
ANS-C00 Mock Test Free


ANS-C00 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.

Getting ready for your ANS-C00 certification exam? Start your preparation the smart way with our ANS-C00 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.

Using a free mock test for the ANS-C00 exam is one of the best ways to:

  • Familiarize yourself with the actual exam format and question style
  • Identify areas where you need more review
  • Strengthen your time management and test-taking strategy

Below, you will find 50 free questions from our ANS-C00 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.

Question 1

An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements? (Choose two.)

A. Amazon Aurora in a private subnet

B. Amazon CloudFront using AWS Lambda@Edge

C. Customer-managed MySQL with Transparent Data Encryption

D. Application Load Balancer using HTTPS listeners and targets

E. AWS Key Management Services

 


Suggested Answer: CE

Community Answer: BE

References:
https://noise.getoto.net/tag/aws-kms/

 

Question 2

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
A team will migrate the PCI DSS application from an on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?

A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol Policy to ‘Match Viewer’.

B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.

C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.

D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward requests to the origin via the Amazon private network.

 


Suggested Answer: C

Community Answer: A

 

Question 3

Use ___________ to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.

A. Amazon Elastic Beanstalk command line

B. Amazon EC2 log files

C. Amazon CloudWatch

D. Amazon Load balancing

 


Suggested Answer: C

 

In AWS Elastic Beanstalk, you can use Amazon CloudWatch to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.concepts.design.html

 

Question 4

Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one for each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routes over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.
Which two actions should you take to fix this problem? (Choose two.)

A. Use BGP AS prepend attribute to prepend additional AS numbers while advertising routes from R1 to VGW.

B. Use BGP local preference attribute to assign R1 to a lower local preference number than R2.

C. Use BGP local preference attribute to assign R1 a higher local preference number than R2.

D. Use BGP MED attribute to assign a higher MED value to the routes advertised from R1 to VGW.

E. Use BGP MED attribute to assign a higher MED value to the routes advertised from R2 to VGW.

 


Suggested Answer: AC

Community Answer: AD

 

Question 5

Which of the following services is used to send an alert from CloudWatch?

A. AWS SNS

B. AWS EBS

C. AWS SES

D. AWS SQS

 


Suggested Answer: A

 

AWS Auto Scaling and Simple Notification Service (SNS) work in conjunction with CloudWatch. You use Amazon SNS with CloudWatch to send messages when an alarm threshold has been reached.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/related_services.html

 

Question 6

You need to create a baseline of normal traffic flow in order to implement some security changes to your organization.
What two items would be best to use? (Choose two.)

A. Wireshark

B. CloudTrail

C. An IDS

D. CloudWatch

 


Suggested Answer: AD

Community Answer: CD

 

Question 7

Which endpoint is considered to be best practice when analyzing data within a Configuration Stream of AWS Config?

A. SNS

B. E-Mail

C. SQS

D. Kinesis

 


Suggested Answer: C

Community Answer: A

The Simple Queue Service can be subscribed to the AWS Config topic (the Configuration Stream), which gives you a highly available and decoupled environment for the data within your Configuration Streams. Using SQS allows you to create and use your own applications to extract only the information and data that is pertinent to you. There can be vast amounts of data coming into the Configuration Stream, but you might only want to be notified and made aware of any changes that may relate to any potential security issues. As a result, you may want to pull information from the queue that only relates to Security Groups/NACLs/IAM Roles or any other resource type that could affect the security of your environment.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/monitor-resource-changes.html

 

Question 8

You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?

A. Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.

B. Modify the network access control list on the VPC to allow DNS queries from on-premises systems.

C. Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.

D. Update the on-premises forwarders with the four name servers assigned to the private hosted zone.

 


Suggested Answer: D

Community Answer: A

References:
https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-by-using-unbound/

 

Question 9

A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy.
What is the MOST cost-effective solution to meet these requirements?

A. Move the EC2 instances to a dedicated VPC. Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.

B. Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.

C. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.

D. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.

 


Suggested Answer: A

Community Answer: D

 

Question 10

What MTU is recommended for VPN and Direct Connect links?

A. 1500

B. 2000

C. 128

D. Jumbo Frames

 


Suggested Answer: A

 

Jumbo frames will not pass through VPN and Direct Connect links using AWS connections. You must use an MTU of 1500.

