A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The
application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the
bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?
You have two VPCs that you have peered. You created a route in VPC A to reach an instance in VPC B. You are unable to ping
the instance. You have double-checked your security groups and NACLs.
Why might this be?
Routing over a peering connection must be configured in both directions. VPC B's route table also needs a route back to VPC
A's CIDR via the peering connection; otherwise the ICMP echo reply has no path back. The same applies to the return traffic of
any other protocol, not just ICMP.
Which is not a valid Route 53 record type?
BFD stands for Bidirectional Forwarding Detection, a link-failure detection protocol used alongside BGP; it has nothing to do
with Route 53.
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company
recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP
address, target IP address, target port, and user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?
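ALB access logs record exactly the fields the question asks for (client:port, target:port, the request line and the user agent) as one space-delimited line per request with quoted fields, so whichever solution is chosen, the analysis step ends up parsing that format. The parser below is an added example and is not part of the original question set or of any AWS tooling; the three log lines are constructed, not captured traffic, and the field positions follow the documented ALB access log layout. The target field is "-" when the ALB answered without forwarding (for example a WAF block), which the parser has to tolerate.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample ALB access log lines (not captured from a real system), laid out
# in the documented ALB access log field order. Quoted fields can contain spaces,
# which is why a naive split() on whitespace is the wrong tool.
SAMPLE_LOG = """\
https 2023-05-01T12:00:01.123456Z app/web-alb/50dc6c495c0c9188 203.0.113.10:54321 10.0.1.25:8080 0.001 0.012 0.000 200 200 512 1024 "GET https://shop.example.com:443/login HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/112.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-6450a3b1-1a2b3c4d5e6f70718293a4b5" "shop.example.com" "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 0 2023-05-01T12:00:01.110000Z "forward" "-" "-" "10.0.1.25:8080" "200" "-" "-"
https 2023-05-01T12:00:02.654321Z app/web-alb/50dc6c495c0c9188 198.51.100.7:44444 10.0.2.31:8080 0.000 0.004 0.000 401 401 300 120 "POST https://shop.example.com:443/api/login HTTP/1.1" "python-requests/2.31.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-6450a3b2-2b3c4d5e6f708192a3b4c5d6" "shop.example.com" "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 0 2023-05-01T12:00:02.640000Z "forward" "-" "-" "10.0.2.31:8080" "401" "-" "-"
https 2023-05-01T12:00:03.000000Z app/web-alb/50dc6c495c0c9188 198.51.100.7:44445 - 0.000 -1 -1 403 - 300 0 "POST https://shop.example.com:443/api/login HTTP/1.1" "python-requests/2.31.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-6450a3b3-3c4d5e6f708192a3b4c5d6e7" "shop.example.com" "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 0 2023-05-01T12:00:02.990000Z "waf" "-" "-" "-" "-" "-" "-"
"""


@dataclass(frozen=True)
class AccessRecord:
    time: str
    client_ip: str
    client_port: int
    target_ip: Optional[str]    # None when the ALB answered without forwarding
    target_port: Optional[int]
    elb_status: int
    request: str                # "METHOD URL PROTOCOL" as logged
    user_agent: str


def split_hostport(field: str) -> Tuple[Optional[str], Optional[int]]:
    # The target field is "-" when no target was chosen (WAF block, fixed response, ...).
    if field == "-":
        return None, None
    host, _, port = field.rpartition(":")
    return host, int(port)


def parse_alb_line(line: str) -> AccessRecord:
    # shlex honours the double-quoted fields (request, user agent, trace id, ...).
    # Positions: 1 time, 3 client:port, 4 target:port, 8 elb_status_code,
    # 12 request, 13 user_agent.
    fields = shlex.split(line)
    client_ip, client_port = split_hostport(fields[3])
    target_ip, target_port = split_hostport(fields[4])
    return AccessRecord(
        time=fields[1],
        client_ip=client_ip,
        client_port=client_port,
        target_ip=target_ip,
        target_port=target_port,
        elb_status=int(fields[8]),
        request=fields[12],
        user_agent=fields[13],
    )


def parse_alb_log(text: str) -> List[AccessRecord]:
    return [parse_alb_line(line) for line in text.splitlines() if line.strip()]


def failed_logins_by_client(records: List[AccessRecord], path: str = "/login") -> Dict[str, int]:
    """Count 401/403 responses per client IP for requests whose URL contains `path`.
    This is the kind of pivot an incident responder runs first on the logs."""
    counts: Dict[str, int] = {}
    for r in records:
        url = r.request.split(" ")[1] if " " in r.request else r.request
        if path in url and r.elb_status in (401, 403):
            counts[r.client_ip] = counts.get(r.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_alb_log(SAMPLE_LOG)
    for r in recs:
        print(r.time, r.client_ip, r.target_ip, r.target_port, r.elb_status, r.user_agent)
    print("failed logins per client:", failed_logins_by_client(recs))
```

In practice the records come from the gzip-compressed objects the ALB writes to the configured S3 bucket; the same parser applies line by line.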
A multinational organization has applications deployed in three different AWS Regions. These applications must securely
communicate with each other by VPN. According to the organization's security team, the VPN must meet the following
requirements:
AES 128-bit encryption
User access via SSL VPN
PFS using DH Group 2
Ability to maintain/rotate keys and passwords
Certificate-based authentication
Which solution should you recommend so that the organization meets the requirements?
Your company has decided to use Amazon WorkSpaces for its hosted desktop solution. Your company has an existing AD of
about 57,000 users, and you want to minimize authentication traffic from AWS to your datacenter. Your company has a lot of
personnel changes, and it is crucial that these changes are reflected reliably. What two steps should you take? (Choose two.)
A VPN alone is not reliable enough, and an AD Connector proxies every authentication request back to the on-premises domain
controllers, which would generate too much authentication traffic.
Which other AWS service is used to track 'Related Events' within the Configuration Item?
'Related Events' displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI.
A new CI is created for every change made against a resource, so each CI carries a different CloudTrail event ID. This lets you
deep-dive into who or what made the change that triggered the CI, and when. It is a useful feature for analysis, particularly
when the change affects security resources.
You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 with AS path
65000 65000, Site B is VPN 10.1.0.252/30 with AS path 65000, Site C is DX 10.0.0.0/8 with AS path 65000 and Site D is DX
10.0.0.0/16 with AS path 65000 65000 65000. Which site will AWS choose to reach your network?
Site B: the most specific prefix always wins. Longest-prefix match is evaluated before the preference for Direct Connect over
VPN and before AS_PATH length, so for a destination inside 10.1.0.252/30 the /30 learned over the VPN beats the /8 learned
over Direct Connect and the /24 with the prepended AS_PATH.
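To make the selection order concrete, the following added example (not from the original page) encodes the four advertisements as data and applies longest-prefix match, then Direct Connect over VPN, then shortest AS_PATH. It also reports which rule decided, and shows that for destinations outside the /30 a different site wins, and that a Direct Connect route beats a VPN route with the same prefix even when its AS_PATH is longer. The three-step order is the AWS route priority for propagated BGP routes; it is assumed here that no static routes or local-preference communities are in play.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AdvertisedRoute:
    site: str
    prefix: str                 # CIDR advertised to AWS from this site
    link: str                   # "dx" (Direct Connect) or "vpn" (Site-to-Site VPN)
    as_path: Tuple[int, ...]    # AS_PATH as received by AWS, prepends included


# The four advertisements from the question, transcribed as data.
SITES: List[AdvertisedRoute] = [
    AdvertisedRoute("A", "10.1.0.0/24", "vpn", (65000, 65000)),
    AdvertisedRoute("B", "10.1.0.252/30", "vpn", (65000,)),
    AdvertisedRoute("C", "10.0.0.0/8", "dx", (65000,)),
    AdvertisedRoute("D", "10.0.0.0/16", "dx", (65000, 65000, 65000)),
]


def _preference(route: AdvertisedRoute) -> Tuple[int, int, int]:
    # Higher tuple sorts better: longest prefix, then Direct Connect over VPN,
    # then the shortest AS_PATH. This is the order the explanation relies on and
    # is the documented AWS route priority for propagated BGP routes.
    return (
        ipaddress.ip_network(route.prefix).prefixlen,
        1 if route.link == "dx" else 0,
        -len(route.as_path),
    )


def matching_routes(destination: str, routes: List[AdvertisedRoute]) -> List[AdvertisedRoute]:
    """All advertisements covering the destination, best first."""
    dest = ipaddress.ip_address(destination)
    covering = (r for r in routes if dest in ipaddress.ip_network(r.prefix))
    return sorted(covering, key=_preference, reverse=True)


def select_route(destination: str, routes: List[AdvertisedRoute]) -> Optional[AdvertisedRoute]:
    matches = matching_routes(destination, routes)
    return matches[0] if matches else None


def deciding_rule(destination: str, routes: List[AdvertisedRoute]) -> str:
    """Name the first rule that separates the winner from the runner-up."""
    matches = matching_routes(destination, routes)
    if not matches:
        return "no route"
    if len(matches) == 1:
        return "only match"
    best, runner_up = _preference(matches[0]), _preference(matches[1])
    if best[0] != runner_up[0]:
        return "longest prefix"
    if best[1] != runner_up[1]:
        return "Direct Connect preferred over VPN"
    if best[2] != runner_up[2]:
        return "shortest AS_PATH"
    return "tie"


if __name__ == "__main__":
    for dst in ("10.1.0.253", "10.1.0.10", "10.0.5.5", "10.2.0.1", "192.0.2.1"):
        chosen = select_route(dst, SITES)
        if chosen is None:
            print(dst, "-> no route")
        else:
            print(dst, "->", chosen.site, chosen.link, chosen.prefix, "|", deciding_rule(dst, SITES))
```

The point worth remembering from the output is that "Site B" is only the answer for addresses inside 10.1.0.252/30; a host at 10.1.0.10 is reached via Site A's /24, and a host at 10.0.5.5 via Site D's /16 despite its three-hop AS_PATH.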
Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to
ensure the site is as secure as possible. What two items could you recommend?
AWS WAF on the CloudFront distribution, and a restricted bucket policy that only allows access from CloudFront (for example via
an origin access identity). AWS WAF cannot be attached to a Classic Load Balancer, and an NACL that blocks all ports would
also block access to the load balancer.
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive
configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to
control which link is active.
What two configuration changes should you implement? (Choose two.)
Bidirectional Forwarding Detection (BFD) detects a failed link in milliseconds instead of waiting for the BGP hold timer to
expire, so it allows for faster failover. AS_PATH prepending on the passive link makes AWS prefer the shorter path, so it lets
you control which link is active. BGP is already implemented on Direct Connect, and MPLS does not matter here.
Your customer's internal security teams receive requests to allow Amazon S3 access from inside the corporate network. All
external traffic must be explicitly whitelisted through your corporate firewalls.
How can your security team grant this access?
ip-ranges.json contains the current list of IP address ranges used by AWS and is the authoritative source for the firewall
whitelist; because the file changes, the whitelist has to be refreshed from it rather than copied once. AWS no longer posts IP
prefixes in forum announcements. DNS lookups would not provide an exhaustive list of possible IP prefixes. Option D would
require transitive routing, which is not possible.
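As an added example that is not part of the original page, the script below shows how a security team would consume ip-ranges.json: filter on service and Region (the same CIDR also appears under the umbrella "AMAZON" service, which would inflate the whitelist), compute what to add to and remove from the existing firewall rules, and detect a new publication via the syncToken field. The JSON excerpt is constructed to match the file's schema and the prefixes in it are illustrative; only a freshly downloaded copy of https://ip-ranges.amazonaws.com/ip-ranges.json should drive real firewall changes.

```python
import ipaddress
import json
from typing import List, Set, Tuple

# Constructed excerpt shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are illustrative only; a real whitelist must be built from the
# freshly downloaded file, never from a copy embedded in a script like this one.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1684000000",
    "createDate": "2023-05-13-12-00-00",
    "prefixes": [
        {"ip_prefix": "52.92.128.0/17", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
        {"ip_prefix": "52.92.128.0/17", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
        {"ip_prefix": "3.5.76.0/22", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
        {"ip_prefix": "52.216.0.0/15", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "54.240.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1fa0:4000::/40", "region": "us-west-2", "service": "S3", "network_border_group": "us-west-2"},
    ],
})


def load_ip_ranges(text: str) -> dict:
    """Parse the downloaded file body (kept separate so callers can swap in urllib/requests)."""
    return json.loads(text)


def service_prefixes(doc: dict, service: str, region: str) -> Tuple[List[str], List[str]]:
    """Return (ipv4, ipv6) CIDR lists for one service in one Region, de-duplicated and sorted.
    Filtering on the exact service name keeps the "AMAZON" umbrella entries out of the whitelist."""
    v4 = {p["ip_prefix"] for p in doc["prefixes"]
          if p["service"] == service and p["region"] == region}
    v6 = {p["ipv6_prefix"] for p in doc["ipv6_prefixes"]
          if p["service"] == service and p["region"] == region}
    return (sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network))


def prefix_changes(current_rules: Set[str], wanted: List[str]) -> Tuple[Set[str], Set[str]]:
    """(to_add, to_remove) so the firewall rule set matches the wanted list exactly.
    Removing stale prefixes matters: ranges AWS has given up are no longer AWS."""
    wanted_set = set(wanted)
    return wanted_set - current_rules, current_rules - wanted_set


def needs_refresh(last_seen_token: str, doc: dict) -> bool:
    # syncToken changes whenever AWS publishes a new file; running the diff on
    # every token change is what keeps the whitelist from silently going stale.
    return doc["syncToken"] != last_seen_token


if __name__ == "__main__":
    doc = load_ip_ranges(SAMPLE_IP_RANGES)
    v4, v6 = service_prefixes(doc, "S3", "us-west-2")
    # Constructed current firewall state: one valid S3 prefix plus one stale entry.
    add, remove = prefix_changes({"52.92.128.0/17", "198.51.100.0/24"}, v4)
    print("S3 us-west-2 IPv4:", v4, "IPv6:", v6)
    print("firewall: add", sorted(add), "remove", sorted(remove))
    print("new publication since token 1683000000:", needs_refresh("1683000000", doc))
```

The diff-based approach, rather than appending whatever is new, is what keeps the firewall from accumulating ranges that AWS has since released to other uses.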
What is NOT a benefit of CloudFront?
Distributing traffic to EC2 instances is the job of Elastic Load Balancing, not CloudFront.
A network engineer has configured a private hosted zone using Amazon Route 53. The engineer needs to configure health
checks for record sets within the zone that are associated with instances.
How can the engineer meet the requirements?
Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?
All answers except Answer D are correct. Answer D is incorrect because AWS does support jumbo frames on all instance types in
the T2 family, including t2.micro.
You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security
groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the
instances. What should be enabled to complete this task?