Free Amazon ANS-C01 Exam Questions

Question 1

A company runs workloads in multiple VPCs. The company needs to securely access a workload in one of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up an AWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamic routing for the connection, and communication works properly. Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner created workloads that use the additional CIDR range. The company's on-premises network is unable to reach the new workloads. The network engineer needs to resolve the network connectivity issue and ensure that connectivity will not be affected if additional VPC CIDR ranges are added to the VPC in the future. Which solution will meet these requirements with the MOST operational efficiency?

A : Configure route propagation for VPC-A to the VPN attachment route table.

B : Manually update the VPN attachment route table to include the new CIDR range.

C : Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule to matches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table.

D : Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table. Restart the VPN tunnels.

Answer: A

Question 2

A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. Which solution will meet these requirements?

A : Develop a script that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the script on an Amazon EC2 instance in each account. Use a cron job to run the script every 5 minutes. Log the results of the checks to an Amazon RDS for MySQL database.

B : Create an AWS Lambda function that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the Lambda function to each account by using AWS Serverless Application Model (AWS SAM) templates. Store the results of the checks on an Amazon OpenSearch Service cluster in each account.

C : Enable Amazon GuardDuty. Create an Amazon EventBridge rule for the Behavior:EC2/NATGatewayCreation GuardDuty finding type. Configure the rule to invoke an AWS Step Functions state machine to send an email alert and terminate a NAT gateway if a NAT gateway is detected. Store the runtime log as a text file in an Amazon S3 bucket.

D : Create a custom AWS Config rule that checks for NAT gateways in an AWS account. Configure the AWS Config rule to perform an AWS Systems Manager Automation remediation action to send an email alert and terminate the NAT gateway if a NAT gateway is detected. Deploy the AWS Config rule and the Systems Manager runbooks to each account by using AWS CloudFormation StackSets

Answer: D

Question 3

A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud(EC2) instance in its new VPC, what are the associated charges?

A : company pays Internet Data Out charges.

B : company pays AWS Direct Connect Data Out charges.

C : department pays Internet Data Out charges.

D : department pays AWS Direct Connect Data Out charges.

Answer: D

Question 4

A company wants to implement a distributed architecture on AWS that uses a Gateway Load Balancer (GWLB) and GWLB endpoints. The company has chosen a hub-and-spoke model. The model includes a GWLB and virtual appliances that are deployed into a centralized appliance VPC and GWLB endpoints. The model also includes internet gateways that are configured in spoke VPCs. Which sequence of traffic flow to the internet from the spoke VPC is correct?

A : 1.An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.2. Traffic is delivered securely and privately to the GWLB.3. The GWLB sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

B : 1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.2. Traffic is delivered securely and privately to the GWLB endpoint.3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

C : 1. An application in a spoke VPC sends traffic to the GWLB endpoint.2. Traffic is delivered securely and privately to the GWLB.3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

D : 1. An application in a spoke VPC sends traffic to the GWLB.2. Traffic is delivered securely and privately to the GWLB endpoint.3. The GWLB sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

Answer: A

Question 5

A company wants to analyze TCP internet traffic. The traffic originates from Amazon EC2 instances in the companys VPC. The EC2 instances initiate connections through a NAT gateway. The company wants to capture data about the traffic including source and destination IP addresses ports, and the first 8 bytes of the TCP segments of the traffic. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

A : Configure the EC2 instances to be VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights

B : Configure the NAT gateway to be a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon S3 bucket. Analyze the data by using Amazon Athena.

C : Turn on VPC Flow Logs for the EC2 instances. Specify the default format and set Amazon CloudWatch Logs as the log destination. Analyze the flow log data by using CloudWatch Logs Insights.

D : Turn on VPC Flow Logs for the EC2 instances. Specify a custom format and set Amazon S3 as the log destination. Analyze the flow log data by using Amazon Athena.

Answer: A