A financial company that is located in the us-east-1 Region needs to establish secure connectivity to AWS. The company has two on-premises data centers, each located within the same Region. The company's network team needs to establish hybrid connectivity to its AWS environment with reliable and consistent connectivity. The connection must provide access to the company's private resources inside its AWS environment. The resources are located in the us-east-1 and us-west-2 Regions. The connection must allow resources from the corporate networks to send large amounts of data to Amazon S3 over the same connection. To meet compliance requirements, the connection must be highly available and must provide encryption for all packets that are sent between the on-premises location and any services on AWS. Which combination of steps should the network team take to meet these requirements? (Choose two.)
A. Set up a private VIF to send data to Amazon S3. Use an AWS Site-to-Site VPN connection over the private VIF to encrypt data in transit to the VPCs in us-east-1 and us-west-2.
B. Set up an AWS Direct Connect connection to each of the company's data centers.
C. Set up an AWS Direct Connect connection from one of the company's data centers to us-east-1 and us-west-2.
D. Set up a public VIF to send data to Amazon S3. Use an AWS Site-to-Site VPN connection over the public VIF to encrypt data in transit to the VPCs in us-east-1 and us-west-2.
E. Set up a transit VIF for an AWS Direct Connect gateway to send data to Amazon S3. Create a transit gateway. Associate the transit gateway with the Direct Connect gateway to provide secure communications from the company's data centers to the VPCs in us-east-1 and us-west-2.
A company has a 2 Gbps AWS Direct Connect hosted connection from the company's office to a VPC in the ap-southeast-2 Region. A network engineer adds a 5 Gbps Direct Connect hosted connection from a different Direct Connect location in the same Region. The hosted connections are connected to different routers from the office with an iBGP session running in between the routers. The network engineer wants to ensure that the VPC uses the 5 Gbps hosted connection to route traffic to the office. Failover to the 2 Gbps hosted connection must occur when the 5 Gbps hosted connection is down. Which solution will meet these requirements?
A. Configure an outbound BGP policy from the router that is connected to the 2 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
B. Advertise a longer prefix route from the router that is connected to the 2 Gbps connection.
C. Advertise a less specific route from the router that is connected to the 5 Gbps connection.
D. Configure an outbound BGP policy from the router that is connected to the 5 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
A network engineer is evaluating a network setup for a global retail company. The company has an AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has AWS resources in the eu-west-2 Region. These resources consist of multiple VPCs that are attached to a transit gateway. The company recently provisioned a few AWS resources in the eu-central-1 Region in a single VPC close to its users in this area. The network engineer must connect the resources in eu-central-1 with the on-premises data center and the resources in eu-west-2. The solution must minimize changes to the Direct Connect connection. What should the network engineer do to meet these requirements?
A. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a transit VIF to connect the VPC and the Direct Connect router.
B. Create a new transit gateway in eu-central-1. Create a peering attachment request to the transit gateway in eu-west-2. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway peering attachment. Accept the peering request. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
C. Create a new transit gateway in eu-central-1. Use an AWS Site-to-Site VPN connection to peer both transit gateways. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway VPN attachment. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
D. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a public VIF to connect the VPC and the Direct Connect router.
A company uses multiple AWS accounts and VPCs in a single AWS Region. The company must log all network traffic for Amazon EC2 instances and Amazon RDS databases. The company will use the log information to monitor and identify traffic flows in the event of a security incident. The information must be retained for 12 months but will be accessed infrequently after the first 90 days. The company must be able to view metadata that includes the vpc-id, subnet-id, and tcpflags fields. Which solution will meet these requirements at the LOWEST cost?
A. Configure VPC flow logs with the default fields. Store the logs in Amazon CloudWatch Logs.
B. Configure Traffic Mirroring on all AWS resources to point to a Network Load Balancer that will send the mirrored traffic to monitoring instances.
C. Configure VPC flow logs with additional custom format fields. Store the logs in Amazon S3.
D. Configure VPC flow logs with additional custom format fields. Store the logs in Amazon CloudWatch Logs.
A network engineer needs to design the architecture for a high performance computing (HPC) workload. Amazon EC2 instances will require 10 Gbps flows and an aggregate throughput of up to 100 Gbps across many instances with low-latency communication. Which architecture solution will optimize this workload?
