AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 265

A network engineer is using AWS Direct Connect connections and MACsec to encrypt data from a corporate data center to the Direct Connect location. The network engineer learns that the MACsec secret key might have been compromised. The network engineer needs to update the connection with an uncompromised secure key.

Which solution will meet this requirement?

Answer options

• A. Create a new MACsec secret key that uses an AWS Key Management Service (AWS KMS) AWS managed key. Associate the new pre-shared key, Connection Key Name (CKN), and Connectivity Association Key (CAK) with the connection.
• B. Create a new MACsec secret key that uses an AWS Key Management Service (AWS KMS) customer managed key. Associate the new pre-shared key, Connection Key Name (CKN), and Connectivity Association Key (CAK) with the connection.
• C. Modify the existing MACsec secret key. Re-associate the existing pre-shared key, Connection Key Name (CKN), and Connectivity Association Key (CAK) with the connection.
• D. Modify the existing MACsec secret key. Associate the new pre-shared key, Connection Key Name (CKN), and Connectivity Association Key (CAK) with the connection.

Correct answer: B

Explanation

To configure MACsec for AWS Direct Connect, the secret containing the Connection Key Name (CKN) and Connectivity Association Key (CAK) must be stored in AWS Secrets Manager and encrypted using an AWS KMS customer managed key, as AWS managed keys are not supported for this service. Because the previous key is compromised, a brand-new secret key must be generated rather than modifying the compromised one to ensure security integrity. Therefore, creating a new secret key with a customer managed key and associating it with the connection is the correct procedure.