ANS-C00 Dump Free

ANS-C00 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.

Looking for a reliable way to prepare for your ANS-C00 certification? Our ANS-C00 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.

Using an ANS-C00 dump free set of questions can give you an edge in your exam prep by helping you:

  • Understand the format and types of questions you’ll face
  • Pinpoint weak areas and focus your study efforts
  • Boost your confidence with realistic question practice

Below, you will find 50 free questions from our ANS-C00 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.

Question 1

A company is deploying a non-web application on Elastic Load Balancing. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?

A. Use a Network Load Balancer to automatically preserve the source IP address.

B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.

C. Use a Network Load Balancer and enable the ProxyProtocol attribute.

D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

 


Suggested Answer: D

Community Answer: C

 

Question 2

An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.
What changes should be made to meet this requirement while continuing to support the existing application requirements?

A. Modify the existing DHCP option set and specify the different domain name for the specified subnet.

B. Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

C. Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.

D. Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.

 


Suggested Answer: B

Community Answer: D

 

Question 3

What are three services that help mitigate a DDoS? (Choose two.)

A. AWS Shield

B. DynamoDB

C. Elastic Beanstalk

D. CloudFront

 


Suggested Answer: AD

 

AWS Shield and CloudFront can help mitigate the effects of a DDoS attack.

 

Question 4

You have a hybrid infrastructure, and you need AWS resources to be able to resolve your on-premises DNS names. You have configured a DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. What step should you take to accomplish this?

A. Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.

B. Configure the DHCP option set in the VPC to point to the EC2 DNS server.

C. Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.

D. Disable the source/destination check flag for the DNS instance.

 


Suggested Answer: B

 

Your DNS server will forward queries to your on-premises DNS. You must configure the DHCP option set so the instances will forward queries to your on-premises DNS instead of the VPC DNS.

 

Question 5

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Link, which step is NOT required?

A. Provide public IP address (/31) for each Border Gateway Protocol (BGP) session.

B. Allocate a Private IP address to your network in 172.x.x.x range.

C. Provide the public routes that you will advertise over Border Gateway Protocol (BGP).

D. Provide a public Autonomous System Number (ASN) that you own or a private one to identify your network on the Internet.

 


Suggested Answer: B

 

To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Connect, you need to provide the following:
  • A public Autonomous System Number (ASN) that you own (preferred) or a private ASN.
  • Public IP addresses (/30) (that is, one for each end of the BGP session) for each BGP session.
  • The public routes that you will advertise over BGP.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

 

Question 6

Which service is used by default to store the CloudTrail log files?

A. Elastic Block Store (EBS)

B. Redshift

C. Simple Storage Service (S3)

D. Glacier

 


Suggested Answer: C

 

S3 is used by default to store the CloudTrail log files, and a dedicated S3 bucket is required during the creation of a new trail.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html

 

Question 7

Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

A. 8 subnets and 30 hosts per subnet

B. 16 subnets and 14 hosts per subnet

C. 32 subnets and 30 hosts per subnet

D. 8 subnets and 14 hosts per subnet

 


Suggested Answer: B

 

16 subnets and 14 hosts per subnet are possible in the CIDR.
Reference:
https://en.wikipedia.org/wiki/IPv4_subnetting_reference

 

Question 8

You have configured a dynamic VPN between your datacenter and your VPC. Your router says the tunnel is up and BGP is active, but for some reason, you are not seeing your routes propagate.
What is most likely the issue?

A. You need to configure the firewall for BGP.

B. Your router does not support BFD.

C. You need to obtain a new BGP MD5 key.

D. You forgot to set route propagation to “yes” in the route table.

 


Suggested Answer: D

 

You forgot to set route propagation to “yes” in the route table. If the route table says BGP is active and the tunnel is up, then you do not have a firewall issue. BFD has nothing to do with route propagation. You do not need a BGP MD5 key for VPN.

 

Question 9

Which two statements about placement groups are correct? (Choose two.)

