AWS VPC Quiz

1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

A. Create a new peering connection Between Prod and Dev along with appropriate routes.

B. Create a new entry to Prod in the Dev route table using the peering connection as the target.

C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.

D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

2.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

Instance A and instance B are running in two different subnets A and B of a VPC. Instance A is not able to ping instance B. What are two possible reasons for this? (Pick 2 correct answers)

A. The routing table of subnet A has no target route to subnet B

B. The security group attached to instance B does not allow inbound ICMP traffic

C. The policy linked to the IAM role on instance A is not configured correctly

D.The NACL on subnet B does not allow outbound ICMP traffic

3.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

A.The outbound security group needs to be modified to allow outbound traffic

B.The outbound network ACL needs to be modified to allow outbound traffic

C. Nothing, it can be accessed from any IP address using SSH

D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

1. From what services I can block incoming/outgoing IPs?

A. Security Groups

B. DNS

C.ELB

D. VPC subnet

E. NACL

5.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

What is the difference between a security group in VPC and a network ACL in VPC (chose 3 correct answers)

A. Security group restricts access to a Subnet while ACL restricts traffic to EC2

B.Security group restricts access to EC2 while ACL restricts traffic to a subnet

C. Security group can work outside the VPC also while ACL only works within a VPC

D. Network ACL performs stateless filtering and Security group provides stateful filtering

E. Security group can only set Allow rule, while ACL can set Deny rule also

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block

B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block

C. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block

D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

7.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 answers

A. A network ACL that allows communication between the two subnets.

B.Both instances are the same instance class and using the same Key-pair

C.That the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate

D.Security groups are set to allow the application host to talk to the database on the right port/protocol

8.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS, which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which activity would be useful in defending against this attack?

A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (internet Gateway)

B.Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP

C. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP

D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

9.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

Which of the following statements describes network ACLs? (Choose 2 answers)

A. Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (are stateless)

B.Using network ACLs, you can deny access from a specific IP range

C.Keep network ACL rules simple and use a security group to restrict application level access

D. NACLs are associated with a single Availability Zone (associated with Subnet)

10.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

You are designing security inside your VPC. You are considering the options for establishing separate security zones and enforcing network traffic rules across different zone to limit Instances can communications. How would you accomplish these requirements? Choose 2 answers

A.Configure a security group for every zone. Configure a default allow all rule. Configure explicit deny rules for the zones that shouldn’t be able to communicate with one another (Security group does not allow deny rules)

B.Configure you instances to use pre-set IP addresses with an IP address range every security zone. Configure NACL to explicitly allow or deny communication between the different IP address ranges, as required for interzone communication

C. Configure a security group for every zone. Configure allow rules only between zone that need to be able to communicate with one another. Use implicit deny all rule to block any other traffic

D. Configure multiple subnets in your VPC, one for each zone. Configure routing within your VPC in such a way that each subnet only has routes to other subnets with which it needs to communicate, and doesn’t have routes to subnets with which it shouldn’t be able to communicate. (default routes are unmodifiable)

Create a free account and access millions of resources

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Other