 

Question 11

You have a Simple AD deployment, and you wish to use it for your Microsoft Exchange email server. You are having issues finding the AD server, why might this be?

A. You need to contact AWS to receive a PTR record for your email server.

B. Your firewall is blocking it.

C. Simple AD is not a full Active Directory server and will not work with many MS products.

D. SSL is not implemented.

 


Suggested Answer: C

 

Simple AD is Samba based and does not support full Microsoft AD integration.

 

Question 12

An organization runs a consumer-facing website on AWS. The Amazon EC2-based web fleet is load balanced using the AWS Application Load Balancer; Amazon Route 53 is used to provide the public DNS services.
The following URLs need to serve content to end users:
test.example.com
web.example.com
example.com
Based on this information, what combination of services must be used to meet the requirement? (Choose two.)

A. Path condition in ALB listener to route example.com to appropriate target groups.

B. Host condition in ALB listener to route *.example.com to appropriate target groups.

C. Host condition in ALB listener to route example.com to appropriate target groups.

D. Path condition in ALB listener to route *.example.com to appropriate target groups.

E. Host condition in ALB listener to route $$$$.example.com to appropriate target groups.

 


Suggested Answer: AC

Community Answer: BC

 

Question 13

[1]
your webpage will be _____.
[1]
[1]
[1]
[1]

 


Suggested Answer: D

 

[1]
[1]
[1]
[1]
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GettingStarted.html

 

Question 14

A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?

A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.

B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.

C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.

D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.

 


Suggested Answer: B

Community Answer: B

 

Question 15

How many tunnels do you get with each VPN connection hosted by AWS?

A. 4

B. 1

C. 2

D. 8

 


Suggested Answer: C

 

All AWS VPNs come with 2 tunnels for resiliency.

 

Question 16

An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.
What changes should be made to meet this requirement while continuing to support the existing application requirements?

A. Modify the existing DHCP option set and specify the different domain name for the specified subnet.

B. Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

C. Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.

D. Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.

 


Suggested Answer: B

Community Answer: D

 

Question 17

By default, all AWS accounts are limited to ____ EIPs, because public (IPv4) Internet addresses are a scarce public resource.

A. 5

B. 8

C. 6

D. 2

 


Suggested Answer: A

 

An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance by rapidly remapping the address to another instance. By default, all AWS accounts are limited to 5 EIPs, because public (IPv4) Internet addresses are a scarce public resource.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

 

Question 18

You received reports from clients in another time zone that they experienced an outage of your website several hours before you arrived at work. What two AWS services could prove crucial in figuring out what happened? (Choose two.)

A. AWS Support

B. CloudTrail

C. CloudWatch

D. Flow Logs

 


Suggested Answer: CD

Community Answer: BC

CloudTrail is for finding out who made a change. This could be a reason for the outage, but you need to see the metrics first. CloudWatch and Flow Logs are the best for this.

 

Question 19

True or false: A VPC contains multiple subnets, where each subnet can span multiple Availability Zones.

A. This is true only for US regions.

B. This is false.

C. This is true.

D. This is true only if requested during the set-up of VPC.

 


Suggested Answer: B

 

A VPC can span several Availability Zones. In contrast, a subnet must reside within a single Availability Zone.
Reference:
https://aws.amazon.com/vpc/faqs/

 

Question 20

Which service is used by default to store the CloudTrail log files?

A. Elastic Block Store (EBS)

B. Redshift

C. Simple Storage Service (S3)

D. Glacier

 


Suggested Answer: C

 

S3 is used by default to store the CloudTrail log files, and a dedicated S3 bucket is required during the creation of a new Trail.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html

 

Question 21

You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.
Which of the following will improve transmission quality?

A. Enable enhanced networking

B. Select G2 instance types

C. Enable jumbo frames

D. Use multiple elastic network interfaces

 


Suggested Answer: D

Community Answer: A

 

Question 22

You are configuring a CloudFront distribution, and when you try to attach an SSL, you do not see your SSL listed. What is the most likely reason for this?

A. You must configure an https record in Route 53 first.

B. Sometimes, it won’t show, and you need to retrieve the ARN for the SSL and enter it manually.

C. You requested an SSL for the wrong region.

D. You didn’t wait 48 hours after approving the SSL.

 


Suggested Answer: C

 

 

Question 23

A company is running services in a VPC with a CIDR block of 10.5.0.0/22. End users report that they no longer can provision new resources because some of the subnets in the VPC have run out of IP addresses.
How should a network engineer resolve this issue?

