ANS-C00: AWS Certified Advanced Networking - Specialty
Question#41

You have many IAM users with the ability to create EC2 volumes. Most of the data your team works with is sensitive, so you would like to make sure all volumes are encrypted. How might you facilitate this requirement?

  • A. Create an AWS KMS policy and attach it to all IAM users that can create EC2 volumes.
  • B. Use AWS Config and create a rule that requires all volumes, upon creation, be encrypted.
  • C. Use AWS Config to send out reminders to IAM users every time they create an EC2 volume.
  • D. Set EC2 to notify creators to encrypt their EC2 volumes.

B
AWS Config is used to evaluate the configuration settings of many AWS resources. When an EC2 volume is created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html

Question#42

You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

  • A. describe-compliance-by-resource
  • B. describe-compliance-by-config-rule
  • C. get-compliance-details-by-config-rule
  • D. get-compliance-details-by-resource

C
You can use the get-compliance-details-by-config-rule command of the AWS Config CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

Question#43

A user is running a batch process on EBS-backed EC2 instances. The batch process launches a few EC2 instances to process Hadoop MapReduce jobs, which can run for 50-600 minutes or sometimes even longer. The user wants a configuration that can terminate the instance only when the process is completed. How can the user configure this with CloudWatch?

  • A. Configure a job which terminates all instances after 600 minutes
  • B. It is not possible to terminate instances automatically
  • C. Set up the CloudWatch with Auto Scaling to terminate all the instances
  • D. Configure the CloudWatch action to terminate the instance when the CPU utilization falls below 5%

D
An Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can set up an action which terminates the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html

Question#44

You need to create a subnet in a VPC that supports 14 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?

  • A. /28
  • B. /24
  • C. /25
  • D. /27

D
/27 supports 27 hosts since AWS reserves 5 addresses. /25 supports 123 hosts, /28 supports 11, /24 supports 251.

Question#45

You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period.
What is the best course of action?

  • A. Configure the VPN as a static VPN instead of dynamic.
  • B. Configure AS_PATH Prepending on the DX connection to make it the less preferred path.
  • C. Advertise 10.0.0.0/9 and 10.128.0.0/9 over your VPN connection.
  • D. None of the above.

D
A more specific route is the only way to force AWS to prefer a VPN connection over a DX connection. A /9 is not more specific than a /16.

Question#46

You have two enhanced networking capable instances in a placement group: one with an Intel network interface and one with an ENA.
What network speed will be achieved between the two?

  • A. 10Gbps
  • B. 20Gbps
  • C. 5Gbps
  • D. You cannot have different network interfaces in a placement group.

A
10Gbps. The Intel interface has a max speed of 10 and the ENA is 20. The speed will be the lesser of the two.

Question#47

Your company has placement groups in two different availability zones. There is a large project coming up and, although resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able to achieve the highest speed possible.
How can this be achieved?

  • A. Create AMIs from all of the instances, terminate them, and deploy them all into one placement group.
  • B. In the CLI, run the command "aws ec2 set-placement-group 1 " for all of the instances.
  • C. Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.
  • D. Peer the two placement groups using AWS PG Peering.

A
There is no AWS PG Peering option, duplicating the VPC does not align with the cost concern, and there is no "aws ec2 set-placement-group" command.

Question#48

Your network utilizes jumbo frames on its servers and your router. You are trying to access your AWS resources, and you are having issues with packet loss.
What is the best solution?

  • A. Remove the "Do not Fragment" flag on the packets.
  • B. Lower the MTU for your network.
  • C. Call AWS support.
  • D. You will have to upgrade to Direct Connect.

A
Remove the "Don't Fragment" flag on your router. AWS will drop any data with an MTU of greater than 1500 if the "Do not Fragment" flag is set, so you need your router to indicate that data can be fragmented.

Question#49

You have two VPCs that you need to connect to an on-premises datacenter using VPNs. When you create the tunnels, you find that both tunnels use the same addresses. What two things can you do to overcome this? (Choose two.)

  • A. Delete the VPN, create a "dummy VPN", recreate the VPN, then delete the "dummy" VPN.
  • B. Delete your AWS account and create a new one since the VPN tunnel addresses are created from a hash of your account number and a proprietary algorithm.
  • C. Create a VHF within your router for each network.
  • D. Create a VRF within your router for each network.

AD

Question#50

Your company just purchased a domain using another registrar and wants to use the same nameservers as your current domain hosted with AWS. How would this be achieved?

  • A. Every domain must have different nameservers.
  • B. In the API, create a Reusable Delegation Set.
  • C. Import the domain to your account and it will automatically set the same nameservers.
  • D. In the console, create a Reusable Delegation Set.

B
You can't create a reusable delegation set in the console. AWS does not provide the same nameservers to new domains, but a reusable delegation set can be used with as many domains as you like.
