Which solution meets these requirements with the MOST operational efficiency?
Create an IP access control group rule with the list of public addresses from the branch offices. Associate the IP access control group with the WorkSpaces directory.
Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public addresses from the branch office locations. Associate the web ACL with the WorkSpaces directory.
Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines deployed in the branch office locations. Enable restricted access on the WorkSpaces directory.
Create a custom WorkSpace image with Windows Firewall configured to restrict access to the public addresses of the branch offices. Use the image to deploy the WorkSpaces.
Explanations:
An IP access control group is an allow-list of IPv4 CIDR ranges that WorkSpaces evaluates against the public source address of the connecting client when the user authenticates. Listing the branch offices' public egress addresses and associating the group with the WorkSpaces directory enforces the corporate policy for every WorkSpace in that directory, with no change to the WorkSpace images or to the endpoints. When the new branch office opens, authorizing one more rule in the existing group is the only change required, which is why this option is the most operationally efficient. Two practical caveats: the branch offices need stable public egress addresses (users behind a changing NAT address or on a home connection will be denied), and the rules are IPv4 only.
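The following is an added example that is not part of the original question page. It shows the housekeeping a practitioner would do around the correct option: validate each branch's egress CIDRs (rejecting IPv6, RFC 1918 and other non-routable ranges, and anything broader than a policy-defined prefix so a stray 0.0.0.0/0 cannot hollow out the allow-list), collapse adjacent or nested ranges into the fewest rules, and emit the `aws workspaces` CLI commands that create the group, associate it with the directory, and later authorize the new branch's rules. It makes no AWS calls; the branch names and CIDRs (IANA documentation ranges), the group and directory IDs, and the per-group rule limit are all constructed or assumed.

```python
"""Plan WorkSpaces IP access control group changes from a branch-office inventory.

Added example for this explanation; not part of the original question page and
makes no AWS calls. Branch names, CIDRs, group/directory IDs, and the per-group
rule limit are constructed or assumed values.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed inventory (IANA documentation ranges stand in for real office egress IPs).
BRANCHES: Dict[str, List[str]] = {
    "london": ["203.0.113.0/25"],
    "madrid": ["198.51.100.10/32", "198.51.100.11/32"],  # adjacent /32s collapse to a /31
}
NEW_BRANCH: Dict[str, List[str]] = {
    "oslo": ["192.0.2.0/26", "192.0.2.32/27"],  # the /27 lies inside the /26 and is dropped
}

MAX_RULES_PER_GROUP = 10  # assumed per-group quota; confirm against the WorkSpaces quotas page
MIN_PREFIXLEN = 24        # local policy: refuse anything broader than a /24 (catches 0.0.0.0/0)

# Ranges that can never be a branch office's public egress address.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if it is a usable IPv4 allow-list entry, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 203.0.113.1/24
    if net.version != 4:
        raise ValueError(f"{cidr}: IP access control groups accept IPv4 rules only")
    if net.prefixlen < MIN_PREFIXLEN:
        raise ValueError(f"{cidr}: broader than /{MIN_PREFIXLEN}; this would gut the allow-list")
    if any(net.overlaps(r) for r in _NON_PUBLIC):
        raise ValueError(f"{cidr}: not a public address range")
    return net


def is_acceptable(cidr: str) -> bool:
    """Boolean form of validate_cidr for quick checks."""
    try:
        validate_cidr(cidr)
        return True
    except ValueError:
        return False


def build_rules(branches: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Turn the inventory into IpRuleItem dicts, one per collapsed network, sorted by branch."""
    rules: List[Dict[str, str]] = []
    for name in sorted(branches):
        nets = ipaddress.collapse_addresses(validate_cidr(c) for c in branches[name])
        rules.extend({"ipRule": str(n), "ruleDesc": name} for n in nets)
    if len(rules) > MAX_RULES_PER_GROUP:
        raise ValueError(f"{len(rules)} rules exceed the per-group limit of {MAX_RULES_PER_GROUP}")
    return rules


def shorthand(rules: Iterable[Dict[str, str]]) -> str:
    """Render rules in the CLI's --user-rules shorthand syntax."""
    return " ".join(f"ipRule={r['ipRule']},ruleDesc={r['ruleDesc']}" for r in rules)


def initial_commands(group_name: str, directory_id: str, rules: List[Dict[str, str]]) -> List[str]:
    """Create the group and bind it to the directory; the group ID comes back from the first call."""
    return [
        f"aws workspaces create-ip-group --group-name {group_name} --user-rules {shorthand(rules)}",
        f"aws workspaces associate-ip-groups --directory-id {directory_id} "
        f"--group-ids <GroupId returned by create-ip-group>",
    ]


def add_branch_command(group_id: str, existing: List[Dict[str, str]],
                       new_branch: Dict[str, List[str]]) -> str:
    """Onboarding a branch is one authorize-ip-rules call; re-check the combined rule count first."""
    new_rules = build_rules(new_branch)
    if len(existing) + len(new_rules) > MAX_RULES_PER_GROUP:
        raise ValueError("group is full; create a second group and associate it with the directory")
    return f"aws workspaces authorize-ip-rules --group-id {group_id} --user-rules {shorthand(new_rules)}"


if __name__ == "__main__":
    base = build_rules(BRANCHES)
    for cmd in initial_commands("corp-branch-egress", "d-0123456789", base):  # constructed directory ID
        print(cmd)
    print(add_branch_command("wsipg-0123456789", base, NEW_BRANCH))  # constructed group ID
```

Run it once to get the bootstrap commands, then keep the inventory file under change control: onboarding a branch becomes a reviewed edit plus a single `authorize-ip-rules` call, and `revoke-ip-rules` handles the reverse. The minimum prefix length is the check most worth keeping; an allow-list with one overly broad entry is indistinguishable from no allow-list.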
AWS WAF web ACLs protect HTTP(S) endpoints such as CloudFront distributions, Application Load Balancers and API Gateway stages; they cannot be associated with a WorkSpaces directory, and AWS Firewall Manager only centralizes the management of WAF, Shield and security group policies across accounts. WorkSpaces client access is controlled at the directory level, so this option cannot enforce the requirement and adds a service that does not apply.
Restricting WorkSpaces access to trusted devices relies on client certificates chained to a root CA certificate that you import into the directory; it answers "is this a managed device?", not "where is this user connecting from?". A trusted laptop carried out of a branch office would still connect from an unauthorized location, so this option does not satisfy the policy. AWS Certificate Manager issues certificates for AWS-integrated services rather than enrolling end-user devices, which makes the option misfit on that count as well.
Baking Windows Firewall rules into a custom WorkSpace image is the least operationally efficient choice: every change in branch egress addresses or every new branch means rebuilding the image and redeploying or rebuilding the WorkSpaces, and WorkSpaces already running on the old image keep the stale rules. It also does not work as intended, because the WorkSpace itself sees streaming sessions arriving from the WorkSpaces gateways, not from the user's branch office address, so a host firewall on the WorkSpace cannot key on the client's public IP. Location-based access control has to be applied where the client address is visible, at the directory.