Q25 — AWS ANS-C01 Ch.1
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?
- A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only
- B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
- C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS)
- D. Change the ALB security policy to a policy that supports forward secrecy (FS) ✓
Correct Answer: D. Change the ALB security policy to a policy that supports forward secrecy (FS)
Explanation
When protecting encrypted data on Application Load Balancers (ALBs), using a unique random session key is an effective way to strengthen security. To achieve this, the ALB's security policy must support forward secrecy (FS). FS is a cryptographic protocol property that guarantees past sessions remain secure even if the long-term key is compromised, because each session uses its own unique key. Option A changes the ALB security policy to one that supports only TLS 1.2; although TLS 1.2 is secure, it does not by itself guarantee FS. Option B uses AWS KMS to encrypt session keys; this improves key management but does not directly address FS on the ALB. Option C associates an AWS WAF web ACL with the ALBs and creates a rule to enforce FS, but WAF is primarily used to protect web applications from common attacks and does not directly control the ALB's encryption policy. Option D changes the ALB security policy to one that supports FS, which directly satisfies the requirement of protecting encrypted data with a unique random session key. Therefore, D is the correct answer.