A. Add 10.5.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

B. Add 10.5.4.0/21 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

C. Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

D. Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

 


Suggested Answer: D

 

 

Question 24

Your company needs to leverage Amazon Simple Storage Solution (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?

A. An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.

B. An AWS Direct Connect connection to us-east-1.

C. An AWS Direct Connect connection to us-west-2.

D. An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.

 


Suggested Answer: A

Community Answer: C

 

Question 25

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?

A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.

B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.

C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.

D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.

 


Suggested Answer: D

Community Answer: C

 

Question 26

What statement about LAGs is incorrect?

A. If you create a new connection, you will have to fill out another LOA-CFA.

B. You can pool connections with multiple speeds to create one faster speed.

C. You will receive 1 LOA-CFA with a page for each connection.

D. All connections in the LAG must terminate at the same DX endpoint.

 


Suggested Answer: B

Community Answer: B

All links must be the same speed for a LAG to be operational.

 

Question 27

An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule's ____, which can include a combination of a resource type and a resource ID, for example.

A. trigger

B. domain

C. manifest

D. scope

 


Suggested Answer: D

 

When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs. You choose which resources trigger the evaluation by defining the rule’s scope. The scope can include the following:
  • One or more resource types
  • A combination of a resource type and a resource ID
  • A combination of a tag key and value
  • When any recorded resource is created, updated, or deleted
AWS Config runs the evaluation when it detects a change to a resource that matches the rule’s scope. You can use the scope to constrain which resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

 

Question 28

A company is deploying a new web application that uses a three-tier model with a public-facing Network Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company's data center. There is an AWS Direct Connect connection between the VPC and the company's data center. Load testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are required to handle peak loads.
The network engineer needs to design a VPC that has a /24 CIDR assigned to it.
How should the engineer allocate subnets across three Availability Zones for each tier?

A. Network Load Balancer: /29 per subnet Web: /26 per subnet

B. Network Load Balancer: /28 per subnet Web: /25 per subnet

C. Network Load Balancer: /28 per subnet Web: /27 per subnet

D. Network Load Balancer: /28 per subnet Web: /26 per subnet

 


Suggested Answer: D

 

 

Question 29

Which one of the following options is not true about WorkSpaces?

A. WorkSpaces allows integration with Microsoft AD.

B. WorkSpaces is great for running Linux applications.

C. WorkSpaces is a fully managed, secure desktop computing service.

D. WorkSpaces can query on-premises domains for authentication.

 


Suggested Answer: D

 

 

Question 30

You wish to access all European regions using your Direct Connect connection. How should you accomplish this?

A. Peer VPCs in the different regions and connect DX to one of the regions to communicate with the other.

B. Use a DX Gateway.

C. Find the prefix list for the other region and add it to your route table.

D. One DX connection will connect you to all regions.

 


Suggested Answer: B

 

The DX Gateway will allow access to multiple regions.

 

Question 31

When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this. (Choose two.)

A. Keep both tunnels up.

B. Configure AS_PATH prepending on one of the paths.

C. Turn off one of the paths until you need it.

D. Configure MED on one of the tunnels.

 


Suggested Answer: AB

Community Answer: AD

AWS prefers AS_PATH prepending and for a tunnel to provide true failover, it must always be on.

 

Question 32

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.
How should you design routing to meet these requirements?

A. Configure a single routing table with two default routes: one to the Internet via an IGW, the other to the on-premises network via the VGW. Use this routing table across all subnets in your VPC.

B. Configure two routing tables: one that has a default route via the IGW, and another that has a default route via the VGW. Associate both routing tables with each VPC subnet.

C. Configure a single routing table with a default route via the IGW. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.

D. Configure a single routing table with a default route via the IGW. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.

 


Suggested Answer: D

Community Answer: D

 

Question 33

An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover.
What MUST be configured for this design to work? (Choose two.)

A. A different Autonomous System Number (ASN) for each firewall

B. Border Gateway Protocol (BGP) routing

C. Autonomous system (AS) path prepending

D. Static routing

E. Equal-cost multi-path routing (ECMP)

 


Suggested Answer: BE

Community Answer: BC

 

Question 34

Which CloudWatch attributes are used for the statistics generation?

A. All the options are used

B. Dimension

C. Data point unit

D. NameSpace

 


Suggested Answer: A

 

Statistics represents data aggregation of the metric data values over a specific period of time. These aggregations are made using the namespace, metric name, dimensions and the data point unit of measure within the time period that the user has specified.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_MetricDatum.html

 

Question 35

Which of the following statements is true of AWS Elastic Beanstalk?

A. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.

B. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, and both are free of charge.

C. AWS Elastic Beanstalk doesn’t use CloudWatch for monitoring and alarms, but you pay extra for any AWS Elastic Beanstalk Alarm you set in the monitoring tool.

D. AWS Elastic Beanstalk has its own free-of-charge monitoring tool, and you are not charged for the alarm you set.

 


Suggested Answer: A

 

AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.alarms.html

 

Question 36

You are architecting your e-business application for PCI compliance. To meet the compliance requirements, you need to monitor web application logs to identify any malicious activity. You also need to monitor for remote attempts to change the network interface of web instances.
Which two AWS services will be helpful to achieve this goal?

A. Amazon CloudWatch Logs and VPC Flow Logs

B. AWS CloudTrail and VPC Flow Logs

C. AWS CloudTrail and CloudWatch Logs

D. AWS CloudTrail and AWS Config

 


Suggested Answer: C

 

Web application logs are internal to the operating system, so the only way to monitor them with an AWS service is to export them using CloudWatch Logs. AWS CloudTrail monitors the API activity and can be used to watch for particular API calls. The correct answer is the only one that references both these services.

 

Question 37

A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Choose two.)

A. Use Local Pref to control outbound traffic.

B. Use AS Prepending to control inbound traffic.

C. Use eBGP multi-hop between loopback interfaces.

D. Use BGP Communities to control outbound traffic.

E. Advertise more specific prefixes over one Direct Connect connection.

 


Suggested Answer: CE

Community Answer: AE

 

Question 38

A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses.
Which solution will meet these requirements?

A. Connect to CloudWatch through a NAT gateway.

B. Connect to CloudWatch through a gateway endpoint.

C. Connect to CloudWatch through an internet gateway.

D. Connect to CloudWatch through an interface endpoint.

 


Suggested Answer: D

Community Answer: D

 

Question 39

Which two choices can serve as a directory service for WorkSpaces? (Choose two.)

A. Simple AD

B. Enhanced AD

C. Direct Connection

D. AWS Microsoft AD

 


Suggested Answer: AD

 

There is no such thing as “Enhanced AD” and DX is not a directory service.

 

Question 40

A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.
Which of the following actions meet the requirements? (Choose two.)

A. The Lambda function needs an IAM role to access Amazon SQS

B. The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.

C. The Lambda function must be assigned a public IP address to access the public Amazon SQS API.

D. The ElastiCache server outbound security group rules must be configured to permit the Lambda function’s security group.

E. The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.

 


Suggested Answer: AC

Community Answer: AB

References:
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

 

Question 41

You have configured a dynamic VPN between your datacenter and your VPC. Your router says the tunnel is up and BGP is active, but for some reason, you are not seeing your routes propagate.
What is most likely the issue?

A. You need to configure the firewall for BGP.

B. Your router does not support BFD.

C. You need to obtain a new BGP MD5 key.

D. You forgot to set route propagation to “yes” in the route table.

 


Suggested Answer: D

 

You forgot to set route propagation to “yes” in the route table. If the route table says BGP is active and the tunnel is up, then you do not have a firewall issue. BFD has nothing to do with route propagation. You do not need a BGP MD5 key for VPN.

 

Question 42

Your company operates a single AWS account. A common services VPC is deployed to provide shared services, such as network scanning and compliance tools.
Each AWS workload uses its own VPC, and each VPC must peer with the common services VPC. You must choose the most efficient and cost effective approach.
Which approach should be used to automate the required VPC peering?

A. AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.

B. An OpsWorks Chef recipe to execute a command-line peering request.

C. Cfn-init with AWS CloudFormation to execute a command-line peering request.

D. An AWS CloudFormation template that includes a peering request.

 


Suggested Answer: A

Community Answer: D

 

Question 43

What service is used to store the log files generated by CloudTrail?

A. EC2

B. EBS

C. S3

D. VPC

 


Suggested Answer: C

 

The AWS CloudTrail uses Amazon’s Simple Storage Service (S3) to store log files. It also supports the use of S3 life cycle configuration rules to reduce storage costs.
Reference:
https://aws.amazon.com/cloudtrail/

 

Question 44

Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

A. For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible

B. Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway

C. Jumbo Frames are not supported for traffic that exits the Internet Gateway

D. T2.micro instances do not support Jumbo Frames

 


Suggested Answer: D

Community Answer: D

All answers except for Answer D are correct. Answer D is incorrect in that AWS does indeed support Jumbo Frames on all instance types within the T2 family class – including the T2.micro instance type.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

 

Question 45

If you have one VPC peered with two VPCs with overlapping CIDRs, which route will be preferred?

A. 10.1.0.0/16

B. 10.0.0.0/8

C. 10.1.1.5/32

D. 10.1.1.0/24

 


Suggested Answer: C

 

10.1.1.5/32. The most specific route is preferred.

 

Question 46

A company has a VPC in the us-west-1 Region and another VPC in the ap-southeast-2 Region. Network engineers set up an AWS Direct Connect connection from their data center to the us-east-1 Region. They create a private virtual interface (VIF) that references a Direct Connect gateway, which is then connected to virtual private gateways in both VPCs. When the setup is complete, the engineers cannot access resources in us-west-1 from ap-southeast-2.
What should the network engineers do to resolve this issue?

A. Add the subnet range for the VPCs in us-west-1 and ap-southeast-2 to the route tables for both VPCs. Add the Direct Connect gateway as a target.

B. Configure the Direct Connect gateway to route traffic between the VPCs in ap-southeast-2 and us-west-2.

C. Establish a VPC peering connection between the VPCs in ap-southeast-2 and us-west-2. Add the subnet ranges to the routing tables.

D. Create static routes in each VPC that point to the destination VPC with the virtual private gateway as the route target.

 


Suggested Answer: B

Community Answer: C

 

Question 47

You have a server that serves www, FTP, and mail. You need to access this server using www.yourname.com, ftp.yourname.com, and mail.yourname.com. You want to ensure an IP change results in the least number of other changes.
What is the best solution?

A. Create PTR records and point the IP address of the server back to www, ftp, and mail.

B. Create an A record pointing to the server’s IP address and create CNAME records for www, ftp, and mail and point those to the A record.

C. Create an A record for www, ftp and mail, and point it to the ALIAS of the server.

D. Create CNAME records for www, ftp, and mail and point those to the A record already provided to the instance by AWS.

 


Suggested Answer: B

 

There is no ALIAS record for an EC2 instance. CNAME records pointed to the A record provided by AWS won’t work because if the IP changes, the A record will change also. A PTR record is not appropriate here and cannot point to more than one record. Having three CNAME records and one A record will result in only having to change the A record if the IP changes.

 

Question 48

The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity.
Select the correct statement below regarding the correct configuration options to ensure IPsec confidentiality:

A. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, MD5

B. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, AES

C. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

D. The following protocols may be used to configure IPsec confidentiality, PSK, MD5

E. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

 


Suggested Answer: B

 

Answer A is incorrect, as MD5 is a hashing protocol (data integrity).
Answer C is incorrect, as PSK is short for Pre-Shared Keys (key exchange), and again MD5 is a hashing protocol (data integrity).
Answer D is incorrect, as both MD5 and SHA are hashing protocols (data integrity).
Answer E is incorrect, as both PSK and RSA are used for key exchanges.
This leaves Answer B as the only correct IPsec configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.
Reference:
https://en.wikipedia.org/wiki/IPsec

 

Question 49

A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution.
The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?

A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.

B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.

C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.

D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.

 


Suggested Answer: C

Community Answer: B

 

Question 50

What is NOT a benefit of CloudFront?

A. Helps ease the strain on your web servers

B. Distributes traffic evenly to EC2 instances

C. Speeds up distribution of RTMP content

D. Speeds up distribution of static and dynamic web content

 


Suggested Answer: B

Community Answer: B

Elastic Load balancers distribute traffic to EC2 instances.

 

Access Full ANS-C00 Mock Test Free

Want a full-length mock test experience? Click here to unlock the complete ANS-C00 Mock Test Free set and get access to hundreds of additional practice questions covering all key topics.

We regularly update our question sets to stay aligned with the latest exam objectives—so check back often for fresh content!

Start practicing with our ANS-C00 mock test free today—and take a major step toward exam success!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
