Topic 1 Question 160
(Choose three.)
An ecommerce company needs to implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company's new policy requires data authentication and data integrity verification for all queries to the company’s domain names. The current Route 53 architecture has four public hosted zones.
A network engineer needs to implement DNS Security Extensions (DNSSEC) signing and validation on the hosted zones. The solution must include an alert capability.
Which combination of steps will meet these requirements?
A. Enable DNSSEC signing for Route 53. Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
B. Enable DNSSEC signing for Route 53. Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
C. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record for each subdomain.
D. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record to the parent zone.
E. Set up an Amazon CloudWatch alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.
F. Set up an AWS CloudTrail alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.
Comments (2)
- Choices believed correct: ADE 👍 3 Neo00 2023/07/25
- Choices believed correct: ADE
Option B: While it is true that DNSSEC uses zone-signing keys (ZSKs) in addition to KSKs, AWS Key Management Service (KMS) is not involved in creating ZSKs for DNSSEC in Route 53.
Option C: Delegation Signer (DS) records are used to establish a chain of trust from a parent zone to a child zone, not between subdomains within a zone.
👍 2 Certified101 2023/08/03