A. A placement group can span multiple VPCs.

B. A placement group can span multiple Availability Zones.

C. You cannot merge placement groups.

D. It is best to use the same instance types in a placement group.

 


Suggested Answer: AC

Community Answer: CD

A placement group can span multiple VPCs but may not experience the full performance benefit. The only way to add instances from one placement group to another is to create AMIs out of the instances and spin them all up into one placement group.

 

Question 10

You want to send a broadcast message to your 10.0.0.0/24 subnet, which one of these addresses should you use?

A. 10.0.0.255

B. 10.0.0.1

C. 10.0.0.2

D. You cannot send a broadcast in an AWS VPC.

 


Suggested Answer: D

 

You cannot send a broadcast in an AWS VPC, but the address is still reserved.

 

Question 11

You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning.
What is most likely the problem?

A. There is no rule in your bucket policy allowing public access.

B. You have applied your SSL to your Elastic Loadbalancer but not your CDN.

C. Your S3 Bucket permissions are incorrect.

D. You are using an SSL from an external CA.

 


Suggested Answer: B

Community Answer: B

You must apply the SSL to your Elastic Loadbalancer and your CDN to encrypt all aspects of your site.

 

Question 12

A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2001:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK -
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK -
Which action will restore network reachability to the EC2 instance?

A. Update the security group associated with eni-0596e500123456789 to permit inbound traffic.

B. Update the security group associated with eni-0596e500123456789 to permit outbound traffic.

C. Update the network ACL associated with the subnet to permit inbound traffic.

D. Update the network ACL associated with the subnet to permit outbound traffic.

 


Suggested Answer: C

Community Answer: D

 

Question 13

In AWS, which service provides a reliable and inexpensive way to backup and archive CloudTrail log files?

A. Amazon Archiver

B. Amazon Glacier

C. AWS Storage Gateway

D. Amazon Elastic Block Store

 


Suggested Answer: B

Community Answer: B

You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely, but for cost efficiency, you may want to delete old log files or archive them to Amazon Glacier, a storage service optimized for data archiving and backup of infrequently used data.
Reference:
https://aws.amazon.com/cloudtrail/faqs/

 

Question 14

Which AWS service is used within an AWS Config Rule to perform the logic evaluation of that rule?

A. Inspector

B. WAF

C. Lambda

D. SWF

 


Suggested Answer: C

 

AWS Config Rules are a great way to help you enforce specific compliance controls and checks across your resources, and they allow you to adopt an ‘ideal’ deployment specification for each of your resource types. Each rule is simply a Lambda function that, when called upon, evaluates the resource and carries out some simple logic to determine the compliance result with the rule.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs-sample.html

 

Question 15

In the context of Amazon CloudFront, when you configure the media player, the path you specify to the media file must contain the characters _____________.

A. flv/std just before the domain name

B. flv/std immediately after the domain name

C. cfx/st just before the domain name

D. cfx/st immediately after the domain name

 


Suggested Answer: D

Community Answer: D

In Amazon CloudFront, when you configure the media player, the path you specify to the media file must contain the characters cfx/st immediately after the domain name. For example: rtmp://s5c39gqb8ow64r.cloudfront.net/cfx/st/mediafile.flv
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Streaming_URLs.html

 

Question 16

Over which of the following Ethernet standards does AWS Direct Connect link your internal network to an AWS Direct Connect location?

A. Copper backplane cable

B. Twisted pair cable

C. Single mode fiber-optic cable

D. Shielded balanced copper cable

 


Suggested Answer: C

 

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet single mode fiber-optic cable.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

 

Question 17

AWS Config flags a resource as ____ if a resource violates any conditions of an AWS Config rule that it evaluates on the resource in question.

A. corrupted

B. noncompliant

C. invalid

D. misconfigured

 


Suggested Answer: B

 

Use AWS Config to evaluate the configuration settings of your AWS resources. You do this by creating AWS Config rules, which represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started. You can also create your own custom rules. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html

 

Question 18

For _______ distributions, CloudFront does not cache cookies in edge caches.

