment for Amazon S3. Use HTTPS for communication.

Question 9

A company has a hybrid cloud environment. The company's data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.

B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.

C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.

D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.

E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises.

F. Access the SQS endpoint by using the private DNS name of the interface endpoint .sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.

Question 10

A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?

A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.

C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.

D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Question 11

A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets.

All outbound internet traffic in the private subnets must be audited and logged. The company's network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting.

How should the network engineer configure Network Firewall logging to meet these requirements?

A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.

B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.

C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.

D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.

Question 12

A company has two business units (BUs). The company operates in the us-east-1 Region and the us-west-1 Region. The company plans to extend to more Regions in the future. Each BU has a VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered.

The company will create several more BUs in the future and will need to isolate some of the BUs from the other BUs. The company wants to migrate to an architecture to incorporate more Regions and BUs.

Which solution will meet these requirements with the MOST operational efficiency?

A. Create a new transit gateway for each new BU in each Region. Peer the new transit gateways with the existing transit gateways. Update the route tables to control traffic between BUs.

B. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Use segment actions to control traffic between segments.

C. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Configure the segments to isolate attachments to control traffic between segments.

D. Attach new VPCs to the existing transit gateways. Update route tables to control traffic between BUs.

Question 13

A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company's on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.

During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.

Which combination of steps will meet these requirements? (Choose three.)

A. Create an AWS WAF web ACL that includes rules to block SQL injection attacks.

B. Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.

C. Replace the NLB with an Application Load Balancer.

D. Associate the AWS WAF web ACL with the NLB.

E. Associate the AWS WAF web ACL with the Application Load Balancer.

F. Associate the AWS WAF web ACL with the Amazon CloudFront distribution.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
Last Update: Jan 17, 2025
Questions: 240