A. Place nodes in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
B. Place nodes in multiple subnets in a single VPC. Configure a spread placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
C. Place nodes in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
D. Place nodes in multiple subnets in multiple Availability Zones. Configure a cluster placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
A company hosts a web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The company uses an Amazon CloudFront distribution with the ALB as an origin. The application recently experienced an attack. In response, the company associated an AWS WAF web ACL with the CloudFront distribution. The company needs to use Amazon Athena to analyze application attacks that AWS WAF detects. Which solution will meet this requirement?
A. Configure the ALB and the EC2 instance subnets to produce VPC flow logs. Configure the VPC flow logs to deliver logs to an Amazon S3 bucket for log analysis.
B. Create a trail in AWS CloudTrail to capture data events. Configure the trail to deliver logs to an Amazon S3 bucket for log analysis.
C. Configure the AWS WAF web ACL to deliver logs to an Amazon Kinesis Data Firehose delivery stream. Configure the stream to deliver the data to an Amazon S3 bucket for log analysis.
D. Turn on access logging for the ALB. Configure the access logs to deliver the logs to an Amazon S3 bucket for log analysis.
A real estate company is using Amazon Workspaces to provide corporate managed desktop service to its real estate agents around the world. These Workspaces are deployed in seven VPCs. Each VPC is in a different AWS Region. According to a new requirement, the company's cloud-hosted security information and events management (SIEM) system needs to analyze DNS queries generated by the Workspaces to identify the target domains that are connected to the Workspaces. The SIEM system supports poll and push methods for data and log collection. Which solution should a network engineer implement to meet these requirements MOST cost-effectively?
A. Create VPC flow logs in each VPC that is connected to the Workspaces instances. Publish the log data to a central Amazon S3 bucket. Configure the SIEM system to poll the S3 bucket periodically.
B. Configure an Amazon CloudWatch agent to log all DNS requests in Amazon CloudWatch Logs. Configure a subscription filter in CloudWatch Logs. Push the logs to the SIEM system by using Amazon Kinesis Data Firehose.
C. Configure VPC Traffic Mirroring to copy network traffic from each Workspace and to send the traffic to the SIEM system probes for analysis.
D. Configure Amazon Route 53 query logging. Set the destination as an Amazon Kinesis Data Firehose delivery stream that is configured to push data to the SIEM system.
A company has deployed a multi-VPC environment in the AWS Cloud. The company uses a transit gateway to connect all the VPCs together. In the past, the company has experienced a loss of connectivity between applications after changes to security groups, network ACLs, and route tables in a VPC. When these changes occur, the company wants to automatically verify that connectivity still exists between different resources in a single VPC.
A. Create a list of paths between different resources to check in VPC Reachability Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in Amazon CloudWatch. Configure the rule to invoke an AWS Lambda function to test the different paths in Reachability Analyzer.
B. Create a list of paths between different resources to check in VPC Reachability Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in AWS CloudTrail. Configure the rule to invoke an AWS Lambda function to test the different paths in Reachability Analyzer.
C. Create a list of paths to check in AWS Transit Gateway Network Manager Route Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in Amazon CloudWatch. Configure the rule to invoke an AWS Lambda function to test the different paths in Route Analyzer.
D. Create a list of paths to check in AWS Transit Gateway Network Manager Route Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in AWS CloudTrail. Configure the rule to invoke an AWS Lambda function to test the different paths in Route Analyzer.
A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates. The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data. Which combination of steps will meet these requirements? (Choose two.)
A. Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.
B. Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.
C. Upload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.
D. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.
E. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.
A company is using a shared services VPC with two domain controllers. The domain controllers are deployed in the company's private subnets. The company is deploying a new application into a new VPC in the account. The application will be deployed onto an Amazon EC2 for Windows Server instance in the new VPC. The instance must join the existing Windows domain that is supported by the domain controllers in the shared services VPC. A transit gateway is attached to both the shared services VPC and the new VPC. The company has updated the route tables for the transit gateway, the shared services VPC, and the new VPC. The security groups for the domain controllers and the instance are updated and allow traffic only on the ports that are necessary for domain operations. The instance is unable to join the domain that is hosted on the domain controllers. Which combination of actions will help identify the cause of this issue with the LEAST operational overhead? (Choose two.)
A. Use AWS Network Manager to perform a route analysis for the transit gateway network. Specify the existing EC2 instance as the source. Specify the first domain controller as the destination. Repeat the route analysis for the second domain controller.
B. Use port mirroring with the existing EC2 instance as the source and another EC2 instance as the target to obtain packet captures of the connection attempts.
C. Review the VPC flow logs on the shared services VPC and the new VPC.
D. Issue a ping command from one of the domain controllers to the existing EC2 instance.
E. Ensure that route propagation is turned off on the shared services VPC.