AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 229
A company is planning to host a secure web application across multiple Amazon EC2 instances. The application will have an associated DNS domain in an Amazon Route 53 hosted zone.
The company wants to protect the domain from DNS poisoning attacks. The company also wants to allow web browsers to authenticate into the application by using a trusted third party.
Which combination of actions will meet these requirements?
Answer options
- A. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install self-signed X.509 certificates on the EC2 instances.
- B. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
- C. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
- D. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install self-signed X.509 certificates on the EC2 instances.
Correct answer: C
Explanation
The correct answer is C. DNS Security Extensions (DNSSEC) protects the domain against DNS poisoning, and X.509 certificates signed by a public certificate authority give web browsers a trusted third party to authenticate the application against. Option A uses DNSSEC but installs self-signed certificates, and browser trust requires a public CA. Option B uses publicly signed certificates but configures a NAPTR record instead of DNSSEC, which leaves the domain vulnerable to DNS poisoning. Option D fails on both counts: it lacks DNSSEC and uses self-signed certificates, which do not provide browser trust.