AWS Certified Advanced Networking – Specialty ANS-C00 – Question 378

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?

A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only.
B. Use AWS Key Management Service (AWS KMS) to encrypt session keys.
C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS).
D. Change the ALB security policy to a policy that supports forward secrecy (FS).