AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 35
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?
Answer options
- A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only
- B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
- C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS)
- D. Change the ALB security policy to a policy that supports forward secrecy (FS)
Correct answer: D
Explanation
The correct answer is D because forward secrecy negotiates a unique, ephemeral session key for each TLS session, so session keys are not compromised even if the private key is exposed in the future, which strengthens protection of the encrypted data. Option A only changes the protocol version and does not address session key security. Option B focuses on encrypting session keys but does not implement forward secrecy. Option C adds a web ACL, which cannot change the TLS security policy and therefore cannot enforce forward secrecy.