AWS Certified Solutions Architect - Associate / Question #1969 of 1019

Question #1969

A solutions architect must establish a secure hybrid connection between an organization's on-premises data center and its AWS VPC. The solution must encrypt all traffic at both the network layer and the session layer, while implementing granular security controls to restrict unauthorized access between on-premises systems and AWS resources. Which solution meets these requirements?

A

Implement IAM policies to restrict AWS Management Console access to specific on-premises IP addresses. Enforce least-privilege access using IAM roles and policies.

B

Deploy AWS Direct Connect to establish a dedicated network connection to the VPC. Use VPC route tables to permit or deny traffic between AWS and on-premises systems.

C

Configure an AWS Site-to-Site VPN connection to the VPC. Update route tables to direct on-premises traffic to the VPC. Apply security groups and network ACLs to allow only necessary traffic from on-premises.

D

Use AWS Transit Gateway to interconnect the VPC and on-premises network. Configure route tables for traffic routing. Enforce security groups and network ACLs to restrict access to required on-premises traffic.

Explanation

Option C is correct. An AWS Site-to-Site VPN connection consists of two IPsec tunnels between the customer gateway device on premises and the virtual private gateway (or a Transit Gateway VPN attachment) on the AWS side, so every packet that crosses the hybrid link is encrypted at the network layer, and any TLS sessions the applications already use are carried inside the tunnel, so session-layer encryption is preserved end to end. Pointing the on-premises prefixes at the virtual private gateway in the VPC route tables makes the VPN the only path between the two networks. Security groups (stateful, allow-only, applied to the instance's ENI) and network ACLs (stateless, numbered allow/deny entries, applied to the subnet) then restrict which on-premises CIDRs may reach which ports and protocols, which is the granular control the question asks for.

Other options fail as follows:
- A: IAM policies authorize calls to the AWS API and the Management Console. They neither encrypt network traffic nor filter it, so they cannot meet either requirement.
- B: Direct Connect is a private circuit, not an encrypted one. Traffic on it is cleartext unless MACsec is enabled on a supported dedicated connection or an IPsec VPN is run over it, and option B mentions neither. Route tables only select a path; they do not permit or deny traffic.
- D: Transit Gateway is a regional router that interconnects VPCs and on-premises attachments. By itself it encrypts nothing: traffic is protected only when the on-premises attachment is a Site-to-Site VPN (IPsec) or a Direct Connect link with its own encryption, and option D names no such attachment. Security groups and network ACLs are VPC features, not Transit Gateway features. D therefore adds a hub the question does not call for without guaranteeing the encryption requirement, whereas C states the encrypting component explicitly.

Key Points:
1. Site-to-Site VPN provides network-layer encryption with IPsec; application-level TLS runs unchanged inside the tunnel.
2. Security groups are stateful and allow-only; network ACLs are stateless and ordered (lowest rule number wins, implicit deny at the end) and need outbound entries for reply traffic to the client's ephemeral ports. Use both to limit on-premises access to the required CIDRs and ports.
3. Transit Gateway and Direct Connect change topology and bandwidth, not encryption; neither satisfies the requirement unless an IPsec VPN (or MACsec) is part of the design.
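The security-group and network-ACL layering in option C is easy to get wrong in practice because the two constructs evaluate differently: a network ACL is stateless and ordered (the lowest-numbered matching entry wins, with an implicit deny at the end) and needs an outbound entry for the reply traffic to the client's ephemeral ports, while a security group is stateful and allow-only. The following Python is an added example, not code from the original question or from AWS; it models those semantics for a single TCP flow from an on-premises client and evaluates constructed rule sets. The CIDRs 10.10.0.0/16 and 10.10.5.0/24, the rule numbers, ports and client addresses are all made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclEntry:
    rule_number: int   # evaluated in ascending order; first match wins
    protocol: str      # "tcp", "udp", or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str      # security group rules are allow-only
    cidr: str
    port_from: int
    port_to: int


def _matches(protocol, cidr, port_from, port_to, flow_proto, addr, port):
    """True if a rule's protocol, CIDR and port range cover the flow."""
    if protocol != "-1" and protocol != flow_proto:
        return False
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(cidr):
        return False
    return port_from <= port <= port_to


def nacl_decision(entries, flow_proto, addr, port):
    """Network ACLs are stateless and ordered: the lowest-numbered matching
    entry decides, and the implicit '*' entry denies anything unmatched."""
    for e in sorted(entries, key=lambda entry: entry.rule_number):
        if _matches(e.protocol, e.cidr, e.port_from, e.port_to,
                    flow_proto, addr, port):
            return e.action
    return "deny"


def sg_allows(rules, flow_proto, addr, port):
    """Security groups are stateful and allow-only: any matching rule admits
    the request and its reply, so no reverse rule is needed."""
    return any(_matches(r.protocol, r.cidr, r.port_from, r.port_to,
                        flow_proto, addr, port) for r in rules)


def flow_admitted(inbound_nacl, outbound_nacl, sg_inbound,
                  src_ip, dst_port, reply_port, proto="tcp"):
    """Decide whether an on-premises client at src_ip can reach dst_port on an
    instance and get the reply back on its ephemeral reply_port.

    The order mirrors the VPC data path: subnet NACL inbound on the request,
    the instance's security group on the request, then (because the NACL is
    stateless) subnet NACL outbound on the reply packet."""
    if nacl_decision(inbound_nacl, proto, src_ip, dst_port) != "allow":
        return False, "inbound NACL denies request"
    if not sg_allows(sg_inbound, proto, src_ip, dst_port):
        return False, "security group has no matching allow rule"
    if nacl_decision(outbound_nacl, proto, src_ip, reply_port) != "allow":
        return False, "outbound NACL denies reply to ephemeral port"
    return True, "admitted"


# Constructed rule sets for the example (hypothetical CIDRs and ports).
ON_PREM = "10.10.0.0/16"       # prefix advertised from the data center over the VPN
BASTION_NET = "10.10.5.0/24"   # admin subnet on premises allowed to SSH

INBOUND_NACL = [
    NaclEntry(100, "tcp", ON_PREM, 443, 443, "allow"),
    NaclEntry(110, "tcp", BASTION_NET, 22, 22, "allow"),
    NaclEntry(120, "tcp", ON_PREM, 8080, 8080, "allow"),  # stale entry; SG never opens 8080
]
OUTBOUND_NACL = [
    NaclEntry(100, "tcp", ON_PREM, 1024, 65535, "allow"),  # replies to client ephemeral ports
]
SG_INBOUND = [
    SgRule("tcp", ON_PREM, 443, 443),
    SgRule("tcp", BASTION_NET, 22, 22),
]

if __name__ == "__main__":
    cases = [("10.10.7.20", 443), ("10.10.7.20", 22), ("10.10.5.9", 22),
             ("10.10.7.20", 8080), ("192.168.1.1", 443)]
    for src, port in cases:
        print(src, port, flow_admitted(INBOUND_NACL, OUTBOUND_NACL, SG_INBOUND,
                                       src, port, 50000))
    # Same request with the outbound ephemeral-port entry removed: the stateless
    # NACL now drops the server's reply even though the request was allowed.
    print("no outbound entry:",
          flow_admitted(INBOUND_NACL, [], SG_INBOUND, "10.10.7.20", 443, 50000))
```

The 8080 case shows why both layers matter: a stale NACL allow is harmless as long as the security group does not open the port, and the last case shows the reply-path failure that stateless NACLs produce when the outbound ephemeral-port entry is missing. When building the real rules, scope them to the on-premises prefix advertised over the VPN rather than 0.0.0.0/0, otherwise the "only necessary traffic" requirement in option C is not actually enforced.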

Answer

The correct answer is: C