ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 07

  1. Which element of AWS Config can be used to help maintain internal and external compliance controls?

    • Configuration Item
    • Configuration Recorder
    • Configuration Streams
    • Config Rules
    Explanation:
    AWS Config allows you to utilise Config Rules to help you manage and organise this compliance; a Config Rule acts as an automatic resource compliance checker. When a change is made to a resource, AWS Config checks whether the resource is covered by a rule and, if so, evaluates the compliance of that resource against the rule following the changes made.
  2. Which AWS service is used within an AWS Config Rule to perform the logic evaluation of that rule?

    • Inspector
    • WAF
    • Lambda
    • SWF
    Explanation:
    AWS Config Rules are a great way to help you enforce specific compliance controls and checks across your resources, and they allow you to adopt an 'ideal' deployment specification for each of your resource types. Each Rule is simply a Lambda function that, when called upon, evaluates the resource and carries out some simple logic to determine whether the resource complies with the rule.
  3. AWS Config flags a resource as ____ if a resource violates any conditions of an AWS Config rule that it evaluates on the resource in question.

    • corrupted
    • noncompliant 
    • invalid
    • misconfigured
    Explanation:
    Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started. You can also create your own custom rules. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.
  4. Each custom AWS Config rule you create must be associated with a(n) AWS ____, which contains the logic that evaluates whether your AWS resources comply with the rule.

    • Lambda function 
    • Configuration trigger
    • EC2 instance
    • S3 bucket
    Explanation:
    You can develop custom AWS Config rules to be evaluated by associating each of them with an AWS Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule. You associate this function with your rule, and the rule invokes the function either in response to configuration changes or periodically. The function then evaluates whether your resources comply with your rule, and sends its evaluation results to AWS Config.
  5. A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

    • AWS Route53
    • AWS EMR 
    • AWS ELB
    • AWS RDS
    Explanation:
    CloudWatch is used to monitor AWS services as well as custom metrics. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services such as RDS, EC2, Auto Scaling, ELB, and Route 53 can provide monitoring data every minute.
  6. You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

    • get-compliance-details-by-resource
    • describe-compliance-by-config-rule 
    • get-compliance-details-by-config-rule
    • describe-compliance-by-resource
    Explanation:
    You can use the describe-compliance-by-config-rule command of the AWS Config CLI to see the compliance state of each of your rules. For each rule that has a compliance type of NON_COMPLIANT, AWS Config returns the number of noncompliant resources for the CappedCount parameter.
  7. You have several Amazon Glacier vaults you would like to monitor. How might you monitor those vaults?

    • Create a custom AWS Config rule. 
    • Use an AWS master Config rule.
    • Use an AWS managed Config rule.
    • Create a KMS policy and attach it to your Amazon Glacier vault.
    Explanation:
    AWS Config does not currently record Amazon Glacier resources; you must create a custom rule if you wish to monitor such a resource.
  8. In order to change the name of the AWS Config ____, you must stop the configuration recorder, delete the current one, and create a new one with a new name, since there can only be one of these per AWS account.

    • SNS topic
    • configuration history
    • delivery channel 
    • S3 bucket path
    Explanation:
    As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates. You can have only one delivery channel per AWS account, and the delivery channel is required to use AWS Config. To change the delivery channel name, you must delete it and create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder. The AWS Config console does not provide the option to delete the delivery channel, so you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.
  9. Which of the following characters is not allowed while creating a Namespace for a CloudWatch metric?

    • /
    • :
    • #
    • @
    Explanation:
    A namespace is a grouping or container for CloudWatch metrics. The name must consist of valid XML characters, typically the alphanumeric characters “0-9A-Za-z” plus “.” (period), “-” (hyphen), “_” (underscore), “/” (slash), “#” (hash), and “:” (colon). All AWS namespaces follow the convention AWS/<service>, such as AWS/EC2 and AWS/ELB.
  10. You would like to ensure that all Amazon S3 buckets going forward, current and newly created ones, have logging enabled. What type of trigger(s) should you use?

    • only a periodic trigger
    • only a configuration change trigger 
    • both configuration change and periodic triggers
    • only a transitioning trigger
    Explanation:
    This case requires only a configuration change trigger because you only need to trigger when S3 buckets are created and changed. There is no time component to when the trigger needs to fire.
  11. You have many IAM users with the ability to create EC2 volumes. Most of the data your team works with is sensitive, so you would like to make sure all volumes are encrypted. How might you facilitate this requirement?

