A company has recently established an AWS Direct Connect connection from its on-premises data center to AWS. A Network Engineer has blocked all traffic destined for Amazon S3 over the company's gateway to the internet from its on-premises firewall. S3 traffic should only traverse the Direct Connect connection. Currently, no one in the on-premises data center can access Amazon S3.
Which solution will resolve this connectivity issue?
A. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
B. Establish an S3 VPC endpoint for the company's Amazon VPC. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop.
C. Configure a public virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
D. Configure a public virtual interface on the Direct Connect connection. Establish an AWS managed VPN over the connection. Update the on-premises routing tables to choose the VPN connection as the preferred next hop.
A company's Network Engineering team is solely responsible for deploying VPC infrastructure using AWS CloudFormation. The company wants to give its Developers the ability to launch applications using CloudFormation templates so that subnets can be created using available CIDR ranges.
What should be done to meet these requirements?
A. Create a CloudFormation template with Amazon EC2 resources that rely on cfn-init and cfn-signal to inform the stack of available CIDR ranges.
B. Create a CloudFormation template with a custom resource that analyzes traffic activity in VPC Flow Logs and reports on available CIDR ranges.
C. Create a CloudFormation template that references the Fn::Cidr intrinsic function within a subnet resource to select an available CIDR range.
D. Create a CloudFormation template with a custom resource that uses AWS Lambda and Amazon DynamoDB to manage available CIDR ranges.
You have several Amazon Glacier vaults you would like to monitor. How might you monitor those vaults?
A. Create a custom AWS Config rule.
B. Use an AWS master Config rule.
C. Use an AWS managed Config rule.
D. Create a KMS policy and attach it to your Amazon Glacier vault.
Your company is connecting one data center with one router to several VPCs and needs to access them transitively. What should you do?
A. Create a VPN to one VPC and peer the others.
B. This is not possible.
C. Use a transit VPC with a VPN running on one or more EC2 instances to route traffic between the VPCs.
D. Just connect; VPCs are transitive in nature.
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)
A. Remove any rules allowing ::/0 inbound in the security group.
B. Block ::/0 inbound in the NACL.
C. Create an egress-only internet gateway.
D. Block 0.0.0.0/0 inbound in the NACL.
Convert the following IPv4 address, presented in binary form, into dotted decimal form: 10101100.01111011.00001101.10011101.
A. 172.123.13.157
B. 173.13.13.157
C. 172.122.13.15
D. 172.124.13.57
Which statement is NOT true about accessing a remote AWS Region in the US over your AWS Direct Connect connection, which is also located in the US?
A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.
C. If you have a public virtual interface and have established a BGP session to it, your router learns the routes of the other AWS Regions in the US.
D. Any data transfer out of a remote Region is billed at the data transfer rate of your AWS Direct Connect location.
Your company has decided to deploy AWS WorkSpaces for its hosted desktop solution. Your manager is very concerned with security and cost, as well as reliability.
What two things should be deployed? (Choose two.)
A. VPN
B. AWS Hosted AD
C. Direct Connect
D. AD Connector
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.
A. trusted signers
B. optimistic locking
C. integrity validation
D. root credentialing
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.