nerdexam

SAP-C02 Question #140: Real Exam Question with Answer & Explanation

The correct answer is B: Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with AD.

Submitted by ravi_2018 · Mar 6, 2026 · Design for New Solutions

Question

A software development company has multiple engineers who are working remotely. The company is running Active Directory Domain Services (AD DS) on an Amazon EC2 instance. The company's security policy states that all internal, nonpublic services that are deployed in a VPC must be accessible through a VPN. Multi-factor authentication (MFA) must be used for access to a VPN. What should a solution architect do to meet these requirements?

Options

  • A. Create an AWS Site-to-Site VPN connection. Configure integration between a VPN and AD DS.
  • B. Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with AD.
  • C. Create multiple AWS Site-to-Site VPN connections by using AWS VPN CloudHub.
  • D. Create an Amazon WorkLink endpoint. Configure integration between Amazon WorkLink and AD.

Explanation

To provide remote engineers with VPN access to internal VPC services, including MFA, while authenticating against Active Directory running on an EC2 instance, an AWS Client VPN endpoint should be created and configured with an AD Connector directory.

Common mistakes.

  • A. An AWS Site-to-Site VPN connects networks (on-premises datacenter to VPC), not individual remote users, and does not natively provide per-user authentication with MFA for remote access.
  • C. AWS VPN CloudHub is an architecture for connecting multiple on-premises networks or VPCs using multiple Site-to-Site VPN connections. Like Site-to-Site VPN, it is not for individual remote user access with MFA.
  • D. Amazon WorkLink provides secure access to internal web applications from mobile devices without a VPN, but it does not provide general VPN access to all internal, nonpublic services for remote engineers with MFA.

Concept tested. Remote access VPN, AWS Client VPN, Directory Service, MFA

Reference. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html
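
To check a deployment against answer B, the following added example (not part of the original question and not AWS code) audits records shaped like the output of `aws ec2 describe-client-vpn-endpoints` and `aws ds describe-directories`. It assumes MFA is enabled on the AD Connector through RADIUS and reported as `RadiusStatus`; all IDs and sample records are constructed.

```python
# Added example: audit Client VPN endpoints against the policy in the question
# (VPN access must authenticate against AD and require MFA).
# Sample records below are constructed, not taken from a real account.
ENDPOINTS = [
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE1",
     "AuthenticationOptions": [
         {"Type": "directory-service-authentication",
          "ActiveDirectory": {"DirectoryId": "d-EXAMPLE001"}}]},
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE2",   # certificates only
     "AuthenticationOptions": [{"Type": "certificate-authentication"}]},
    {"ClientVpnEndpointId": "cvpn-endpoint-EXAMPLE3",
     "AuthenticationOptions": [
         {"Type": "directory-service-authentication",
          "ActiveDirectory": {"DirectoryId": "d-EXAMPLE002"}}]},
]
DIRECTORIES = [
    {"DirectoryId": "d-EXAMPLE001", "Type": "ADConnector",
     "RadiusStatus": "Completed"},
    {"DirectoryId": "d-EXAMPLE002", "Type": "ADConnector"},  # MFA never enabled
]


def audit_endpoint(endpoint, directories):
    """Return a list of policy findings for one Client VPN endpoint."""
    by_id = {d["DirectoryId"]: d for d in directories}
    ad_opts = [o for o in endpoint.get("AuthenticationOptions", [])
               if o.get("Type") == "directory-service-authentication"]
    if not ad_opts:
        return ["no Active Directory authentication configured"]
    findings = []
    for opt in ad_opts:
        dir_id = opt.get("ActiveDirectory", {}).get("DirectoryId")
        directory = by_id.get(dir_id)
        if directory is None:
            findings.append(f"directory {dir_id} not found")
        elif directory.get("RadiusStatus") != "Completed":
            # Assumption: MFA on the directory is RADIUS-based.
            findings.append(f"MFA (RADIUS) not enabled on {dir_id}")
    return findings


def audit(endpoints, directories):
    """Map endpoint id -> findings; an empty list means compliant."""
    return {e["ClientVpnEndpointId"]: audit_endpoint(e, directories)
            for e in endpoints}


if __name__ == "__main__":
    for endpoint_id, findings in audit(ENDPOINTS, DIRECTORIES).items():
        print(endpoint_id, "OK" if not findings else "; ".join(findings))
```
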