A. AMI

B. Web

C. RTMP

D. Web and RTMP

 


Suggested Answer: C

 

For RTMP distributions, when Amazon CloudFront requests an object from the origin server, it removes any cookies before forwarding the request to your origin. If your origin returns any cookies along with the object, CloudFront removes them before returning the object to the viewer.
For RTMP distributions, CloudFront does not cache cookies in edge caches.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

 

Question 19

An organization with a growing ecommerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

A. Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.

B. Use multiple CloudHSM instances to the cluster; request to it will automatically load balance.

C. Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.

D. Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.

 


Suggested Answer: A

Community Answer: B

 

Question 20

In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS. These connections can terminate on one or two routers in your network. You can do this while __________________ with AWS Direct Connect step.

A. creating a Virtual Interface

B. configuring redundant connections

C. completing the cross-connect

D. verifying your Virtual Interface

 


Suggested Answer: B

 

In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS.
These connections can terminate on one or two routers in your network. You can do this in the “Configure Redundant Connections with AWS Direct Connect” step.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantConnections

 

Question 21

In the context of CloudFront RTMP Distribution, the Adobe Flash Media Server _________ file specifies which domains can access media files in a particular domain.

A. accessdomain.JSON

B. crossdomain.xml

C. accessdomain.xml

D. crossdomain.JSON

 


Suggested Answer: B

 

In the context of CloudFront RTMP Distribution, the Adobe Flash Media Server crossdomain.xml file specifies which domains can access media files in a particular domain.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Streaming_CrossDomain.html

 

Question 22

A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?

A. Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.

B. Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.

C. Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.

D. Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.

 


Suggested Answer: D

 

 

Question 23

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

C. Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.

D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3.

 


Suggested Answer: C

Community Answer: C

 

Question 24

Which of these modes is not a configuration mode for a WAF?

A. Block

B. Allow

C. Sleep

D. Monitor

 


Suggested Answer: C

Community Answer: C

There is no sleep mode for a WAF. WAFs are hard workers.

 

Question 25

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
  • Protocol: TCP
  • Port: 80 inbound and nothing outbound
The Network ACL for the subnet is configured to allow as follows:
  • Protocol: TCP
  • Port: 80 inbound and nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?

A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80

B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535

C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80

D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535

 


Suggested Answer: C

Community Answer: D

 

Question 26

A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?

A. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.

B. Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.

C. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the security team.

D. Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.

 


Suggested Answer: A

Community Answer: C

 

Question 27

Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.

A. It depends on the Rule configuration

B. Only if it remains non-compliant for more than 6 hours

C. True

D. False

 


Suggested Answer: D

Community Answer: A

Each time a change is made to one of your supported resources, AWS Config will check its compliance against any Config Rules that you have in place. If there is a violation against these rules, then AWS Config will send a message to the Configuration Stream via SNS and the resource will be marked as ‘noncompliant’.
It’s important to note that this does not mean the resource will be taken out of service or it will stop working. It will continue to operate exactly as it is with its new configuration. AWS Config simply alerts you that there is a violation and it’s up to you to take the appropriate action.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

 

Question 28

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?

A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.

B. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.

D. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

 


Suggested Answer: D

Community Answer: C

 

Question 29

You have 3 VPCs that need to be able to pass traffic. In what two ways can you achieve this? (Choose two.)

A. Peer each VPC to every other VPC to create a full mesh peering.

B. Peer them, VPC peering allows transitive peering as of December 2017.

C. Call AWS to enable transitive peering.

D. Create VPNs between them and adjust the routing tables accordingly.

 


Suggested Answer: AD

 

VPN instances can be used to create transitive peering. Full mesh peering is the only way to use peering to allow all VPCs to communicate with all other VPCs.
Transitive peering is not possible.

 

Question 30

An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.
What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

A. Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.

B. Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.

C. Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.

D. Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

 


Suggested Answer: B

Community Answer: D

 

Question 31

Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.
You must prepare the system for global expansion. The end users must access the application with lowest latency.
How should you use AWS services to meet these requirements?

A. Register the IP addresses of the service hosts as “A” records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.

B. Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.

C. Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.

D. Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.

 


Suggested Answer: B

Community Answer: A

 

Question 32

What must be added to your web server configuration to view the true requesting IP address?

