AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 109
A company is moving its record-keeping application to the AWS Cloud. All traffic between the company's on-premises data center and AWS must be encrypted at all times and at every transit device during the migration.
The application will reside across multiple Availability Zones in a single AWS Region. The application will use existing 10 Gbps AWS Direct Connect dedicated connections with a MACsec-capable port. A network engineer must ensure that the Direct Connect connection is secured accordingly at every transit device.
The network engineer creates a Connection Key Name and Connectivity Association Key (CKN/CAK) pair for the MACsec secret key.
Which combination of additional steps should the network engineer take to meet the requirements? (Choose two.)
Answer options
- A. Configure the on-premises router with the MACsec secret key.
- B. Update the connection's MACsec encryption mode to must_encrypt. Then associate the CKN/CAK pair with the connection.
- C. Update the connection's MACsec encryption mode to should_encrypt. Then associate the CKN/CAK pair with the connection.
- D. Associate the CKN/CAK pair with the connection. Then update the connection's MACsec encryption mode to must_encrypt.
- E. Associate the CKN/CAK pair with the connection. Then update the connection's MACsec encryption mode to should_encrypt.
Correct answer: A, D
Explanation
The correct steps are to configure the on-premises router with the MACsec secret key (Option A) and to associate the CKN/CAK pair with the connection before updating the connection's MACsec encryption mode to must_encrypt (Option D). Options B and C update the encryption mode before the key pair is associated, which does not match the required order of operations. Options C and E select should_encrypt rather than must_encrypt, which does not provide the encryption assurance this scenario requires.