Question 1

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

Options :

A : Change the ALB security policy to a policy that supports TLS 1.2 protocol only

B : Use AWS Key Management Service (AWS KMS) to encrypt session keys

C :

Associate an AWS WAF web ACL with the ALBs. and create a security rule to enforce forward secrecy (FS)

D : Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer: D

Question 2

The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH. How would you define the security rule for SSH?

Options :

A :

Allow Inbound traffic on port 80 and port 22 to allow the user to connect to a private subnet over the internet

B : Allow Inbound traffic on port 22 from the public subnet having a bastion host

C : Allow Inbound traffic on port 22 from the on-premises network

D : Allow Inbound traffic on port 80 and port 22 from the public subnet having a bastion host

Answer: C

Question 3

A company's AWS infrastructure is spread across more than 50 accounts and across five AWS Regions. The company needs to manage its security posture with simplified administration and maintenance for all the AWS accounts. The company wants to use AWS Firewall Manager to manage the firewall rules and requirements. The company creates an organization with all features enabled in AWS Organizations. Which combination of steps should the company take next to meet the requirements? (Select THREE.)

Options :

A : Configure only the Firewall Manager administrator account to join the organization.

B : Configure all the accounts to join the organization.

C : Set an account as the Firewall Manager administrator account.

D : Set an account as the Firewall Manager child account.

E : Set up AWS Config for all the accounts and all the Regions where the company has resources.

F : Set up AWS Config for only the organization-s management account.

Answer: B,C,E

Question 4

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24). A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24. What should the network engineer do next to meet the requirements?

Options :

A : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a public NAT Sateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

public NAT gateway in the corresponding Availability

Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to

send traffic destined for the application to the transit

gateway.

B : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a private NAT gateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

private NAT gateway in the corresponding

Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT

gateways to send traffic destined for the application to

the transit gateway.

C : In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the private NAT gateway. Add a route to the

route table that is associated with the subnet of the

private NAT gateway to send traffic destined for the application to the transit gateway.

D : In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the public NAT gateway. Add a route to the

route table that is associated with the subnet of the

public NAT gateway to send traffic destined for the application to the transit gateway.

Answer: B

Question 5

A company has an application that runs on premises. The application needs to communicate with an application that runs in a VPC on AWS. The communication between the applications must be encrypted and must use private IP addresses. The communication cannot travel across the public internet. The company has established a 1 Gbps AWS Direct Connect connection between the on-premises location and AWS. Which solution will meet the connectivity requirements with the LEAST operational overhead?

Options :

A :

Configure a private VIF on the Direct Connect connection. Associate the private VIF with the VPC's virtual private gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the virtual private gateway.

B :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

C :

Configure a public VIF on the Direct Connect connection. Associate the public VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

D :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up a third-party firewall in a new VPC that is attached to the transit gateway. Set up a VPN connection to the third-party firewall.

Answer: D

Higher Test Marks with Free Online ANS-C01 Exam Practice

Buying Options: