ANS-C01 Question #145: Real Exam Question with Answer & Explanation
The correct answer is A: Configure the on-premises router with the MACsec secret key.
Question
A company is moving its record-keeping application to the AWS Cloud. All traffic between the company's on-premises data center and AWS must be encrypted at all times and at every transit device during the migration. The application will reside across multiple Availability Zones in a single AWS Region. The application will use existing 10 Gbps AWS Direct Connect dedicated connections with a MACsec capable port. A network engineer must ensure that the Direct Connect connection is secured accordingly at every transit device. The network engineer creates a Connection Key Name and Connectivity Association Key (CKN/CAK) pair for the MACsec secret key. Which combination of additional steps should the network engineer take to meet the requirements? (Choose two.)
Options
- A. Configure the on-premises router with the MACsec secret key.
- B. Update the connection's MACsec encryption mode to must_encrypt. Then associate the
- C. Update the connection's MACsec encryption mode to should encrypt. Then associate the
- D. Associate the CKN/CAK pair with the connection. Then update the connection's MACsec
- E. Associate the CKN/CAK pair with the connection. Then update the connection's MACsec
Explanation
According to AWS, you need to do the following 4 steps in order:

1. Create a new connection with MACsec support.
2. Associate the CKN/CAK with the connection.
3. Verify the connection status.
4. Migrate traffic to the new connection as appropriate.

When you first create the DX connection, the default encryption mode is should encrypt. You need to update it to must encrypt in step 3. There's no way to specify that during the creation of

https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/
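
The status check in step 3, as an added example (not from the original page or from AWS): a Python gate that reads a connection record shaped like `aws directconnect describe-connections` output and recommends the change to must encrypt only once a CKN/CAK pair is associated and the port reports encryption up. The sample record, its IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws directconnect describe-connections` output.
# The connection ID, CKN and secret ARN are placeholders, not real values.
SAMPLE = json.loads("""
{"connections": [{
  "connectionId": "dxcon-EXAMPLE",
  "connectionState": "available",
  "macSecCapable": true,
  "encryptionMode": "should_encrypt",
  "portEncryptionStatus": "Encryption Up",
  "macSecKeys": [{"secretARN": "arn:aws:secretsmanager:EXAMPLE",
                  "ckn": "PLACEHOLDER_CKN", "state": "associated"}]
}]}
""")


def must_encrypt_blockers(conn):
    """Return the reasons why switching this connection to must_encrypt is unsafe."""
    blockers = []
    if not conn.get("macSecCapable"):
        blockers.append("port is not MACsec capable")
    if conn.get("connectionState") != "available":
        blockers.append("connection is not available")
    keys = conn.get("macSecKeys") or []
    if not any(k.get("state") == "associated" for k in keys):
        blockers.append("no CKN/CAK pair is associated")
    if conn.get("portEncryptionStatus") != "Encryption Up":
        blockers.append("MACsec session is not up; check the on-premises router key")
    return blockers


def next_action(conn):
    """Map the connection status to the next step of the procedure."""
    if conn.get("encryptionMode") == "must_encrypt":
        return "already must_encrypt"
    blockers = must_encrypt_blockers(conn)
    if blockers:
        return "hold: " + "; ".join(blockers)
    return "update encryption mode to must_encrypt"


if __name__ == "__main__":
    for c in SAMPLE["connections"]:
        print(c["connectionId"], "->", next_action(c))
```

A connection that reports "Encryption Down" with an associated key points at the on-premises side, which is why the router must hold the same CKN/CAK before the mode is tightened.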