01. A company has implemented a critical environment on AWS. For compliance purposes, a network engineer needs to verify that the Amazon EC2 instances are using a specific approved security group and belong to a specific VPC.
The configuration history of the instances should be recorded and, in the event of any compliance issues, the instances should be automatically stopped.
What should be done to meet these requirements?
a) Enable AWS CloudTrail and create a custom Amazon CloudWatch alarm to perform the required checks. When the CloudWatch alarm is in a failed state, trigger the stop this instance action to stop the noncompliant EC2 instance.
b) Configure a scheduled event with AWS CloudWatch Events to invoke an AWS Lambda function to perform the required checks. In the event of a noncompliant resource, invoke another Lambda function to stop the EC2 instance.
c) Configure an event with AWS CloudWatch Events for an EC2 instance state-change notification that triggers an AWS Lambda function to perform the required checks. In the event of a noncompliant resource, invoke another Lambda function to stop the EC2 instance.
d) Enable AWS Config and create custom AWS Config rules to perform the required checks. In the event of a noncompliant resource, use a remediation action to execute an AWS Systems Manager document to stop the EC2 instance.
02. A network engineer is architecting a high performance computing solution on AWS. The system consists of a cluster of Amazon EC2 instances that require low-latency communications between them.
Which method will meet these requirements?
a) Launch instances into a single subnet with a size equal to the number of instances required for the cluster.
b) Create a cluster placement group. Launch Elastic Fabric Adapter (EFA)-enabled instances into the placement group.
c) Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach Amazon EBS Provisioned IOPS (PIOPS) volumes. Implement a shared memory system across all instances in the cluster.
d) Choose an Amazon EC2 instance type that offers enhanced networking. Attach a 10 Gbps non-blocking elastic network interface to the instances.
03. A company is extending its on-premises data center to AWS. Peak traffic is expected to range between 1 Gbps and 2 Gbps.
A network engineer must ensure that there is sufficient bandwidth between AWS and the data center to handle peak traffic. The solution should be highly available and cost effective.
What should be implemented to address these needs?
a) Deploy a 10 Gbps AWS Direct Connect connection with an IPsec VPN backup.
b) Deploy two 1 Gbps AWS Direct Connect connections in a link aggregation group.
c) Deploy two 1 Gbps AWS Direct Connect connections in a link aggregation group to two different Direct Connect locations.
d) Deploy a 10 Gbps AWS Direct Connect connection to two different Direct Connect locations.
04. A company has an application that processes confidential data. The data is currently stored in an onpremises data center.
A network engineer is moving workloads to AWS, and needs to ensure confidentiality and integrity of the data in transit to AWS. The company has an existing AWS Direct Connect connection.
Which combination of steps should the network engineer perform to set up the most cost-effective connection between the on-premises data center and AWS?
(Select TWO.)
a) Attach an internet gateway to the VPC.
b) Configure a public virtual interface on the AWS Direct Connect connection.
c) Configure a private virtual interface to the virtual private gateway.
d) Set up an IPsec tunnel between the customer gateway and a software VPN on Amazon EC2.
e) Set up a Site-to-Site VPN between the customer gateway and the virtual private gateway.
05. A company’s compliance requirements specify that web application logs must be collected and analyzed to identify any malicious activity.
A network engineer also needs to monitor for remote attempts to change the network interface of web instances.
Which services and configurations will meet these requirements?
a) Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
b) Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
c) Configure AWS CloudTrail to log all management events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use CloudWatch Logs Insights to define the patterns to look for in the log data.
d) Enable AWS Config to record all configuration changes to the web instances. Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket. Use Amazon Athena to define the patterns to look for in the log data stored in Amazon S3.
06. A company is creating new features for its ecommerce website. These features will be deployed as microservices using different domain names for each service. The company requires the use of HTTPS for all its public-facing websites. The application requires the client's source IP.
Which combination of actions should be taken to accomplish this?
