[Nov-2021] ANS-C00 exam torrent Amazon study guide [Q40-Q60]


Use Valid New ANS-C00 Test Notes & ANS-C00 Valid Exam Guide

NEW QUESTION 40
Which statement about VPC endpoints is incorrect?
Choose the correct answer:

  • A. Endpoints are transitive for Direct Connect connections.
  • B. Endpoints cannot be extended out of a VPC.
  • C. Endpoints cannot be tagged.
  • D. An S3 endpoint allows Amazon AMIs to install some software.

Answer: A

Explanation:
Endpoints are not transitive for Direct Connect connections or any other connections. To access S3 resources through an endpoint from outside of a VPC, an EC2 proxy must be used.

 

NEW QUESTION 41
A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service.
Which of the below mentioned statements helps the user understand detailed monitoring better?

  • A. SNS will send data every minute after configuration
  • B. There is no need to enable since SNS provides data every minute
  • C. AWS CloudWatch does not support monitoring for SNS
  • D. SNS cannot provide data every minute

Answer: D

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html

 

NEW QUESTION 42
Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client's IP address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?

  • A. Use X-Forwarded-For with security groups to apply the Geographic Restriction.
  • B. Modify the application code to use value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.
  • C. Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.
  • D. Modify the nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the Geographic Restriction.

Answer: D

 

NEW QUESTION 43
Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a "backdoor", and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

  • A. EC2 instances in the same region with access to the Internet could directly reach the router.
  • B. Direct Connect customers with a Public VIF in the same region could directly reach the router.
  • C. The S3 service could reach the router through a pre-configured VPC Endpoint.
  • D. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.

Answer: D

 

NEW QUESTION 44
Your company is connecting one data center with one router to several VPCs and needs to access them transitively. What should you do?
Choose the correct answer:

  • A. Just connect; VPCs are transitive in nature.
  • B. Use a transit VPC with a VPN running on one or more EC2 instances to route traffic between the VPCs.
  • C. Create a VPN to one VPC and peer the others.
  • D. This is not possible.

Answer: B

Explanation:
VPCs are not transitive, so you will need a "transit VPN" in order to route between the VPCs.

 

NEW QUESTION 45
You have two enhanced networking capable instances in a placement group. One with an Intel network interface and one with an ENA. What network speed will be achieved between the two?
Choose the correct answer:

  • A. 20Gbps
  • B. You cannot have different network interfaces in a placement group.
  • C. 10Gbps
  • D. 5Gbps

Answer: C

Explanation:
10Gbps. The Intel interface has a max speed of 10 and the ENA is 20. The speed will be the lesser of the two.

 

NEW QUESTION 46
You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?

  • A. AWS CLI
  • B. CloudWatch Logs
  • C. Wireshark
  • D. VPC Flow Logs

Answer: C

Explanation:
References: https://www.slideshare.net/TeriRadichel/packet-capture-on-aws

 

NEW QUESTION 47
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?

  • A. Update the on-premises forwarders with the four name servers assigned to the private hosted zone.
  • B. Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
  • C. Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
  • D. Modify the network access control list on the VPC to allow DNS queries from on-premises systems.

Answer: C

 

NEW QUESTION 48
A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the below-mentioned points should the user take care of while sending the data to CloudWatch?

  • A. The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests
  • B. The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests
  • C. The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests
  • D. The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests

Answer: A

Explanation:
With AWS CloudWatch, the user can publish data points for a metric that share not only the same time stamp, but also the same namespace and dimensions. CloudWatch can accept multiple data points in the same PutMetricData call with the same time stamp. The only thing that the user needs to take care of is that the size of a PutMetricData request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html

 

NEW QUESTION 49
An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

  • A. Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.
  • B. Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
  • C. Add multiple CloudHSM instances to the cluster; requests to it will automatically load balance.
  • D. Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.

Answer: C

Explanation:
https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html#cluster-high-availability-load-balancing

 

NEW QUESTION 50
You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to monitor your changes. What else is required to find out who made the change?
Choose the correct answer:

  • A. Use the eventId of the change and reference it with CloudTrail to find the culprit.
  • B. Use the eventID of the change and reference it with your Flow Logs.
  • C. There is no information to find this. You will need to sign up for Config Premium.
  • D. Use the eventID of the change and reference it with CloudWatch to find the culprit.

Answer: A

Explanation:
CloudTrail is for finding "who" performed an action.

 

NEW QUESTION 51
A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees. The company is evaluating Amazon Workspaces as a solution. A network engineer who is testing with a thin client is unable to connect to Amazon Workspaces. After entering credentials, the network engineer receives the following error:
"An error occurred while launching your Workspace. Please try again"
What should the network engineer do to resolve this issue?

