What should a solutions architect do to meet these requirements?
Create an AWS Site-to-Site VPN connection. Configure integration between a VPN and AD DS. Use an Amazon Workspaces client with MFA support enabled to establish a VPN connection.
Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with AD DS. Enable MFA for AD Connector. Use AWS Client VPN to establish a VPN connection.
Create multiple AWS Site-to-Site VPN connections by using AWS VPN CloudHub. Configure integration between AWS VPN CloudHub and AD DS. Use AWS Copilot to establish a VPN connection.
Create an Amazon WorkLink endpoint. Configure integration between Amazon WorkLink and AD DS. Enable MFA in Amazon WorkLink. Use AWS Client VPN to establish a VPN connection.
Explanations:
An AWS Site-to-Site VPN is a network-to-network IPsec tunnel between a customer gateway device and a virtual private gateway or transit gateway. It authenticates the peer device with pre-shared keys or certificates, not individual users, so it has no hook for AD DS authentication or per-user MFA, and it does not give engineers connecting from arbitrary locations a way in. Amazon WorkSpaces is a managed virtual desktop service, not a VPN client; the MFA it supports applies to desktop sign-in, not to establishing a VPN tunnel.
Creating an AWS Client VPN endpoint is the correct choice. Client VPN is a managed, OpenVPN-based service built for individual users connecting from anywhere, and it supports Active Directory authentication through AWS Directory Service (its other options are mutual certificate authentication and SAML-based federation). An AD Connector directory proxies authentication requests to the existing AD DS without copying directory data into AWS, so current accounts and group memberships decide who can connect. MFA is enabled on the directory rather than on the endpoint: AWS Directory Service enforces it through a RADIUS-based MFA server, so that server must exist and be reachable from the AD Connector's subnets. Authorization rules on the endpoint can then be scoped to a specific AD group SID instead of all authenticated users, which satisfies the access-control requirement as well as the VPN and MFA requirements.
AWS VPN CloudHub is a hub-and-spoke arrangement in which several customer gateways (remote offices) connect to one virtual private gateway over Site-to-Site VPN so that the sites can also reach each other. It is still device-to-device IPsec and offers nothing for individual remote users, AD DS integration, or MFA. AWS Copilot is a command-line tool for building and deploying containerized applications on Amazon ECS and AWS App Runner and has no role in VPN connectivity.
Amazon WorkLink gives mobile devices secure access to internal websites and web applications by rendering them through a managed proxy; it is not a VPN and does not give engineers general network access to the VPC. Its identity integration and MFA are handled by a SAML 2.0 identity provider, which can sit in front of AD DS, but they apply only to that browser-based access. The option's final step, using AWS Client VPN, would still require the Client VPN endpoint and directory configuration that the Client VPN option describes, so WorkLink adds nothing toward the requirement.
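The Client VPN option, written out as Terraform for the AWS provider. This is an added example and is not part of the original question; every VPC, subnet, CIDR, domain name, IP address, certificate ARN and group SID is a placeholder, and the RADIUS server standing in for the MFA provider is assumed to already exist on premises. The `aws_directory_service_radius_settings` resource is what "Enable MFA for AD Connector" amounts to in practice.

```hcl
# Added example for the Client VPN option above; not part of the original question.
# Every ID, CIDR, domain name, IP address, ARN and SID below is a placeholder.
locals {
  vpc_id          = "vpc-0123456789abcdef0"
  vpc_cidr        = "10.0.0.0/16"
  subnet_ids      = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # two AZs
  client_cidr     = "10.100.0.0/22" # must not overlap the VPC, on-prem ranges or client LANs
  ad_domain       = "corp.example.com"
  on_prem_dns_ips = ["10.200.0.10", "10.200.0.11"]
  radius_servers  = ["10.200.0.20"]
  engineers_sid   = "S-1-5-21-1111111111-2222222222-3333333333-1105" # AD group "VPN-Engineers"
  server_cert_arn = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
}

variable "ad_connector_password" {
  type      = string
  sensitive = true
}

variable "radius_shared_secret" {
  type      = string
  sensitive = true
}

# 1. AD Connector proxies authentication to the on-premises AD DS; no directory data is copied to AWS.
resource "aws_directory_service_directory" "ad_connector" {
  name     = local.ad_domain
  type     = "ADConnector"
  size     = "Small"
  password = var.ad_connector_password

  connect_settings {
    customer_dns_ips  = local.on_prem_dns_ips
    customer_username = "svc-adconnector" # delegated, least-privilege service account
    subnet_ids        = local.subnet_ids
    vpc_id            = local.vpc_id
  }
}

# 2. MFA for the AD Connector. AWS Directory Service enforces MFA only through a RADIUS server,
#    so the MFA provider must speak RADIUS and be reachable from the connector's subnets.
resource "aws_directory_service_radius_settings" "mfa" {
  directory_id            = aws_directory_service_directory.ad_connector.id
  authentication_protocol = "PAP" # whatever your RADIUS/MFA server is configured for
  display_label           = "MFA code"
  radius_servers          = local.radius_servers
  radius_port             = 1812
  radius_timeout          = 30
  radius_retries          = 3
  shared_secret           = var.radius_shared_secret
  use_same_username       = true
}

resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/clientvpn/engineering"
  retention_in_days = 90
}

# 3. Client VPN endpoint that authenticates users against the AD Connector (AD DS credentials + MFA).
resource "aws_ec2_client_vpn_endpoint" "engineering" {
  server_certificate_arn = local.server_cert_arn
  client_cidr_block      = local.client_cidr
  vpc_id                 = local.vpc_id
  transport_protocol     = "udp"
  split_tunnel           = true # only routes pushed by the endpoint traverse the tunnel

  authentication_options {
    type                = "directory-service-authentication"
    active_directory_id = aws_directory_service_directory.ad_connector.id
  }

  connection_log_options {
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.client_vpn.name
  }
}

# 4. Associate the endpoint with subnets; this creates its network interfaces and the route into the VPC.
resource "aws_ec2_client_vpn_network_association" "subnets" {
  for_each               = toset(local.subnet_ids)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.engineering.id
  subnet_id              = each.value
}

# 5. Authorize only one AD group rather than setting authorize_all_groups = true.
resource "aws_ec2_client_vpn_authorization_rule" "engineers" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.engineering.id
  target_network_cidr    = local.vpc_cidr
  access_group_id        = local.engineers_sid
}
```

Two checks worth making before rolling this out: confirm that the RADIUS server's security group or firewall admits UDP 1812 from the AD Connector's IP addresses, and test a login with a user who is in AD but not in the VPN-Engineers group, which should authenticate but receive no route to the VPC.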