Which solution meets these requirements with the MOST operational efficiency?
Create an IP access control group rule with the list of public addresses from the branch offices. Associate the IP access control group with the WorkSpaces directory.
Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public addresses from the branch office locations. Associate the web ACL with the WorkSpaces directory.
Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines deployed in the branch office locations. Enable restricted access on the WorkSpaces directory.
Create a custom WorkSpace image with Windows Firewall configured to restrict access to the public addresses of the branch offices. Use the image to deploy the WorkSpaces.
Explanations:
Creating an IP access control group rule lets the company define which public source addresses are permitted to reach its WorkSpaces. By associating the group with the WorkSpaces directory, the company ensures that only connections arriving from the branch offices' public addresses are admitted, which meets the corporate security policy. This is the most operationally efficient option because access is managed centrally, in one place, without changes to the existing infrastructure or to the WorkSpaces themselves.
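The allow-list the correct option describes is a set of CIDR rules attached to the directory, and the practical mistakes are pasting a private office LAN range instead of the branch's public egress address, or a CIDR with host bits set. The following added example (not part of the original question or of any AWS material) validates a branch-office CIDR list, builds it in the shape the WorkSpaces CreateIpGroup API takes, emulates the admit/deny decision for a client source address, and shows the boto3 calls that create and associate the group. The branch ranges are constructed from RFC 5737 documentation space, the directory id is a placeholder, and the per-group rule quota of 10 is an assumption to verify against your account's service quotas.

```python
"""Build and evaluate an Amazon WorkSpaces IP access control group allow-list.

Added example, not code from the original page. Branch CIDRs below are
constructed (RFC 5737 documentation ranges); the directory id is a placeholder.
"""
import ipaddress
from typing import Dict, List

# Ranges that can never be a client's public source address. Listing one of
# them in an IP group is a misconfiguration (typically the office LAN range).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
)]

# Assumption: default WorkSpaces quota for rules per IP access control group;
# verify the value for your account before relying on it.
MAX_RULES_PER_GROUP = 10


def validate_branch_cidrs(cidrs: Dict[str, str]) -> List[dict]:
    """Turn {description: cidr} into the UserRules list CreateIpGroup expects,
    rejecting malformed, IPv6 (assumption: IP groups take IPv4 only) and
    non-public entries so the group only ever contains usable egress addresses."""
    rules = []
    for desc, cidr in cidrs.items():
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        if net.version != 4:
            raise ValueError(f"{desc}: IP access control groups take IPv4 CIDRs only: {cidr}")
        if any(net.subnet_of(bad) for bad in NON_PUBLIC):
            raise ValueError(f"{desc}: {cidr} is not a public range; use the branch's egress address")
        rules.append({"ipRule": str(net), "ruleDesc": desc})
    if len(rules) > MAX_RULES_PER_GROUP:
        raise ValueError(f"{len(rules)} rules exceeds the per-group quota of {MAX_RULES_PER_GROUP}")
    return rules


def client_allowed(client_ip: str, rules: List[dict]) -> bool:
    """Emulate the group's decision: a connection is admitted only if the public
    source address it arrives from falls inside some rule. A branch whose users
    egress through a VPN or proxy with a different public address is denied."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["ipRule"]) for r in rules)


def apply(directory_id: str, group_name: str, rules: List[dict], client=None) -> str:
    """Create the IP group and associate it with the directory via boto3.
    Needs credentials with workspaces:CreateIpGroup and workspaces:AssociateIpGroups;
    `client` may be a pre-built boto3 WorkSpaces client."""
    if client is None:
        import boto3  # real AWS call from here on
        client = boto3.client("workspaces")
    group_id = client.create_ip_group(
        GroupName=group_name,
        GroupDesc="Branch office public egress addresses",
        UserRules=rules,
    )["GroupId"]
    client.associate_ip_groups(DirectoryId=directory_id, GroupIds=[group_id])
    return group_id


# Constructed sample input: documentation ranges stand in for real egress addresses.
BRANCH_EGRESS = {
    "branch-london": "203.0.113.0/24",
    "branch-madrid": "198.51.100.40/32",
}

if __name__ == "__main__":
    rules = validate_branch_cidrs(BRANCH_EGRESS)
    print(rules)
    print(client_allowed("203.0.113.77", rules))   # True: inside the London range
    print(client_allowed("198.51.100.41", rules))  # False: one address past the Madrid /32
    # apply("d-PLACEHOLDER", "branch-offices", rules)  # placeholder directory id; uncomment to run for real
```

Keeping the validation step separate from the API call is deliberate: the same `validate_branch_cidrs` output can be fed to `update_rules_of_ip_group` later when a branch's egress address changes, which is the whole operational-efficiency argument for this option.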
AWS Firewall Manager is used to manage firewall rules across AWS accounts and resources at scale; it is not designed to control access to WorkSpaces directly, and a web ACL is not something that can be associated with a WorkSpaces directory. Using a web ACL with an IPSet would not offer the same operational efficiency and would complicate access control management, since it requires additional configuration and monitoring.
AWS Certificate Manager (ACM) issues certificates for securing communications, not for access control. Trusted device certificates can help ensure that only managed devices connect, but they do not restrict access by IP address or location. Enabling restricted access on the WorkSpaces directory without an appropriate IP-based control therefore does not fulfill the requirement of limiting application access solely to the branch office locations.
Creating a custom WorkSpace image with Windows Firewall configured to allow only the branch offices' public addresses can restrict access, but it is less efficient operationally: every change in access policy requires rebuilding and maintaining the image. It also does not scale to adding new branch offices, since each addition would require further image modifications and redeployments.