AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 6

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

Answer options

• A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
• B. Set up AWS WAF on all network components.
• C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
• D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
• E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
• F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct answer: D, E, F

Explanation

The correct options, D, E, and F, ensure encryption, traffic inspection, and DDoS protection. AWS Direct Connect with MACsec provides secure connectivity, Gateway Load Balancers allow for effective traffic inspection with third-party firewalls, and AWS Shield Advanced offers comprehensive protection against DDoS attacks. Options A, B, and C do not directly address the full scope of security and compliance required for this scenario.