  • A. Update the company's corporate firewall to allow outbound access to UDP on port 4172 and TCP on port 4172. Open inbound ephemeral ports explicitly to allow return communication.
  • B. Update the company's corporate firewall to allow inbound access to UDP on port 4172 and TCP on port 4172. Open outbound ephemeral ports explicitly to allow return communication.
  • C. Update the inbound rules on the security group assigned to Amazon Workspaces to allow UDP on port 4172 and TCP on port 4172
  • D. Update the inbound rules on the network ACL on the subnets used for Amazon Workspaces to allow UDP on port 4172 and TCP on port 4172

Answer: C

 

NEW QUESTION 52
Your company wishes to improve the performance of its EC2 instances. They require low latency and high throughput. They are currently deployed on T2.medium. It is imperative that you experience as little downtime as possible, but cost and performance are most important. How should you accomplish this?
Choose the correct answer:

  • A. Create AMIs from the instances, deploy the instances as i3.large, and start those instances in a placement group.
  • B. Add an extra ENI to the instances and team them to provide greater throughput.
  • C. Stop the instances and restart them in a placement group.
  • D. Create AMIs from the instances, create new instances on t2.medium, and start those instances in a placement group.

Answer: A

Explanation:
T2.medium is not compatible with placement groups. You cannot team ENIs to add more throughput on AWS.

 

NEW QUESTION 53
You manage a web service that is used by client applications deployed in 300 offices worldwide. The web service architecture is an Elastic Load Balancer (ELB) distributing traffic across four application servers deployed in an Auto Scaling group across two Availability Zones.
The ELB is configured to use round robin, and sticky sessions are disabled. You have configured the NACLs and Security Groups to allow port 22 from your bastion host, and port 80 from 0.0.0.0/0. The client configuration is managed by each regional IT team.
Upon inspection you find that a large number of requests from incorrectly configured sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects.
What should you do to remedy the situation and prevent future occurrences?

  • A. Update the Security Groups to only allow port 80 to the application servers from the ELB.
  • B. Mark the affected instance as degraded in the ELB and raise it with the client application team.
  • C. Terminate the affected instance and allow Auto Scaling to create a new instance.
  • D. Update the NACL to only allow port 80 to the application servers from the ELB servers.

Answer: A

 

NEW QUESTION 54
An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address. What could cause this connectivity issue? (Choose two.)

  • A. The instance security group does not allow ICMP traffic.
  • B. There is a misconfiguration of the bi-directional forwarding detection.
  • C. The VGW is not advertising the correct CIDR range back on-premises.
  • D. A public virtual interface must be configured for Amazon EC2 connectivity.
  • E. The on-premises router is not advertising the correct CIDR range to AWS.

Answer: A,E

 

NEW QUESTION 55
A company is about to migrate an application from its on-premises data center to AWS. As part of the planning process, the following requirements involving DNS have been identified.
The organization's VPC uses the CIDR block 172.16.0.0/16.
Assuming that there is no DNS namespace overlap, how can these requirements be met?

  • A. Change the DHCP options set for the VPC to use both the Amazon-provided DNS server and the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
  • B. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to 172.16.0.2. Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
  • C. Change the DHCP options set for the VPC to use both the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the Route 53 private hosted zone's name servers as authoritative for the Route 53 private hosted zone.
  • D. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to the Amazon-provided DNS server (172.16.0.2). Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the proxies as authoritative for the Route 53 private hosted zone.

Answer: D

 

NEW QUESTION 56
A user is collecting 1000 records per second. The user wants to send the data to CloudWatch using a custom namespace. Which of the below-mentioned options is recommended for this activity?

  • A. Send all the data values to CloudWatch in a single command by separating them with a comma. CloudWatch will parse automatically
  • B. Aggregate the data with statistics, such as Min, Max, Average, Sum and Sample data and send the data to CloudWatch
  • C. It is not possible to send all the data in one call. Thus, it should be sent one by one. CloudWatch will aggregate the data automatically
  • D. Create one csv file of all the data and send a single file to CloudWatch

Answer: B

Explanation:
AWS CloudWatch supports custom metrics. The user can always capture the custom data and upload the data to CloudWatch using the CLI or APIs. The user can publish data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put-metric-data. It is recommended that when the user has multiple data points per minute, the data should be aggregated so as to minimize the number of calls to put-metric-data. In this case it will be a single call to CloudWatch instead of 1000 calls if the data is aggregated.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html

 

NEW QUESTION 57
An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.
What changes should be made to meet this requirement while continuing to support the existing application requirements?

  • A. Modify the existing DHCP option set and specify the different domain name for the specified subnet.
  • B. Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.
  • C. Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.
  • D. Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.

Answer: D

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html

 

NEW QUESTION 58
You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services could you leverage to build an automated notification system? (Select two.)

  • A. Lambda
  • B. Internet gateway
  • C. AWS Inspector
  • D. AWS CloudTrail
  • E. VPC Flow Logs

Answer: A,E

Explanation:
References: https://aws.amazon.com/blogs/security/how-to-receive-alerts-when-specific-apis-are-called-by-using-aws-cloudtrail-amazon-sns-and-aws-lambda/

 

NEW QUESTION 59
What are three services that help mitigate a DDoS? Choose the 2 correct answers:

  • A. AWS Shield
  • B. Elastic Beanstalk
  • C. CloudFront
  • D. DynamoDB

Answer: A,C

Explanation:
AWS Shield and CloudFront can help mitigate the effects of a DDoS.

 
