AWS Certified Solutions Architect - Associate / Question #1351

Question #1351

A company needs to provide its employees with secure access to confidential research data stored on an on-premises Linux NFS server. The company wants to ensure that the data can be accessed only by authorized users and must be securely downloaded to employees’ devices. Due to an increase in remote collaboration, the NFS server is running out of capacity.

Which solution will meet these requirements?

A

Migrate the NFS server to an Amazon EC2 instance in a public subnet. Configure the security group to allow inbound traffic only from the company’s IP range.

B

Migrate the data to an Amazon EFS file system. Integrate Amazon EFS with the on-premises Active Directory using AWS Directory Service. Configure AWS Client VPN for secure access.

C

Migrate the data to Amazon S3, create a private VPC endpoint, and generate presigned URLs for downloads.

D

Migrate the data to Amazon S3, create a public VPC endpoint, and authenticate users via AWS IAM Identity Center (AWS Single Sign-On).

Explanation

The correct answer is B. Here's why:

- Option B: Amazon EFS is a managed, elastic NFS file system, so it removes the capacity ceiling of the on-premises server while keeping the NFS access model the Linux clients already use. Joining the clients to the existing Active Directory through AWS Directory Service (AD Connector or AWS Managed Microsoft AD) lets employees keep their corporate identities; the file system itself enforces POSIX permissions and, when clients mount with IAM authorization, an EFS file system policy. AWS Client VPN gives remote devices an authenticated, TLS-encrypted path into the VPC. Note that the VPN covers only the device-to-VPC leg: to encrypt the NFS traffic between the client and the mount target as well, mount with TLS (efs-utils `-o tls`).

- Option A: Hosting the NFS server on an EC2 instance in a public subnet exposes the NFS port to the internet, and a source-IP restriction in a security group is a weak control for confidential data (remote employees are not on the corporate IP range anyway). It also does not solve the capacity problem: a single self-managed instance does not grow on its own, its EBS volumes have to be resized by hand, and it remains a single point of failure.

- Option C: Amazon S3 is object storage, not an NFS file system, so the existing NFS clients and workflows would have to change. A gateway or interface VPC endpoint is reachable only from inside the VPC (or over a VPN or Direct Connect link), so on its own it gives remote employees no access path. Presigned URLs are bearer credentials: anyone who obtains the URL can download the object until it expires, so they are not a substitute for per-user authentication and authorization.

- Option D: There is no such thing as a public VPC endpoint; VPC endpoints are private by design, so the option describes a construct that does not exist. S3 is still not NFS-compatible, and IAM Identity Center authenticates users to the AWS console, CLI and integrated applications rather than to file downloads. It can in fact federate with on-premises AD through AD Connector, so AD integration is not what disqualifies this option.

Key Points:
1. Use Amazon EFS for scalable, managed NFS storage, with encryption at rest enabled.
2. Keep user identities in the existing Active Directory via AWS Directory Service; authorization on the file system is enforced by POSIX permissions and, for IAM-authenticated mounts, an EFS file system policy.
3. Use AWS Client VPN for authenticated remote access; it encrypts the device-to-VPC leg, and TLS on the EFS mount covers the NFS traffic inside the VPC.
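As an added example (not part of the original question or its explanation), here is the EFS file system policy a practitioner would attach to the file system in option B, together with a deliberately small evaluator that models the IAM decision for this policy shape: an explicit deny for any request that did not use TLS (`aws:SecureTransport` is false), an allow for `elasticfilesystem:ClientMount` limited to a named role, and an implicit deny for everyone else. The account ID, file system ID and role name are placeholders, and the evaluator is a simplified model of IAM logic, not AWS's engine. The policy is only evaluated against a caller's identity when the client mounts with IAM authorization, e.g. `mount -t efs -o tls,iam <file-system-id> /mnt/research` using efs-utils.

```python
"""Added example: an Amazon EFS file system policy for the EFS + Client VPN design.

Not taken from the original question. The account ID, file system ID and
role name below are placeholders (assumptions). The evaluator is a minimal
model of IAM decision logic for this policy shape only, not a general engine.
"""
import json

# Placeholders, not real resources.
FILE_SYSTEM_ARN = (
    "arn:aws:elasticfilesystem:us-east-1:111122223333:"
    "file-system/fs-0123456789abcdef0"
)
RESEARCH_ROLE_ARN = "arn:aws:iam::111122223333:role/ResearchDataReaders"
MOUNT = "elasticfilesystem:ClientMount"   # read-only mount
WRITE = "elasticfilesystem:ClientWrite"   # write access, deliberately not granted


def build_efs_file_system_policy(file_system_arn, allowed_principal_arns):
    """Allow read-only mounts for named principals; deny anything over plaintext NFS."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowNamedRolesReadOnlyMount",
                "Effect": "Allow",
                "Principal": {"AWS": list(allowed_principal_arns)},
                "Action": [MOUNT],
                "Resource": file_system_arn,
            },
            {
                # aws:SecureTransport is false when the client mounted without TLS.
                "Sid": "DenyUnencryptedMounts",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": file_system_arn,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, principal_arn, action, secure_transport):
    """True if the statement applies to this request (principal, action, TLS condition)."""
    principals = _as_list(stmt["Principal"]["AWS"])
    if "*" not in principals and principal_arn not in principals:
        return False
    actions = _as_list(stmt["Action"])
    if "*" not in actions and action not in actions:
        return False
    bool_conditions = stmt.get("Condition", {}).get("Bool", {})
    if "aws:SecureTransport" in bool_conditions:
        wanted = bool_conditions["aws:SecureTransport"] == "true"
        if secure_transport != wanted:
            return False
    return True


def evaluate(policy, principal_arn, action, secure_transport):
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit Deny.

    principal_arn=None models an anonymous (non-IAM) mount, which only '*' matches.
    """
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, principal_arn, action, secure_transport):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def policy_json(policy):
    """Serialised form to pass to `aws efs put-file-system-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_efs_file_system_policy(FILE_SYSTEM_ARN, [RESEARCH_ROLE_ARN])
    print(policy_json(policy))
    for who, action, tls in [
        (RESEARCH_ROLE_ARN, MOUNT, True),    # authorised role over TLS
        (RESEARCH_ROLE_ARN, MOUNT, False),   # same role, plaintext NFS
        (RESEARCH_ROLE_ARN, WRITE, True),    # authorised role asking for write
        ("arn:aws:iam::111122223333:role/Contractor", MOUNT, True),
        (None, MOUNT, True),                 # anonymous mount
    ]:
        print(who, action, "tls" if tls else "plain", "->",
              evaluate(policy, who, action, tls))
```

The two statements divide the work: the allow statement is the authorization control (only the research role, and only read-only mount), and the deny statement is the transport control (no plaintext NFS from anyone, including the authorised role). Running the script shows that the authorised role over TLS is the only combination that is allowed; a write request, a different role, an anonymous mount, or a mount without TLS is all denied.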

Answer

The correct answer is: B