AWS Certified Advanced Networking - Specialty



A company is migrating its record-keeping application to the AWS Cloud, requiring all traffic between its on-premises data center and AWS to be encrypted at all times and across every transit device during the migration.

The application will span multiple Availability Zones within a single AWS Region and will utilize existing 10 Gbps AWS Direct Connect dedicated connections with a MACsec-capable port. A network engineer must ensure the Direct Connect connection is secured at every transit device.

The network engineer has created a Connection Key Name and Connectivity Association Key (CKN/CAK) pair for the MACsec secret key.

Which two additional steps should the network engineer take to meet the requirements?





Explanation:

To ensure that the Direct Connect connection is secured at every transit device with MACsec encryption, the network engineer must take the following steps:

First, configure the on-premises router with the MACsec secret key to enable encryption from the on-premises side. This is covered by option A.

Second, to enforce encryption on the AWS side, the network engineer must update the connection's MACsec encryption mode to 'must_encrypt' and then associate the CKN/CAK pair with the connection. This ensures that encryption is mandatory for the connection, meeting the requirement for encryption at all times.

Therefore, the correct steps are to configure the on-premises router with the MACsec secret key (A) and to update the connection's MACsec encryption mode to 'must_encrypt' before associating the CKN/CAK pair with the connection (D).

Options B and C are incorrect because they suggest updating the encryption mode to 'should_encrypt', which does not enforce encryption as strictly as 'must_encrypt'. Option E is also incorrect for the same reason, and it suggests associating the CKN/CAK pair before updating the encryption mode, which is not the correct sequence.
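To confirm the AWS side actually enforces MACsec once these steps are done, the connection state can be audited. The following is an added example, not part of the original page: it checks a document shaped like the output of `aws directconnect describe-connections`, using the response fields `macSecCapable`, `encryptionMode`, `portEncryptionStatus` and `macSecKeys`. The connection IDs and CKN values in the sample are constructed.

```python
import json

# Constructed sample shaped like `aws directconnect describe-connections` output.
# Connection IDs and CKN values are made up for illustration.
SAMPLE = json.loads("""
{"connections": [
  {"connectionId": "dxcon-example1", "macSecCapable": true,
   "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up",
   "macSecKeys": [{"ckn": "ckn-example-1", "state": "associated"}]},
  {"connectionId": "dxcon-example2", "macSecCapable": true,
   "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down",
   "macSecKeys": [{"ckn": "ckn-example-2", "state": "associated"}]},
  {"connectionId": "dxcon-example3", "macSecCapable": true,
   "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Down",
   "macSecKeys": []}
]}
""")


def audit_connection(conn):
    """Return a list of reasons this connection does not enforce MACsec."""
    findings = []
    if not conn.get("macSecCapable", False):
        findings.append("port is not MACsec capable")
    mode = conn.get("encryptionMode", "no_encrypt")
    if mode != "must_encrypt":
        # should_encrypt keeps the link up even if MACsec negotiation fails,
        # so traffic can fall back to cleartext.
        findings.append(f"encryptionMode is {mode}, not must_encrypt")
    keys = conn.get("macSecKeys") or []
    if not any(k.get("state") == "associated" for k in keys):
        findings.append("no CKN/CAK pair in state 'associated'")
    if conn.get("portEncryptionStatus") != "Encryption Up":
        findings.append("portEncryptionStatus is not 'Encryption Up'")
    return findings


def audit(doc):
    """Map connectionId -> findings for every non-compliant connection."""
    report = {}
    for conn in doc.get("connections", []):
        findings = audit_connection(conn)
        if findings:
            report[conn["connectionId"]] = findings
    return report


if __name__ == "__main__":
    for conn_id, findings in audit(SAMPLE).items():
        print(conn_id, "->", "; ".join(findings))
```
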
