The latest Amazon ANS-C00 dumps by Lead4Pass helps you pass the ANS-C00 exam for the first time! Lead4Pass Latest Update Amazon ANS-C00 VCE Dump and ANS-C00 PDF Dumps, Lead4Pass ANS-C00 Exam Questions Updated, Answers corrected! Get the latest Lead4Pass ANS-C00 dumps with Vce and PDF: https://www.pass4itsure.com/aws-certified-advanced-networking-specialty.html (Q&As: 348 dumps)
[Free ANS-C00 PDF] Latest Amazon ANS-C00 Dumps PDF collected by Lead4pass Google Drive:
https://drive.google.com/file/d/1B_eBjBOMm_7uwZ2qBSOU3hoTtKJbY8lg/
[Lead4pass ANS-C00 Youtube] Amazon ANS-C00 Dumps can be viewed on Youtube shared by Lead4Pass
Latest Amazon ANS-C00 Exam Practice Questions and Answers
QUESTION 1
Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2)
and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement
changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation?
(Choose three.)
A. AWS Config
B. AWS Simple Notification Service
C. AWS CloudWatch metrics
D. AWS Lambda
E. AWS CloudFormation
F. AWS Identify and Access Management
Correct Answer: BCD
QUESTION 2
A company\\’s IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of
five approved external IPs only. The team also wants to receive a notification every time any server tries to open a
connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?
A. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL.
Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this
metric to notify the Security team.
B. Enable Amazon GuardDuty on the account and the specific region. Upload a list of allowed IPs to Amazon S3 and
link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty
findings to trigger an Amazon SNS notification to the Security team.
C. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to
REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to
notify the Security team.
D. Enable Amazon GuardDuty on the account and specific region. Upload a list of allowed IPs to Amazon S3 and link
the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from
GuardDuty.
Correct Answer: A
QUESTION 3
A Network Engineer needs to create a public virtual interface on the company\\’s AWS Direct Connect connection and
only import routes which originated from the same region as the Direct Connect location What action should accomplish
this?
A. Configure a prefix-list on the customer router containing the AWS IP address ranges for the specific region.
B. Configure a filter on the company\\’s router to only import routes with the 7224:8100 BGP community attribute.
C. Configure a filter on the company\\’s router to only import routes without a BGP community attribute and a maximum path length of 3.
D. Configure a filter in the console and only allow routes advertised by AWS without a BGP community attribute and a maximum path length of 3.
Correct Answer: A
QUESTION 4
An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit
VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones
for automatic failover.
What MUST be configured for this design to work? (Choose two.)
A. A different Autonomous System Number (ASN) for each firewall.
B. Border Gateway Protocol (BGP) routing
C. Autonomous system (AS) path prepending
D. Static routing
E. Equal-cost multi-path routing (ECMP)
Correct Answer: BE
QUESTION 5
A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct
Connect connectors. You configure a private virtual interface on both connections to a virtual private gateway. The
virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on
the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as
Available?
A. Attach the virtual private gateway to a VPC and enable route propagation.
B. Filter the public IP pre? xes on the corporate network from the private virtual interface.
C. Change the BGP advertisements from the corporate network to only be a default route.
D. Attach the second virtual interface to an alternative virtual private gateway. Correct Answer: D
QUESTION 6
An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side
certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the
mechanism used within AWS to provide the SSL mutual authentication.
Which of the following options meets the organization\\’s requirements?
A. Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of
the client-side certificate there.
B. Use a Network Load Balancer with a TCP listener on port 443 and pass the request through for the SSL mutual
authentication to be handled by a backend instance.
C. Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name
indication (SNI) features with smart certificate selection to handle multiple calling applications.
D. Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses
the backend instances to verify the source of the request.
Correct Answer: C
Reference: https://aws.amazon.com/about-aws/whats-new/2017/10/elastic-load-balancing-application-load-balancersnow-support-multiple-ssl-certificates-and-smart-certificate-selection-using-server-name-indication-sni/
QUESTION 7
Your company operates a single AWS account. A common service VPC is deployed to provide shared services, such
as network scanning and compliance tools. Each AWS workload uses its own VPC, and each VPC must peer with the
common services VPC. You must choose the most efficient and cost-effective approach.
Which approach should be used to automate the required VPC peering?
A. AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.
B. An OpsWorks Chef recipe to execute a command-line peering request.
C. Cfn-init with AWS CloudFormation to execute a command-line peering request.
D. An AWS CloudFormation template that includes a peering request.
Correct Answer: A
QUESTION 8
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records
in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC
DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances
in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?
A. Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
B. Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
C. Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
D. Update the on-premises forwarders with the four name servers assigned to the private hosted zone.
Correct Answer: D
References: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-andaws-by-using-unbound/
QUESTION 9
Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on Nginx
server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client\\’s IP address
in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?
A. Modify the Nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the Geographic
Restriction.
B. Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.
C. Use X-Forwarded-For with security groups to apply the Geographic Restriction.
D. Modify the application code to use the value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.
Correct Answer: A
QUESTION 10
An organization processes consumer information submitted through its website. The organization\\’s security policy
requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as
feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service
within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements? (Choose two.)
A. Amazon Aurora in a private subnet
B. Amazon CloudFront using AWS Lambda@Edge
C. Customer-managed MySQL with Transparent Data Encryption
D. Application Load Balancer using HTTPS listeners and targets
E. AWS Key Management Services
Correct Answer: CE
References: https://noise.getoto.net/tag/aws-kms/
QUESTION 11
You are building an application that provides real-time audio and video services to customers on the Internet. The
application requires high throughput. To ensure proper audio and video transmission, minimal latency is required. Which
of the following will improve transmission quality?
A. Enable enhanced networking
B. Select G2 instance types
C. Enable jumbo frames
D. Use multiple elastic network interfaces
Correct Answer: A
QUESTION 12
You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for
this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances
should be able to access any Amazon S3 bucket in the same region via any URL.
Which of the following solutions should you deploy? (Choose two.)
A. Include s3.amazonaws.com in the whitelist.
B. Create a VPC endpoint for S3.
C. Run Squid proxy on a NAT instance.
D. Deploy a NAT gateway into your VPC.
E. Utilize a security group to restrict access.
Correct Answer: BC
References: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
QUESTION 13
Changes made to a security group attached to an Application Load Balancer resulted in connectivity issues for a
company\\’s production web application. The Network Engineer needs to lock down permissions for the company\\’s
AWS account, automate auditing for any changes and set up notifications.
What actions should accomplish this?
A. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify API calls
from users. Use AWS Config to audit any changes, and configure Amazon SNS to send notifications.
B. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API
calls from users. Configure AWS CodeCommit to audit any changes in configurations, and configure Amazon SNS to
send notifications.
C. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API
calls from users. Configure Amazon Macie to use machine learning to identify any configuration changes, and configure
Amazon SNS to send notifications.
D. Configure IAM role policies to lock down permissions for specific users. Configure Amazon GuardDuty to audit and
monitor configuration changes, and configure Amazon SNS to send notifications.
Correct Answer: D
latest updated Amazon ANS-C00 exam questions from the Lead4Pass ANS-C00 dumps! 100% pass the ANS-C00 exam! Download Lead4Pass ANS-C00 VCE and PDF dumps: https://www.pass4itsure.com/aws-certified-advanced-networking-specialty.html (Q&As: 348 dumps)
Get free Amazon ANS-C00 dumps PDF online: https://drive.google.com/file/d/1B_eBjBOMm_7uwZ2qBSOU3hoTtKJbY8lg/