Question 1

A VPC peering connection exists between VPC A and VPC B. The network team has added the following additional configurations to the existing peering connection: VPC A has an AWS Direct Connect connection to a corporate network VPC A has a VPC gateway endpoint that connects it to Amazon S3 What will be the outcome? (Select Two)

Options :

A :

Traffic from the corporate network can access VPC B if AWS Direct Connect connection to VPC A is converted to a Site-to-Site VPN connection to VPC A

B : VPC A can be used to extend the peering relationship between VPC B and the corporate network

C : VPC B can directly access Amazon S3 using the VPC gateway endpoint connection to VPC A

D : VPC B can't directly access Amazon S3 using the VPC gateway endpoint connection to VPC A

E :

Traffic from the corporate network cannot directly access VPC B by using the AWS Direct Connect connection to VPC A

Answer: D,E

Question 2

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

Options :

A :

Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.

B :

Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP (BYOIP) from the onpremises network with Global Accelerator.

C :

Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator

D :

Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Answer: B

Question 3

An analytics company uses Amazon QuickSight (Enterprise Edition) to easily create and publish interactive BI dashboards that can be accessed from any device. For a specific requirement, the company needs to create a private connection from Amazon QuickSight to an Amazon RDS DB instance that's in a private subnet to fetch data for analysis. Which of the following represents an optimal solution for configuring a private connection between QuickSight and Amazon RDS DB instance?

Options :

A :

Amazon QuickSight Enterprise edition is fully integrated with the Amazon VPC service. Create an ENI in QuickSight that points to the VPC that hosts the RDS DB instance. However, the subnet has to be a private subnet and not a public subnet

B :

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new security group with necessary inbound rules for QuickSight in the same VPC. Sign in to QuickSight as a QuickSight admin and create a new QuickSight VPC connection. Create a new dataset from the RDS DB instance

C :

Create a Private Virtual Interface between VPC that hosts Amazon RDS DB instance and QuickSight. Use this connection to privately access necessary data from RDS DB

D :

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new network Access Control List (ACL) with necessary inbound rules for QuickSight in the same VPC. Connect from QuckSight using VPC connector

Answer: B

Question 4

A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. Which solution will meet these requirements?

Options :

A :

Develop a script that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the script on an Amazon EC2 instance in each account. Use a cron job to run the script every 5 minutes. Log the results of the checks to an Amazon RDS for MySQL database.

B :

Create an AWS Lambda function that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the Lambda function to each account by using AWS Serverless Application Model (AWS SAM) templates. Store the results of the checks on an Amazon OpenSearch Service cluster in each account.

C :

Enable Amazon GuardDuty. Create an Amazon EventBridge rule for the Behavior:EC2/NATGatewayCreation GuardDuty finding type. Configure the rule to invoke an AWS Step Functions state machine to send an email alert and terminate a NAT gateway if a NAT gateway is detected. Store the runtime log as a text file in an Amazon S3 bucket.

D :

Create a custom AWS Config rule that checks for NAT gateways in an AWS account. Configure the AWS Config rule to perform an AWS Systems Manager Automation remediation action to send an email alert and terminate the NAT gateway if a NAT gateway is detected. Deploy the AWS Config rule and the Systems Manager runbooks to each account by using AWS CloudFormation StackSets

Answer: D

Question 5

An application's EC2 instances are located in a private subnet and these instances access sensitive data in S3 via a NAT gateway deployed in a public subnet. The S3 bucket is located in the same AWS Region as the EC2 instances. The development team at the company wants to ensure that this bucket can be accessed only from the VPC where the application resides. As an AWS Certified Networking Specialist, which of the following solutions would you suggest to meet these requirements?

Options :

A :

Create an S3 bucket policy and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range and deny all other IP address ranges

B :

Create a new IAM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances. Set up an S3 bucket policy to allow access only from the role

C :

Set up an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint

D : Set up an Origin Access Identity (OAI) for the S3 bucket and allow access only from within the VPC

Answer: C

Free ANS-C01 Mock Exam – Practice Online Confidently

Buying Options: