Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty

Amazon Web Services ANS-C01 Premium Access     Download Demo    
Page: 3 / 8
Total 288 questions

A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group.

The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone.

What is the MOST operationally efficient solution to resolve this issue?

A.

Enable the new Availability Zone on the NLB

B.

Create a new NLB for the instances in the second Availability Zone

C.

Enable proxy protocol on the NLB

D.

Create a new target group with the instances in both Availability Zones

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

A.

Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

B.

Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

C.

Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.

D.

Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates.

The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data.

Which combination of steps will meet these requirements? (Choose two.)

A.

Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.

B.

Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.

C.

Upload the private key that handles the encryption of the sensitive data to theCloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

D.

Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.

E.

Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups.

A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances.

Which solution will meet this requirement with the LEAST implementation and administrative effort?

A.

Create a network ACL for each application. Reference the network ACL in the stateful rule group.

B.

Create a prefix list for each application. Reference the prefix list in the stateful rule group.

C.

Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.

D.

Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.

A company's AWS infrastructure is spread across more than 50 accounts and across five AWS Regions. The company needs to manage its security posture with simplified administration and maintenance for all the AWS accounts. The company wants to use AWS Firewall Manager to manage the firewall rules and requirements.

The company creates an organization with all features enabled in AWS Organizations.

Which combination of steps should the company take next to meet the requirements? (Select THREE.)

A.

Configure only the Firewall Manager administrator account to join the organization.

B.

Configure all the accounts to join the organization.

C.

Set an account as the Firewall Manager administrator account.

D.

Set an account as the Firewall Manager child account.

E.

Set up AWS Config for all the accounts and all the Regions where the company has resources.

F.

Set up AWS Config for only the organization's management account.

A company uses the us-east-1 Region and the ap-south-1 Region for its business units (BUs). The BUs are named BU-1 and BU-2. For each BU. there are two VPCs in us-east-1 and one VPC in ap-south-1.

Because of workload isolation requirements, resources can communicate within the same BU but cannot communicate with resources in the other BU. The company plans to add more BUs and plans to expand into more Regions.

Which solution will meet these requirements with the MOST operational efficiency?

A.

Configure an AWS Cloud WAN network that operates in the required Regions Attach all BU VPCs to the AWS Cloud WAN core network. Update the AWS Cloud WAN segment actions to configure new routes to deny traffic between the different BU segments.

B.

Configure a transit gateway in each Region. Configure peering between the transit gateways. Attach the BU VPCs to the transit gateway in the corresponding Region. Configure the transit gateway and VPC route tables to isolate traffic between BU VPCs.

C.

Configure an AWS Cloud WAN network that operates in the required Regions. Attach all BU VPCs to the AWS Cloud WAN core network. Update the core network policy by setting the isolate-attachments parameter for each segment.

D.

Configure an AWS Cloud WAN network that operates in the required Regions. Create AWS Cloud WAN segments for each BU. Configure VPC attachments for each BU's VPCs to the corresponding BU segment.

A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company's on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.

During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.

Which combination of steps will meet these requirements? (Select THREE.)

A.

Create an AWS WAF web ACL that includes rules to block SQL injection attacks

B.

Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.

C.

Replace the NLB with an Application Load Balancer

D.

Associate the AWS WAF web ACL with the NLB.

E.

Associate the AWS WAF web ACL with the Application Load Balancer.

F.

Associate the AWS WAF web ACL with the Amazon CloudFront distribution.

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

A.

The NAT gateway does not support UDP traffic.

B.

The authentication server is not accepting traffic.

C.

The NAT gateway cannot allocate more ports.

D.

The NAT gateway is launched in a private subnet.

A company is building a new workload on AWS that uses an Application Load Balancer (ALB) The company has configured a new ALB target group that uses slow start mode. A team begins registering Amazon EC2 Instances as targets in the new target group. During testing, the team observes that the targets did not enter slow start mode.

What caused the targets to not enter slow start mode?

A.

The ALB configuration uses the round robin routing algorithm for traffic.

B.

The target group did not contain at least one healthy target configured in slow start mode.

C.

The target group must contain EC2 instances that are all the same instance type.

D.

The ALB configuration uses the 5-tuple criteria for traffic.

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a targetof the Internet gateway.

The instance has a security group configured to allow as follows:

    Protocol: TCP

    Port: 80 inbound, nothing outbound

The Network ACL for the subnet is configured to allow as follows:

    Protocol: TCP

    Port: 80 inbound, nothing outbound

When you try to browse to the web server, you receive no response.

Which additional step should you take to receive a successful response?

A.

Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80

B.

Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535

C.

Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80

D.

Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535