Here you have the best Amazon ANS-C00 practice exam questions
Your organization's corporate website must be available on www.acme.com and acme.com.
How should you configure Amazon Route 53 to meet this requirement?
To ensure the corporate website is available on both www.acme.com and acme.com, you should configure acme.com with an ALIAS record targeting the Elastic Load Balancer (ELB) and www.acme.com also with an ALIAS record targeting the ELB. This configuration takes advantage of the ALIAS record's ability to point to AWS resources, which includes ELBs, while ensuring the root domain and subdomain both route traffic correctly. An ALIAS record can be used at the zone apex (acme.com), which cannot be done with a CNAME record.
You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your
VPC.
Which action is required to support a successful Amazon EMR cluster launch?
For successful Amazon EMR cluster launch, it's crucial that the instances within the cluster can resolve not only their internal hostnames but also AWS service endpoints. The application points to Active Directory integrated DNS servers in the VPC for internal domain resolution. However, to ensure AWS service endpoints can still be resolved, adding a conditional forwarder to the Amazon-provided DNS server is necessary. This forwarder will direct the DNS queries for the AWS-specific domains to the Amazon DNS server, facilitating proper DNS resolution for AWS services.
You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services cloud you leverage to build an automated notification system? (Choose two.)
To build an automated notification system for detecting external port scans on your application within a three-tier web architecture, you should use VPC Flow Logs and AWS Lambda. VPC Flow Logs can capture detailed information about IP traffic reaching your network interfaces, including any suspicious port scan activities. AWS Lambda can then be used to automate the detection and notification process by analyzing the flow log data and triggering alerts to the security team when a port scan is identified. AWS CloudTrail, while useful for auditing AWS account activity, does not directly detect port scans. Similarly, AWS Inspector focuses on vulnerability assessments rather than real-time monitoring for port scans, and an Internet gateway is not relevant for such monitoring tasks.
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.
How should you design routing to meet these requirements?
To ensure users can access the application instances both from the Internet and from an on-premises network connected via AWS Direct Connect, you should configure a single routing table with a default route via the Internet Gateway (IGW) for internet-bound traffic. Specific routes for the on-premises network should be propagated via BGP on the AWS Direct Connect customer router to ensure proper routing. This setup allows the VPC to handle both types of traffic correctly and scales well with the network requirements.
Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a `backdoor`, and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?
The valid concern that should be addressed is that EC2 instances in the same region with access to the Internet could directly reach the router. It is crucial to understand that once AWS receives a BGP announcement from a customer, all network traffic from AWS destined to the announced prefix will be routed via AWS Direct Connect. This includes traffic from other AWS customers using public or Elastic IP addresses on their Amazon EC2 instances, traffic routed via NAT gateways, AWS Lambda functions making outbound connections, and more. Proper configuration of routers and firewalls is required to manage this traffic according to the company's routing policies.