AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 69

An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.
What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

Answer options

• A. Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.
• B. Provision a private virtual interface for each VPC connection.
• C. Enable VPC Flow Logs for each VPC.
• D. Use AWS KMS to encrypt traffic between on-premises and AWS.
• E. Provision a VPN connection to each VPC over the internet.

Correct answer: B, E

Explanation

Option B is correct because a private virtual interface allows for secure communication directly with the VPC over AWS Direct Connect, meeting the encryption requirement. Option E is also correct as it involves creating a VPN connection over the internet, which, while not as secure as Direct Connect, still provides encryption. Options A, C, and D do not fully satisfy the requirements as they either involve public interfaces or do not address the central logging requirement adequately.