Exam 1: AWS Certified Advanced Networking - Specialty (ANS-C00)

A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?

Which one of these healthcheck reason codes is not a valid reason code?

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

A customer is using ABC Telecom as a network provider. The customer has 10 different offices connected to ABC Telecom's MPLS backbone. The customer is setting up an AWS Direct Connect connection to AWS and has provided the LOA-CFA to ABC Telecom. ABC Telecom has terminated the Direct Connect circuit into their MPLS backbone. To uniquely identify the customer's traffic over the MPLS backbone, the customer must encapsulate all traffic with VLAN tag 100. The customer wants to send traffic to multiple VPCs. Which two steps should be taken to meet the customer's requirement? (Choose two.)

An unfortunate situation has just come to your attention. A business critical application with sensitive data running on-prem will run out of storage disk space in 24hrs. This business critical application is dependent a very large set of routes - required for integration with other system. You make a quick but well informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and within it equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24hrs, select the best implementation.

Which service would you use to see if your infrastructure has changed?

In Amazon CloudFront, which of the following is true of Smooth Streaming?

An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role. Which combination of services will support these requirements? (Choose two.)

You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)

Which of these is not a requirement to set up a DX connection?

Which element of AWS Config can be used to help maintain internal and external compliance controls?

A company has two redundant AWS Direct Connect connections to a VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path. The company wants the primary Direct Connect connection to fail to the secondary in less than one second. What should be done to meet this requirement?

A company's network engineer needs to evaluate and monitor DNS traffic. The company uses Amazon Route 53 as the DNS service for its public hosted zone. All DNS queries must be captured for future analysis. What should the network engineer do to meet these requirements?

You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover. What MUST be configured for this design to work? (Select two.)

A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses. Which solution will meet these requirements?

What is the minimum number of subnets for an RDS subnet group?

Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster. You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault- tolerant connectivity between Amazon Kinesis and your data center. What should you implement to address these needs?

Refer to the image. You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows: VPC A: 10.0.0.0/16 VPC B: 192.168.0.0/16 VPC C: 10.0.0.0/16 Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively, i-3 and i-4 are in the subnet 192.168.1.0/24. i-3 must be able to communicate with i-1 i-4 must be able to communicate with i-2 i-3 and i-4 are able to communicate with i-1, but not with i-2. Which two steps will fix this problem? (Choose two.)

A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy. What is the MOST cost-effective solution to meet these requirements?