    • Create an AWS KMS policy and attach it to all IAM users that can create EC2 volumes.
    • Use AWS Config and create a rule that requires all volumes, upon creation, be encrypted. 
    • Use AWS Config to send out reminders to IAM users every time they create an EC2 volume.
    • Set EC2 to notify creators to encrypt their EC2 volumes.
    Explanation:
    AWS Config is used to evaluate the configuration settings of many AWS resources. When an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant.
  12. You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

    • describe-compliance-by-resource
    • describe-compliance-by-config-rule
    • get-compliance-details-by-config-rule 
    • get-compliance-details-by-resource
    Explanation:
    You can use the get-compliance-details-by-config-rule command of the AWS Config CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.
  13. A user is running a batch process on EBS-backed EC2 instances. The batch process launches a few EC2 instances to process Hadoop MapReduce jobs, which can run between 50 and 600 minutes or sometimes even longer. The user wants a configuration that terminates the instance only when the process is completed. How can the user configure this with CloudWatch?

    • Configure a job which terminates all instances after 600 minutes
    • It is not possible to terminate instances automatically
    • Set up the CloudWatch with Auto Scaling to terminate all the instances
    • Configure the CloudWatch action to terminate the instance when the CPU utilization falls below 5%
    Explanation:
    An Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can set up an action that terminates the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either stop or terminate the instance.
  14. You need to create a subnet in a VPC that supports 14 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?

    • /28
    • /24
    • /25
    • /27
    Explanation:
    A /27 supports 27 hosts, since AWS reserves 5 addresses in each subnet; a /25 supports 123 hosts, a /28 supports 11, and a /24 supports 251.
  15. You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period.

    What is the best course of action?

    • Configure the VPN as a static VPN instead of dynamic.
    • Configure AS_PATH Prepending on the DX connection to make it the less preferred path.
    • Advertise 10.0.0.0/9 and 10.128.0.0/9 over your VPN connection.
    • None of the above.
    Explanation:
    A more specific route is the only way to force AWS to prefer a VPN connection over a DX connection. A /9 is not more specific than a /16.
  16. You have two enhanced networking capable instances in a placement group. One with an Intel network interface and one with an ENA.

    What network speed will be achieved between the two?

    • 10Gbps 
    • 20Gbps
    • 5Gbps
    • You cannot have different network interfaces in a placement group.
    Explanation:
    10Gbps. The Intel interface has a maximum speed of 10Gbps and the ENA 20Gbps; the achieved speed will be the lesser of the two.
  17. Your company has placement groups in two different availability zones. There is a large project coming up and, although resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able to achieve the highest speed possible.

    How can this be achieved?

    • Create AMIs from all of the instances, terminate them, and deploy them all into one placement group. 
    • In the CLI, run the command “aws ec2 set-placement-group 1 ” for all of the instances.
    • Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.
    • Peer the two placement groups using AWS PG Peering.
    Explanation:
    There is no AWS PG Peering option; duplicating the VPC does not align with the cost concern; and there is no “aws ec2 set-placement-group” command.
  18. Your network utilizes jumbo frames on its servers and your router. You are trying to access your AWS resources, and you are having issues with packet loss. What is the best solution?

    • Remove the “Do not Fragment” flag on the packets. 
    • Lower the MTU for your network.
    • Call AWS support.
    • You will have to upgrade to Direct Connect.
    Explanation:
    Remove the “Do not Fragment” flag on your router. AWS will drop any packet larger than the 1500-byte MTU if the “Do not Fragment” flag is set, so you need your router to indicate that the data can be fragmented.
  19. You have two VPCs that you need to connect to an on-premises datacenter using VPNs. When you create the tunnels, you find that both tunnels use the same addresses. What two things can you do to overcome this? (Choose two.)

    • Delete the VPN, create a “dummy VPN”, recreate the VPN, then delete the “dummy” VPN. 
    • Delete your AWS account and create a new one since the VPN tunnel addresses are created from a hash of your account number and a proprietary algorithm.
    • Create a VHF within your router for each network.
    • Create a VRF within your router for each network.
  20. Your company just purchased a domain using another registrar and wants to use the same nameservers as your current domain hosted with AWS. How would this be achieved?

    • Every domain must have different nameservers.
    • In the API, create a Reusable Delegation Set. 
    • Import the domain to your account and it will automatically set the same nameservers.
    • In the console, create a Reusable Delegation Set.
    Explanation:
    You can’t create a reusable delegation set in the console. AWS does not provide the same nameservers to new domains, but a reusable delegation set can be used with as many domains as you like.