AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company exchanges personally identifiable information (PII) with an AWS workload that runs in a private VPC. The company currently uses a single 10 Gbps dedicated AWS Direct Connect private virtual interface that terminates on its on-premises core router. New regulatory requirements mandate that all PII in transit across the hybrid link must be encrypted. The solution must preserve at least 8 Gbps of throughput, add as little operational overhead as possible, and avoid any application-level changes.
Which approach meets these requirements?
Configure an AWS Site-to-Site VPN connection with two IPsec tunnels over the Direct Connect link and route all traffic through the VPN.
Implement TLS encryption at the application layer for every service that exchanges PII over the Direct Connect link.
Order a second 10 Gbps dedicated Direct Connect at a different location and enable BGP MD5 authentication on both connections.
Enable MAC Security (MACsec) on the existing 10 Gbps dedicated Direct Connect port and configure matching MACsec parameters on the on-premises router.
MAC Security (MACsec) is a native option for 10 Gbps, 100 Gbps, and 400 Gbps dedicated Direct Connect ports. When enabled on the existing 10 Gbps connection and configured on the on-premises router, MACsec provides IEEE 802.1AE layer-2 encryption for all traffic between the data center and the Direct Connect location. Because encryption happens in hardware on the link, there is no reduction in available bandwidth or increase in latency, and no additional tunnels or devices to manage.
Using Site-to-Site VPN over Direct Connect would require multiple IPsec tunnels (each limited to 1.25 Gbps) to reach 8 Gbps, adding complexity and management overhead. Encrypting at the application layer with TLS would force code and configuration changes across every workload and still leave unmanaged protocols unprotected. Adding a second Direct Connect and relying on BGP MD5 only authenticates the BGP session; it does not encrypt user data, so the compliance requirement is not satisfied.
Therefore, enabling MACsec on the existing dedicated Direct Connect link is the simplest solution that satisfies both the encryption and performance requirements.
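A practitioner who picks MACsec still has to prove to the regulator that the link is actually encrypting, not merely capable of it. The following check is an added example written for this page, not code from Crucial Exams or AWS. It evaluates a connection record shaped like the output of boto3's directconnect describe_connections call (fields macSecCapable, portEncryptionStatus, encryptionMode and macSecKeys) against the question's two requirements, encryption of all traffic and at least 8 Gbps. The two connection records are constructed samples with placeholder identifiers, so the script runs offline without calling AWS; the helper names bandwidth_gbps, macsec_findings and is_compliant are this example's own.

```python
"""Compliance check over a Direct Connect connection record.

Added example (not from the original page): confirms that a dedicated
connection carries MACsec encryption in must_encrypt mode with a live
key association, rather than just being MACsec capable. The dicts below
are constructed samples shaped like boto3 describe_connections() output;
no API call is made and the identifiers are placeholders.
"""
from __future__ import annotations

import re

# Constructed sample: state after MACsec is enabled on the port and a
# CKN/CAK pair has been associated. All identifiers are placeholders.
SAMPLE_COMPLIANT = {
    "connectionId": "dxcon-EXAMPLE1",
    "connectionName": "dc1-core-to-aws",
    "connectionState": "available",
    "bandwidth": "10Gbps",
    "macSecCapable": True,
    "portEncryptionStatus": "Encryption Up",
    "encryptionMode": "must_encrypt",
    "macSecKeys": [
        {
            "secretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:PLACEHOLDER",
            "ckn": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
            "state": "associated",
            "startOn": "2024-01-01T00:00:00Z",
        },
    ],
}

# Constructed sample of the pre-change state: a capable port whose link is
# still in the clear, so PII crosses the wire unencrypted.
SAMPLE_UNENCRYPTED = {
    "connectionId": "dxcon-EXAMPLE2",
    "connectionName": "dc1-core-to-aws-legacy",
    "connectionState": "available",
    "bandwidth": "10Gbps",
    "macSecCapable": True,
    "portEncryptionStatus": "Encryption Down",
    "encryptionMode": "no_encrypt",
    "macSecKeys": [],
}


def bandwidth_gbps(bandwidth: str) -> float:
    """Parse Direct Connect bandwidth strings such as '10Gbps' or '500Mbps'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([GM])bps", bandwidth)
    if not m:
        raise ValueError(f"unrecognised bandwidth string: {bandwidth!r}")
    value, unit = float(m.group(1)), m.group(2)
    return value if unit == "G" else value / 1000


def macsec_findings(conn: dict, min_gbps: float = 8.0) -> list[str]:
    """Return the reasons a connection fails the encryption/throughput requirement.

    An empty list means the link encrypts all traffic (must_encrypt with a live
    MACsec session and an associated key) and has at least min_gbps of capacity.
    """
    findings: list[str] = []
    if conn.get("connectionState") != "available":
        findings.append(f"connection state is {conn.get('connectionState')!r}, not 'available'")
    if not conn.get("macSecCapable"):
        findings.append("port is not MACsec capable (only 10/100/400 Gbps dedicated ports are)")
    # should_encrypt may carry traffic unencrypted if the peer does not negotiate
    # MACsec; only must_encrypt guarantees no clear-text PII on the link.
    if conn.get("encryptionMode") != "must_encrypt":
        findings.append(f"encryptionMode is {conn.get('encryptionMode')!r}, require 'must_encrypt'")
    if conn.get("portEncryptionStatus") != "Encryption Up":
        findings.append(f"portEncryptionStatus is {conn.get('portEncryptionStatus')!r}")
    if not any(k.get("state") == "associated" for k in conn.get("macSecKeys", [])):
        findings.append("no MACsec key (CKN/CAK) in 'associated' state")
    if bandwidth_gbps(conn.get("bandwidth", "0Gbps")) < min_gbps:
        findings.append(f"bandwidth {conn.get('bandwidth')} is below {min_gbps} Gbps")
    return findings


def is_compliant(conn: dict, min_gbps: float = 8.0) -> bool:
    """True when the connection meets both the encryption and throughput requirements."""
    return not macsec_findings(conn, min_gbps)


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_UNENCRYPTED):
        problems = macsec_findings(sample)
        print(f"{sample['connectionId']}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print(f"  - {p}")
```

In a real audit the records would come from describe_connections for every dedicated connection in the account, and the check would run on a schedule so that a key disassociation or a fallback to no_encrypt is caught rather than discovered at the next review.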
Design Solutions for Organizational Complexity