A. X-Actual-IP

B. X-Forwarded-Proto

C. X-Amzn-Trace-ID

D. X-Forwarded-For

 


Suggested Answer: D

 

X-Forwarded-For. X-Forwarded-Proto is to see the protocol, X-Actual-IP doesn’t exist and X-Amzn-Trace-ID is for Amazon’s unique identifier.

 

Question 33

An organization has three AWS accounts, each containing VPCs in the Virginia, Canada and Sydney regions. The organization wants to determine whether all available Elastic IP addresses (EIPs) in these accounts are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs) in all of the specified regions for compliance and cost-optimization purposes.
Which of the following meets the requirements with the LEAST management overhead?

A. Use an Amazon CloudWatch Events rule to schedule an AWS Lambda function in each account in all three regions to find the unattached and unused EIPs.

B. Use a CloudWatch event bus to schedule Lambda functions in each account in all three regions to find the unattached and unused EIPs.

C. Add an AWS managed, EIP-attached AWS Config rule in each region in all three accounts to find unattached and unused EIPs.

D. Use AWS CloudFormation StackSets to deploy an AWS Config EIP-attached rule in all accounts and regions to find the unattached and unused EIPs.

 


Suggested Answer: C

Community Answer: D

 

Question 34

A company is running services in a VPC with a CIDR block of 10.5.0.0/22. End users report that they no longer can provision new resources because some of the subnets in the VPC have run out of IP addresses.
How should a network engineer resolve this issue?

A. Add 10.5.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

B. Add 10.5.4.0/21 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

C. Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

D. Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

 


Suggested Answer: D

 

 

Question 35

A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required.
What should the network engineer do to meet these requirements?

A. Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

B. Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

C. Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.

D. Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

 


Suggested Answer: A

Community Answer: A

 

Question 36

An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule's ____, which can include a combination of a resource type and a resource ID, for example.

A. trigger

B. domain

C. manifest

D. scope

 


Suggested Answer: D

 

When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs. You choose which resources trigger the evaluation by defining the rule’s scope. The scope can include the following:
  • One or more resource types
  • A combination of a resource type and a resource ID
  • A combination of a tag key and value
  • When any recorded resource is created, updated, or deleted
AWS Config runs the evaluation when it detects a change to a resource that matches the rule’s scope. You can use the scope to constrain which resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

 

Question 37

Which of these is not a requirement to set up a DX connection?

A. Support for 802.1q VLANs

B. BGP MD5 Authentication

C. Autonegotiation enabled

D. Single mode fiber capability

 


Suggested Answer: C

 

Autonegotiation must be disabled.

 

Question 38

Which service would you use to see the DSCP value in a packet header?

A. CloudTrail

B. Config

C. Flow Logs

D. None of the above

 


Suggested Answer: D

 

To perform deep packet inspection, you would need a specialized tool such as Wireshark.

 

Question 39

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.

B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.

C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.

D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

 


Suggested Answer: A

Community Answer: D

 

Question 40

Which of the following statements is true of AWS Elastic Beanstalk?

A. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.

B. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, and both are free of charge.

C. AWS Elastic Beanstalk doesn’t use CloudWatch for monitoring and alarms, but you pay extra for any AWS Elastic Beanstalk Alarm you set in the monitoring tool.

D. AWS Elastic Beanstalk has its own free-of-charge monitoring tool, and you are not charged for the alarm you set.

 


Suggested Answer: A

 

AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.alarms.html

 

Question 41

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

A. Use inbound security group rules to block the IP addresses.

B. Use inbound network ACL rules to block the IP addresses.

C. Use AWS WAF to block the IP addresses.

D. Write iptables rules on the instance to block the IP addresses.

 


Suggested Answer: B

Community Answer: C

 

Question 42

You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 × 7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud.
Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets.
Select the correct network configuration that best facilitates your company's continued growth plans.

A. Provision a Direct Connect connection – between your service provider’s data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required

B. Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option

C. Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option

D. Provision a Direct Connect connection – between your existing service provider’s data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual Interface

 


Suggested Answer: D

Community Answer: D

Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations – therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required – the answer is yes and therefore the correct answer is D.
Reference:
https://aws.amazon.com/directconnect/faqs/

 

Question 43

A company's web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further requests for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.
Which action should be taken to block more IP addresses, without compromising the existing security requirements?

A. Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.

B. Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.

C. Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.

D. Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.

 


Suggested Answer: D

Community Answer: C

 

Question 44

To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files

A. SSE-S3

B. SCE-KMS

C. SCE-S3

D. SSE-KMS

 


Suggested Answer: D

Community Answer: D

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

 

Question 45

An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.
Which architecture will support this deployment while allowing for future expansion?

A. A VPC with a /16 CIDR and one /21 subnet

B. A VPC with a /20 CIDR and two /21 subnets

C. A VPC with a /16 CIDR and one /22 subnet

D. A VPC with a /20 CIDR and two /23 subnets

 


Suggested Answer: C

Community Answer: B

 

Question 46

In Amazon CloudFront, while creating a web distribution, which of the following can be used as origin servers?

A. Any combination of AWS Glacier archives and Oracle server

B. Any combination of Amazon DB instances and XML servers

C. Any combination of Amazon S3 buckets and HTTP servers

D. Any combination of Amazon Data Insights and PHP servers

 


Suggested Answer: C

 

In Amazon CloudFront, while creating a web distribution, you can create one or more Amazon S3 buckets or configure HTTP servers as your origin servers. An origin is the location where you store the original version of your web content. When CloudFront gets a request for your files, it goes to the origin to get the files that it distributes at edge locations. You can use any combination of Amazon S3 buckets and HTTP servers as your origin servers.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating.html

 

Question 47

What are two ways to influence the direction of Dynamic VPN traffic over multiple links? (Choose two.)

A. AS_PATH Prepending

B. BFD

C. MED

D. Shouting at it

 


Suggested Answer: AC

 

BFD detects failed links but does not create them. Shouting at it just isn’t nice.

 

Question 48

You are architecting an HPC solution in AWS. The system consists of a cluster of EC2 instances that require low-latency communications between them.
Which method should you use to set up a cluster to meet these requirements?

A. Create a VPC with one subnet in a single Availability Zone. Keep the size of the subnet equal to the number of instances required in the cluster. Launch instances for the cluster in this small subnet to guarantee low-latency network performance.

B. Create a placement group. Choose an EC2 instance type compatible with placement groups for the cluster. Launch instances for the cluster in the placement group.

C. Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach all instances to an Amazon EBS PIOPS volume. Implement a shared memory system across all instances in the cluster, using this shared EBS volume to minimize latency of communication.

D. Choose an EC2 instance type that offers enhanced networking. Attach a 10-Gbps non-blocking elastic network interface to the instances. Configure the elastic network interface to optimize network performance to reduce latency.

 


Suggested Answer: B

 

Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. A is incorrect because the size of a subnet has no impact on network performance. C is incorrect because an EBS volume cannot be shared between EC2 instances. D is only half the solution because the enhanced networking affects the network behavior of an EC2 instance but not the network infrastructure between instances.

 

Question 49

Within the TCP/IP model, what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver?

A. Frames

B. Packets

C. Data

D. Segments

 


Suggested Answer: D

 

Segments is the PDU used between transport layers.
Reference:
https://en.wikipedia.org/wiki/Transmission_Control_Protocol

 

Question 50

What is NOT a benefit of CloudFront?

A. Helps ease the strain on your web servers

B. Distributes traffic evenly to EC2 instances

C. Speeds up distribution of RTMP content

D. Speeds up distribution of static and dynamic web content

 


Suggested Answer: B

Community Answer: B

Elastic Load balancers distribute traffic to EC2 instances.

 

Access Full ANS-C00 Dump Free

Looking for even more practice questions? Click here to access the complete ANS-C00 Dump Free collection, offering hundreds of questions across all exam objectives.

We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.

Begin your certification journey today with our ANS-C00 dump free questions — and get one step closer to exam success!


PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