(Select TWO.)
a) Use a Network Load Balancer to distribute traffic to each service.
b) Use an Application Load Balancer to distribute traffic to each service.
c) Configure the application to retrieve client IPs using the X-Forwarded-For header.
d) Configure the application to retrieve client IPs using the X-Forwarded-Host header.
e) Configure the application to retrieve client IPs using the PROXY protocol header.
07. A company’s internal security team receives a request to allow Amazon S3 access from inside the corporate network. All external traffic must be explicitly allowed through the corporate firewalls.
How can the security team grant this access?
a) Schedule a script to download the Amazon S3 IP prefixes from AWS developer forum announcements. Update the firewall rules accordingly.
b) Schedule a script to download and parse the Amazon S3 IP prefixes from the ip-ranges.json file. Update the firewall rules accordingly.
c) Schedule a script to perform a DNS lookup on Amazon S3 endpoints. Update the firewall rules accordingly.
d) Connect the data center to a VPC using AWS Direct Connect. Create routes that forward traffic from the data center to an Amazon S3 VPC endpoint.
08. A network engineer needs to limit access to the company's Amazon S3 bucket to specific source networks. What should the network engineer do to accomplish this?
a) Create an ACL on the S3 bucket, limiting access to the CIDR blocks of the specified networks.
b) Create a bucket policy on the S3 bucket, limiting access to the CIDR blocks of the specified networks using a condition statement.
c) Create a security group allowing inbound access to the CIDR blocks of the specified networks and apply the security group to the S3 bucket.
d) Create a security group allowing inbound access to the CIDR blocks of the specified networks, create a S3 VPC endpoint, and apply the security group to the VPC endpoint.
09. A company’s on-premises network has an IP address range of 11.11.0.0/16. Only IPs within this network range can be used for inter-server communication. The IP address range 11.11.253.0/24 has been allocated for the cloud.
A network engineer needs to design a VPC on AWS. The servers within the VPC should be able to communicate with hosts both on the internet and on-premises through a VPN connection.
Which combination of configuration steps meet these requirements?
(Select TWO.)
a) Set up the VPC with an IP address range of 11.11.253.0/24.
b) Set up the VPC with an RFC 1918 private IP address range (for example, 10.10.10.0/24). Set up a NAT gateway to do translation between 10.10.10.0/24 and 11.11.253.0/24 for all outbound traffic.
c) Set up a VPN connection between a virtual private gateway and an on-premises router. Set the virtual private gateway as the default gateway for all traffic. Configure the on-premises router to forward traffic to the internet.
d) Set up a VPN connection between a virtual private gateway and an on-premises router. Set the virtual private gateway as the default gateway for traffic destined to 11.11.0.0/24. Add a VPC subnet route to point the default gateway to an internet gateway for internet traffic.
e) Set up the VPC with an RFC 1918 private IP address range (for example, 10.10.10.0/24). Set the virtual private gateway to do a source IP translation of all outbound packets to 11.11.0.0/16.
10. A network engineer needs to design a solution for an application running on an Amazon EC2 instance to connect to a publicly accessible Amazon RDS Multi-AZ DB instance in a different VPC and Region. Security requirements mandate that the traffic not traverse the internet.
Which configuration will ensure that the instances communicate privately without routing traffic over the internet?
a) Create a peering connection between the VPCs and update the routing tables to route traffic between the VPCs. Enable DNS resolution support for the VPC peering connection. Configure the application to connect to the DNS endpoint of the DB instance.
b) Create a gateway endpoint to the DB instance. Update the routing tables in the application VPC to route traffic to the gateway endpoint.
c) Configure a transit VPC to route traffic between the VPCs privately. Configure the application to connect to the DNS endpoint of the DB instance.
d) Create a NAT gateway in the same subnet as the EC2 instances. Update the routing tables in the application VPC to route traffic through the NAT gateway to the DNS endpoint of the DB instance.