ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 06

  1. The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.

    Which of the following maximizes network performance on AWS? (Choose two.)

    • Support for the enhanced networking drivers
    • Support for sending traffic over the Direct Connect connection
    • The instance sizes and families supported by the security appliance
    • Support for placement groups within the VPC
    • Security appliance support for multiple elastic network interfaces
  2. A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC.

    Which of the following is the MOST reliable solution?

    • Create an inbound rule in the VPC’s network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
    • Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.
    • Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
    • Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
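The VPC Flow Logs answer above relies on a CloudWatch Logs metric filter picking out accepted TCP flows to one destination port. The following added example (written for this page, not code from AWS or from the exam) shows the documented space-delimited metric filter pattern for that check and reproduces its matching logic in Python over a few constructed version-2 flow log records; the target port, account ID, ENI and addresses are all assumed values.

```python
"""
Added example (not part of the original exam page): how the "VPC Flow Logs ->
CloudWatch Logs metric filter -> alarm" answer detects access to one TCP port.
METRIC_FILTER_PATTERN uses the documented space-delimited CloudWatch Logs
syntax; the log lines are constructed samples in the default (version 2)
VPC Flow Log format. TARGET_PORT is an assumed value.
"""

TARGET_PORT = 22  # assumed: the port the engineer wants to be notified about

# Default (version 2) flow log fields, in record order.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# CloudWatch Logs metric filter pattern equivalent to the Python check below:
# 14 positional fields, constrained on dstport, protocol (6 = TCP) and action.
METRIC_FILTER_PATTERN = (
    "[version, account, eni, source, destination, srcport, "
    f'destport="{TARGET_PORT}", protocol="6", packets, bytes, '
    'windowstart, windowend, action="ACCEPT", flowlogstatus]'
)


def parse_flow_log_line(line):
    """Split one version-2 record into a dict; return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def matches_port_access(record, port=TARGET_PORT):
    """True when the record is an accepted TCP flow to the target port.
    NODATA/SKIPDATA records carry '-' in the port fields and never match."""
    if record is None or record["log_status"] != "OK":
        return False
    return (record["protocol"] == "6"
            and record["dstport"] == str(port)
            and record["action"] == "ACCEPT")


def count_port_accesses(lines, port=TARGET_PORT):
    """Metric value the alarm would see: number of matching records in a batch.
    Also returns the distinct source addresses, which the SNS message could carry."""
    records = (parse_flow_log_line(line) for line in lines)
    hits = [r for r in records if matches_port_access(r, port)]
    return len(hits), sorted({r["srcaddr"] for r in hits})


# Constructed sample records (account ID, ENI and addresses are made up).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40001 22 6 5 300 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49153 443 6 10 2000 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 33000 22 17 3 200 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA",
    "2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.25 50000 22 6 8 900 1418530010 1418530070 ACCEPT OK",
]

if __name__ == "__main__":
    n, sources = count_port_accesses(SAMPLE_LINES)
    print(f"{n} accepted TCP/{TARGET_PORT} flows from {sources}")
    print("metric filter:", METRIC_FILTER_PATTERN)
```

Only the two ACCEPT records with protocol 6 and destination port 22 count; the REJECT, the UDP flow and the NODATA record are ignored, which is exactly what the positional constraints in the metric filter pattern express. A metric filter is what makes this answer more reliable than the other options: it needs no agent on the instances and no per-instance CLI credentials.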
  3. A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.

    What is causing this issue?

    • The NAT gateway does not support fragmented packets.
    • The internet gateway only supports an MTU of 1500 bytes.
    • An Amazon EC2 instance expects to communicate with an MTU of 9001.
    • The security group on the instances does not allow PMTUD.
  4. A company has an application running in an Amazon VPC that must be able to communicate with on-premises resources in a data center. Network traffic between AWS and the data center will initially be minimal, but will increase to more than 10 Gbps over the next few months. The company’s goal is to launch the application as quickly as possible.

    The network engineer has been asked to design a hybrid IT connectivity solution.

    What should be done to meet these requirements?

    • Submit a 1 Gbps AWS Direct Connect connection request, then increase the number of Direct Connect connections, as needed.
    • Allocate elastic IPs to Amazon EC2 instances for temporary access to on-premises resources, then provision AWS VPN connections between an Amazon VPC and the data center.
    • Provision an AWS VPN connection between an Amazon VPC and the data center, then submit an AWS Direct Connect connection request. Later, cut over from the VPN connection to one or more Direct Connect connections, as needed.
    • Provision a 100 Mbps AWS Direct Connect connection between an Amazon VPC and the data center, then submit a Direct Connect connection request. Later, cut over from the hosted connection to one or more Direct Connect connections, as needed.
  5. A company has recently established an AWS Direct Connect connection from its on-premises data center to AWS. A Network Engineer has blocked all traffic destined for Amazon S3 over the company’s gateway to the internet from its on-premises firewall. S3 traffic should only traverse the Direct Connect connection. Currently, no one in the on-premises data center can access Amazon S3.

    Which solution will resolve this connectivity issue?

    • Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
    • Establish an S3 VPC endpoint for the company’s Amazon VPC. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop.
    • Configure a public virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
    • Configure a public virtual interface on the Direct Connect connection. Establish an AWS managed VPN over the connection. Update the on-premises routing tables to choose the VPN connection as the preferred next hop.
  6. A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company’s on-premises router for this Direct Connect connection.

    Which of the following actions will require the LEAST amount of configuration overhead on the customer router?

    • Configure private virtual interfaces for the VPC resources and for Amazon S3.
    • Configure private virtual interfaces for the VPC resources and a public virtual interface for Amazon S3.
    • Configure a private virtual interface to a Direct Connect gateway for the VPC resources and for Amazon S3.
    • Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3.
  7. A company has two redundant AWS Direct Connect connections to a VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path. The company wants the primary Direct Connect connection to fail over to the secondary in less than one second.

    What should be done to meet this requirement?

    • Configure BGP on the company’s router with a keep-alive to 300 ms and the BGP hold timer to 900 ms.
    • Enable Bidirectional Forwarding Detection (BFD) on the company’s router with a detection minimum interval of 300 ms and a BFD liveness detection multiplier of 3.
    • Enable Dead Peer Detection (DPD) on the company’s router with a detection minimum interval of 300 ms and a DPD liveliness detection multiplier of 3.
    • Enable Bidirectional Forwarding Detection (BFD) echo mode on the company’s router and disable sending the Internet Control Message Protocol (ICMP) IP packet requests.
  8. A company’s network engineering team is solely responsible for deploying VPC infrastructure using AWS CloudFormation. The company wants to give its developers the ability to launch applications using CloudFormation templates so that subnets can be created using available CIDR ranges.

    What should be done to meet these requirements?

    • Create a CloudFormation template with Amazon EC2 resources that rely on cfn-init and cfn-signals to inform the stack of available CIDR ranges.
    • Create a CloudFormation template with a custom resource that analyzes traffic activity in VPC Flow Logs and reports on available CIDR ranges.
    • Create a CloudFormation template that references the Fn::Cidr intrinsic function within a subnet resource to select an available CIDR range.
    • Create a CloudFormation template with a custom resource that uses AWS Lambda and Amazon DynamoDB to manage available CIDR ranges.
  9. A company’s web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further requests for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.

    Which action should be taken to block more IP addresses, without compromising the existing security requirements?

    • Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.
    • Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.
    • Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.
    • Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.
  10. A company is using AWS to host all of its applications. Each application is isolated in its own Amazon VPC. Different environments such as Development, Test, and Production are also isolated in their own VPCs. The network engineer needs to automate VPC creation to enforce the company’s network and security standards. Additionally, the CIDR range used in each VPC needs to be unique.

    Which solution meets all of these requirements?

    • Use AWS CloudFormation to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
    • Use AWS OpsWorks to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
    • Use the VPC wizard in the AWS Management Console. Type in the CIDR blocks for the VPC and subnets.
    • Create the VPCs using AWS CLI and use the dry-run flag to validate if the current CIDR range is in use.
  11. You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.

    • EBS volume
    • EC2 instance
    • S3 bucket 
    • Kinesis stream
    Explanation:
    You can use the AWS CLI to turn on AWS Config. All it takes is the subscribe command and a few additional parameters: --s3-bucket, which specifies the S3 bucket to which AWS Config data will be saved; --sns-topic, which specifies the SNS topic to which messages from AWS Config will be sent; and --iam-role, which specifies an IAM role with the permissions AWS Config needs to access the resources it monitors.
  12. You would like to automate the monitoring of changes in the configurations of your AWS resources and respond programmatically to configurations of only a certain type. To do this, you could use Amazon ____ as the endpoint for the Amazon SNS topics that generate messages from AWS Config.

    • Kinesis
    • Simple Email Service (SES)
    • Simple Storage Service (S3)
    • Simple Queue Service (SQS)
    Explanation:
    AWS Config uses Amazon Simple Notification Service (SNS) to send you notifications every time a supported AWS resource is created, updated, or otherwise modified as a result of user API activity. However, you might be interested in only certain resource configuration changes. For example, you might consider it critical to know when someone modifies the configuration of a security group, but not need to know every time there is a change to tags on your Amazon EC2 instances. Or, you might want to write a program that performs specific actions when specific resources are updated. For example, you might want to start a certain workflow when a security group configuration is changed. If you want to programmatically consume the data from AWS Config in these or other ways, use an Amazon Simple Queue Service queue as the notification endpoint for Amazon SNS.
  13. You can use the ____ command of the AWS Config service CLI to see the compliance state for each AWS resource of a specific type.

    • describe-compliance-by-resource 
    • get-compliance-details-by-config-rule
    • describe-compliance-by-config-rule
    • get-compliance-details-by-resource
  14. When an AWS Config rule is triggered, a JSON object known as an AWS Config Event is created. This object contains another JSON string in its ____ parameter, which describes the event that triggered the rule.

    • resultToken
    • eventLeftScope
    • invokingEvent 
    • configRuleName
    Explanation:
    The JSON object for an AWS Config event contains an invokingEvent attribute, which describes the event that triggers the evaluation for a rule. If the event is published in response to a resource configuration change, the value of this attribute is a string that contains a JSON configurationItem or a configurationItemSummary (for oversized configuration items). The configuration item represents the state of the resource at the moment that AWS Config detected the change. If the event is published for a periodic evaluation, the value is a string that contains a JSON object with information about the evaluation that was triggered. For each type of event, a function must parse the string with a JSON parser to be able to evaluate its contents.
  15. When an AWS Config rule is triggered, a JSON object known as an AWS Config Event is created. This object contains a(n) ____ attribute, which is a JSON-formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.

    • inputParameters 
    • invokingEvent
    • ruleConfiguration
    • mappingTemplate
    Explanation:
    The JSON object for an AWS Config event contains a ruleParameters attribute, which is a set of key/value pairs that the AWS Lambda function receiving the event processes as part of its evaluation logic. You define parameters when you use the AWS Config console to create a custom rule. You can also define parameters with the InputParameters attribute in the PutConfigRule AWS Config API request or the put-config-rule AWS CLI command. The JSON code for the parameters is contained within a string, so a function must parse the string with a JSON parser to be able to evaluate its contents.
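Questions 14 and 15 describe the two JSON strings a custom rule's Lambda function has to parse: invokingEvent (carrying the configurationItem, a configurationItemSummary, or a periodic-evaluation notice) and ruleParameters (the key/value pairs supplied through InputParameters). The following added example (written for this page, not code from AWS or from the exam) is a complete evaluator that handles each of those cases and the eventLeftScope flag. The rule itself and its parameter name (blockedPorts) are hypothetical, the security-group configuration item is a constructed sample, and the field names under "configuration" are assumptions about the item's shape.

```python
"""
Added example (not from the exam page or from AWS): a custom AWS Config rule
evaluator showing how a Lambda function consumes the invokingEvent and
ruleParameters attributes. Both arrive as JSON *strings* and must be parsed
before use. The rule and its parameter name (blockedPorts) are hypothetical;
the security-group configuration item is a constructed sample, so the field
names under "configuration" are assumptions about the CI shape.
"""
import json


def parse_rule_parameters(event):
    """ruleParameters (set via InputParameters) is a JSON string; absent means {}."""
    return json.loads(event.get("ruleParameters") or "{}")


def evaluate_security_group(configuration, blocked_ports):
    """Hypothetical rule: NON_COMPLIANT if any ingress rule opens a blocked
    TCP port to 0.0.0.0/0. Returns (compliance_type, annotation)."""
    for perm in configuration.get("ipPermissions", []):
        if perm.get("ipProtocol") not in ("tcp", "-1"):
            continue
        world_open = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", []))
        if not world_open:
            continue
        lo = perm.get("fromPort", 0)
        hi = perm.get("toPort", 65535)
        for port in blocked_ports:
            if lo <= port <= hi:
                return "NON_COMPLIANT", f"port {port} open to 0.0.0.0/0"
    return "COMPLIANT", "no blocked port open to 0.0.0.0/0"


def evaluate(event):
    """Build the evaluation list a handler would pass to put_evaluations."""
    invoking = json.loads(event["invokingEvent"])  # always a string, never a dict
    params = parse_rule_parameters(event)
    blocked = [int(p) for p in params.get("blockedPorts", "").split(",") if p.strip()]
    msg_type = invoking.get("messageType")

    if msg_type == "ScheduledNotification":
        # Periodic trigger: invokingEvent carries no configuration item.
        return []
    if msg_type == "OversizedConfigurationItemChangeNotification":
        # Only a configurationItemSummary is present; the full item would have to
        # be fetched with get_resource_config_history (not done in this offline example).
        summary = invoking["configurationItemSummary"]
        return [{"ComplianceResourceType": summary["resourceType"],
                 "ComplianceResourceId": summary["resourceId"],
                 "ComplianceType": "NOT_APPLICABLE",
                 "Annotation": "oversized item; full configuration not loaded",
                 "OrderingTimestamp": summary["configurationItemCaptureTime"]}]

    ci = invoking["configurationItem"]
    deleted = ci["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded")
    if event.get("eventLeftScope") or deleted:
        compliance, note = "NOT_APPLICABLE", "resource deleted or left rule scope"
    elif ci["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(ci["configuration"], blocked)
    return [{"ComplianceResourceType": ci["resourceType"],
             "ComplianceResourceId": ci["resourceId"],
             "ComplianceType": compliance,
             "Annotation": note,
             "OrderingTimestamp": ci["configurationItemCaptureTime"]}]


def lambda_handler(event, context):
    """In a deployed rule the result is reported back with
    boto3.client("config").put_evaluations(Evaluations=..., ResultToken=event["resultToken"]);
    here it is simply returned so the example runs offline."""
    return evaluate(event)


# Constructed sample event: a security group that opens TCP 22 to the world.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
SAMPLE_EVENT = {
    "configRuleName": "hypothetical-no-world-open-ports",
    "resultToken": "example-token",
    "eventLeftScope": False,
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SAMPLE_CI}),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The two json.loads calls are the point of both questions: reading event["invokingEvent"]["configurationItem"] directly fails because the value is a string. The messageType branches matter in practice as well, since a rule with a periodic trigger or an oversized item receives no configurationItem at all, and a handler that assumes one will raise and leave the resource without a compliance result.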
  16. When using AWS Config, which two items are stored on S3 as a part of its operation?

    • Configuration Items and Configuration History
    • Configuration Recorder and Configuration Snapshots
    • Configuration History and Configuration Snapshots 
    • Configuration Snapshots and Configuration Streams
    Explanation:
    S3 is used to store the Configuration History files and any Configuration Snapshots of your data within a single bucket, which is defined within the Configuration Recorder. You can have AWS Config create a new bucket for you or select an existing bucket. If you have multiple AWS accounts, you may want to aggregate the Configuration History and Snapshot files from all of them into the same S3 bucket in your primary account; this can be achieved, but you will need to grant the AWS Config service principal (config.amazonaws.com) in your other accounts write access to that S3 bucket.
  17. You can use the ____ page of the AWS Config console to look up resources that AWS Config has discovered, including deleted resources and resources that are not currently being recorded.

    • snapshot listing
    • configuration history
    • resource inventory 
    • resource database
    Explanation:
    You can use the AWS Config console, AWS CLI, and AWS Config API to look up the resources that AWS Config has taken an inventory of, or discovered, including deleted resources and resources that AWS Config is not currently recording. AWS Config discovers supported resource types only. You can use the AWS Config console in the AWS Management Console to look up these resources; the Resource Inventory page lets you perform this search.
  18. An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule’s ____, which can include a combination of a resource type and a resource ID, for example.

    • trigger
    • domain
    • manifest
    • scope
    Explanation:
    When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs. You choose which resources trigger the evaluation by defining the rule’s scope. The scope can include the following:
    • One or more resource types
    • A combination of a resource type and a resource ID
    • A combination of a tag key and value
    • When any recorded resource is created, updated, or deleted
    AWS Config runs the evaluation when it detects a change to a resource that matches the rule’s scope. You can use the scope to constrain which resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.
  19. Which other AWS service is used to track ‘Related Events’ within the Configuration Item?

    • AWS WAF
    • SQS
    • AWS CloudTrail 
    • S3
    Explanation:
    ‘Related Events’ displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI. A new CI is made for every change made against a resource, so each change is tied to a different CloudTrail event ID. This allows you to deep-dive into who or what made the change that triggered this CI, and when. It is a great feature that enables useful analysis, specifically when the change affects security resources.
  20. Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.

    • It depends on the Rule configuration
    • Only if it remains non-compliant for more than 6 hours
    • True
    • False
    Explanation:
    Each time a change is made to one of your supported resources, AWS Config will check its compliance against any Config Rules that you have in place. If there is a violation against these rules, then AWS Config will send a message to the Configuration Stream via SNS and the resource will be marked as ‘noncompliant’. It’s important to note that this does not mean the resource will be taken out of service or that it will stop working. It will continue to operate exactly as it is with its new configuration. AWS Config simply alerts you that there is a violation, and it’s up to you to take the appropriate action.