
ANS-C01: Enforcing End-to-End Encryption for AWS Migration over Direct Connect using MACsec

Learn how to securely encrypt traffic between on-premises and AWS at every hop during migration by configuring MACsec encryption on the Direct Connect port and router with the correct key and mode.


Question

A company is moving its record-keeping application to the AWS Cloud. All traffic between the company’s on-premises data center and AWS must be encrypted at all times and at every transit device during the migration.

The application will reside across multiple Availability Zones in a single AWS Region. The application will use existing 10 Gbps AWS Direct Connect dedicated connections with a MACsec capable port. A network engineer must ensure that the Direct Connect connection is secured accordingly at every transit device.

The network engineer creates a Connection Key Name and Connectivity Association Key (CKN/CAK) pair for the MACsec secret key.

Which combination of additional steps should the network engineer take to meet the requirements? (Choose two.)

A. Configure the on-premises router with the MACsec secret key.
B. Update the connection’s MACsec encryption mode to must_encrypt. Then associate the CKN/CAK pair with the connection.
C. Update the connection’s MACsec encryption mode to should_encrypt. Then associate the CKN/CAK pair with the connection.
D. Associate the CKN/CAK pair with the connection. Then update the connection’s MACsec encryption mode to must_encrypt.
E. Associate the CKN/CAK pair with the connection. Then update the connection’s MACsec encryption mode to should_encrypt.

Answer

A. Configure the on-premises router with the MACsec secret key.
D. Associate the CKN/CAK pair with the connection. Then update the connection’s MACsec encryption mode to must_encrypt.

Explanation

These steps fully meet the requirements:

A – Configures the on-premises router with the MACsec key, encrypting traffic at that transit point.

D – Associating the key pair before setting the encryption mode to must_encrypt ensures encryption is enforced at every transit point between the locations.

Options B, C and E do not explicitly configure the on-premises router, leaving a transit point unencrypted.

The combination of A and D is necessary to ensure encryption is applied at every transit device: the on-premises router and the Direct Connect connection are both configured, and the connection uses the strongest encryption setting.
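The procedure in answer D has an order dependency: the CKN/CAK pair is associated first, and only then is the connection moved to must_encrypt, because in must_encrypt mode the connection does not pass unencrypted traffic. The following script is an added example, not part of the original question or of AWS documentation. It builds the ordered AWS CLI steps and runs a pre-check and a post-check over the shape of a `describe-connections` response. The two responses embedded below are constructed samples (the connection ID, CKN and secret ARN are placeholders, not real values); in practice you would feed it the output of `aws directconnect describe-connections` or `boto3.client("directconnect").describe_connections()`.

```python
"""Ordered MACsec rollout checks for a Direct Connect dedicated connection.

Added example for the question above; the sample responses are constructed
to mirror the fields of DescribeConnections (macSecCapable, encryptionMode,
portEncryptionStatus, macSecKeys[].state) and are not captured from AWS.
"""

# Constructed sample: port is MACsec capable, the CKN/CAK pair has finished
# associating, but the mode has not yet been raised to must_encrypt.
KEY_ASSOCIATED = {
    "connectionId": "dxcon-EXAMPLE",          # placeholder, not a real ID
    "macSecCapable": True,
    "encryptionMode": "should_encrypt",
    "portEncryptionStatus": "Encryption Up",
    "macSecKeys": [
        {"secretARN": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:PLACEHOLDER",
         "ckn": "00" * 32,                    # placeholder CKN, not a real key name
         "state": "associated"}
    ],
}

# Constructed sample: key association is still in progress.
KEY_PENDING = dict(KEY_ASSOCIATED, macSecKeys=[
    dict(KEY_ASSOCIATED["macSecKeys"][0], state="associating")
])

# Constructed sample: final state after step 2 of answer D.
ENFORCED = dict(KEY_ASSOCIATED, encryptionMode="must_encrypt")


def plan_steps(connection_id, ckn, cak):
    """Return the two CLI commands in the order answer D requires:
    associate the CKN/CAK pair, then raise the mode to must_encrypt."""
    return [
        f"aws directconnect associate-mac-sec-key --connection-id {connection_id} "
        f"--ckn {ckn} --cak {cak}",
        f"aws directconnect update-connection --connection-id {connection_id} "
        f"--encryption-mode must_encrypt",
    ]


def pre_check(connection):
    """Problems that must be empty before switching to must_encrypt.
    Raising the mode without an associated key would leave the connection
    unable to pass traffic, since must_encrypt refuses unencrypted frames."""
    problems = []
    if not connection.get("macSecCapable"):
        problems.append("port is not MACsec capable")
    keys = connection.get("macSecKeys", [])
    if not any(k.get("state") == "associated" for k in keys):
        problems.append("no CKN/CAK pair in 'associated' state")
    return problems


def encryption_enforced(connection):
    """Post-check: the connection enforces MACsec and the port reports it up.
    Both conditions are needed; must_encrypt with 'Encryption Down' means the
    on-premises router (option A) is not yet configured with the same key."""
    return (connection.get("encryptionMode") == "must_encrypt"
            and connection.get("portEncryptionStatus") == "Encryption Up")


if __name__ == "__main__":
    for cmd in plan_steps("dxcon-EXAMPLE", "00" * 32, "<CAK-FROM-SECRETS-MANAGER>"):
        print(cmd)
    print("pre-check (pending key):   ", pre_check(KEY_PENDING))
    print("pre-check (associated key):", pre_check(KEY_ASSOCIATED))
    print("enforced before mode change:", encryption_enforced(KEY_ASSOCIATED))
    print("enforced after mode change: ", encryption_enforced(ENFORCED))
```

Run the pre-check after step 1 and wait until it returns an empty list before issuing the update-connection command; run the post-check after step 2 and again after the on-premises router has been configured, since must_encrypt with the port still reporting "Encryption Down" indicates the router side of the pair is missing.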
