Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 7 discussion

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

  • A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
  • B. Set up AWS WAF on all network components.
  • C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
  • D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
  • E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
  • F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Suggested Answer: BDF

Comments

study_aws1
Highly Voted 1 year, 6 months ago
D) - All data to and from the on-premises environment must be encrypted in transit. (Use AWS Direct Connect with MACsec support for connectivity to the cloud.)
E) - All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment (Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.)
F) - The architecture also must provide protection against financial liability for services that scale out during a DDoS event. (Configure AWS Shield Advanced and ensure that it is configured on all public assets)
upvoted 18 times
zendevloper
10 months, 1 week ago
Correct: B E F. Shield Advanced requires WAF (to protect against DDoS). https://docs.aws.amazon.com/waf/latest/developerguide/waf-api-using.html
upvoted 1 times
zendevloper
10 months, 1 week ago
Here is a more relevant link https://docs.aws.amazon.com/waf/latest/developerguide/ddos-event-mitigation-logic-adv-web-app.html
upvoted 1 times
seochan
4 months, 1 week ago
F is a definite answer. The architecture also must provide protection against financial liability for services that scale out during a DDoS event. With Shield Advanced, AWS provides AWS credits to cover the costs incurred by DDoS attacks (e.g., costs caused by auto scaling groups). https://docs.aws.amazon.com/waf/latest/developerguide/ddos-request-service-credit.html
upvoted 1 times
Untamables
Highly Voted 1 year, 5 months ago
Selected Answer: DEF
D https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html
E https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html
F https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary.html
upvoted 9 times
Akivox
Most Recent 5 days, 13 hours ago
Selected Answer: DEF
D: All traffic must be encrypted in transit, need to use Direct Connect with MACsec.
E: For inspection of traffic before it is allowed to leave the cloud and travel to the on-prem, need to use GWLB with third-party firewall for inspection.
F: For DDoS event, AWS Shield Advanced must be used.
upvoted 1 times
Raphaello
5 months, 2 weeks ago
Selected Answer: DEF
DEF are the correct answers.
D >> DX connection with MACsec to provide required encryption.
E >> GWLB to provide inspection of the flow.
F >> Shield Advanced to provide DDoS protection and cover for scale-out expenses if they happen.
upvoted 2 times
tromyunpak
6 months ago
F is needed to protect from DDoS attacks.
E is needed to inspect the traffic before leaving the cloud.
D is needed to encrypt the Direct Connect connection.
upvoted 2 times
patanjali
6 months, 2 weeks ago
Correct answer is DEF. B is not correct because you can associate WAF rules with ALB only and not all network components of VPC.
upvoted 2 times
JoellaLi
5 months, 2 weeks ago
Yes. WAF can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
upvoted 1 times
vikasj1in
7 months, 1 week ago
Selected Answer: BEF
The other options are not directly related to the specified security requirements:
A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances: Traffic Mirroring is useful for capturing and analyzing network traffic but may not be directly related to inline inspection or DDoS protection.
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses: While Lambda functions can automate certain tasks, using them to create Deny rules in security groups might not provide the same level of comprehensive protection as dedicated security services like AWS WAF and AWS Shield Advanced.
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud: AWS Direct Connect with MACsec provides secure connectivity but does not directly address the requirements for traffic inspection or DDoS protection in this context.
upvoted 1 times
Marfee400704
7 months, 1 week ago
I think that the correct answer is DEF according to SPOTO products.
upvoted 1 times
marfee
7 months, 2 weeks ago
I think that the correct answer is B & D & F.
upvoted 1 times
yanhiro
9 months, 1 week ago
I can confirm that DEF is the correct answer. AWS WAF doesn't answer the requirement of having financial protection against costs induced by DDoS attacks. Also, Shield Advanced doesn't require AWS WAF and can be activated on its own.
upvoted 1 times
MEDES
12 months ago
D) - All data to and from the on-premises environment must be encrypted in transit. (Use AWS Direct Connect with MACsec support for connectivity to the cloud.)
E) - All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment (Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.)
F) - The architecture also must provide protection against financial liability for services that scale out during a DDoS event. (Configure AWS Shield Advanced and ensure that it is configured on all public assets)
upvoted 2 times
Simili
1 year ago
D) AWS Direct Connect with MACsec support for connectivity to the cloud. >> all the data to and from the on-premises environment must be encrypted in transit.
E) Gateway Load Balancers to insert third-party firewalls for inline traffic inspection. >> all the traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment
F) Configure AWS Shield Advanced and ensure that it is configured on all public assets. >> The architecture also must provide protection against financial liability for services that scale out during a DDoS event
upvoted 1 times
Mishranihal737
1 year, 1 month ago
Yes DEF is correct.
upvoted 1 times
PhilMultiCloud
1 year, 1 month ago
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud. MACsec (Media Access Control Security) provides encryption in transit over the network for the Direct Connect link between the on-premises environment and AWS, ensuring that all data is encrypted as required.
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection. AWS Gateway Load Balancer makes it easy to deploy, scale, and manage third-party virtual network appliances. Using Gateway Load Balancer, you can easily insert, scale, and manage firewalls in the path of internet traffic for inspection purposes.
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets. AWS Shield Advanced provides advanced DDoS (Distributed Denial of Service) protection. It not only defends your application against DDoS attacks but also provides cost protection, which can protect your business from additional charges incurred during a DDoS attack.
Therefore, the answers are D, E, and F.
upvoted 1 times
demoras
1 year, 3 months ago
Question: The question doesn't say anything about direct connect being used. Why are we still preferring MACsec option?
upvoted 1 times
RVD
1 year, 4 months ago
Selected Answer: DEF
ANS: DEF. DX now supports MACsec for encryption, GWLB with third-party for network inspection, Advanced Shield for DDoS as WAF cannot protect.
upvoted 1 times
emmanuelodenyire
1 year, 4 months ago
Selected Answer: BEF
To meet all the requirements mentioned in the question, the most probable and relevant solution would be to choose options B, E, and F.
upvoted 2 times