exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 115 discussion

A company is moving its record-keeping application to the AWS Cloud. All traffic between the company's on-premises data center and AWS must be encrypted at all times and at every transit device during the migration.

The application will reside across multiple Availability Zones in a single AWS Region. The application will use existing 10 Gbps AWS Direct Connect dedicated connections with a MACsec capable port. A network engineer must ensure that the Direct Connect connection is secured accordingly at every transit device.

The network engineer creates a Connection Key Name and Connectivity Association Key (CKN/CAK) pair for the MACsec secret key.

Which combination of additional steps should the network engineer take to meet the requirements? (Choose two.)

  • A. Configure the on-premises router with the MACsec secret key.
  • B. Update the connection's MACsec encryption mode to must_encrypt. Then associate the CKN/CAK pair with the connection.
  • C. Update the connection's MACsec encryption mode to should encrypt. Then associate the CKN/CAK pair with the connection.
  • D. Associate the CKN/CAK pair with the connection. Then update the connection's MACsec encryption mode to must_encrypt.
  • E. Associate the CKN/CAK pair with the connection. Then update the connection’s MACsec encryption mode to should_encrypt.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
lygf
Highly Voted 1 year, 5 months ago
Selected Answer: AD
According to AWS, you need to do the following 4 steps in order. 1. Create a new connection with MACsec support 2. Associate the CKN/CAK with the connection 3. Verify the connection status 4. Migrate traffic to new connection as appropriate When you first create the DX connection, the default encryption mode is should encrypt. You need to update it to must encrypt in step 3. There's no way to specify that during the creation of DX. https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/
upvoted 12 times
...
woorkim
Most Recent 5 days, 14 hours ago
Selected Answer: AD
https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/
upvoted 1 times
...
JoellaLi
8 months, 2 weeks ago
You cannot modify a MACsec secret key after you associate it with a connection. If you need to modify the key, disassociate the key from the connection, and then associate a new key with the connection. https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/
upvoted 2 times
arturogomezb
5 months, 2 weeks ago
But you can change the encryption mode https://docs.aws.amazon.com/directconnect/latest/UserGuide/updateconnection.html
upvoted 2 times
...
...
MohamedSherif1
1 year, 3 months ago
Selected Answer: AD
The default value for the encryption mode is “should_encrypt”, and this can be changed using the new DirectConnect API UpdateConnection.
upvoted 1 times
...
norimune
1 year, 5 months ago
Selected Answer: AB
Update the MACsec encryption mode before binding.
upvoted 3 times
Spaurito
1 month ago
Agree, the key was created. You then have to update the mode and associate the key.
upvoted 1 times
...
...
Balasmaniam
1 year, 6 months ago
Selected Answer: AD
docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-mac-sec-getting-started.html
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago