AWS Certified Solutions Architect - Professional / Question #1005 of 529

Question #1005

A company hosts its internal applications in an Amazon VPC and uses Active Directory Domain Services (AD DS) deployed on an EC2 instance. The company's security team mandates that all access to VPC-hosted services must occur through a VPN connection, and multi-factor authentication (MFA) must be enforced for VPN access. As a Solutions Architect, what should you recommend to comply with these requirements?

A

Deploy an AWS Site-to-Site VPN connection. Integrate the VPN with AD DS for authentication. Require engineers to use Amazon AppStream 2.0 with MFA enabled to establish the VPN connection.

B

Set up an AWS Client VPN endpoint. Create an AD Connector directory to integrate with the existing AD DS. Enable MFA on the AD Connector and configure the AWS Client VPN to use it for authentication.

C

Implement an AWS VPN CloudHub architecture with multiple Site-to-Site VPN connections. Integrate the VPN CloudHub with AD DS. Use AWS Directory Service with MFA enabled to authenticate VPN users.

D

Provision an Amazon WorkSpaces gateway. Configure integration between WorkSpaces and AD DS. Enable MFA in Amazon WorkSpaces and require users to connect via the WorkSpaces client to access VPC resources.

Explanation

Option B is correct because AWS Client VPN is designed for user-level VPN access, unlike Site-to-Site VPN (Options A and C), which connects networks, not individual users. AD Connector integrates with the existing AD DS (hosted on EC2) for authentication. MFA can be enforced via AD DS policies, aligning with the security mandate. Options A and C incorrectly use Site-to-Site VPN, which lacks user authentication. Option D uses Amazon WorkSpaces, which focuses on desktop access rather than VPN-based resource access. Client VPN (B) directly addresses the requirement for MFA-authenticated VPN access to VPC services.

Key Points:
- AWS Client VPN supports user authentication via AD Connector.
- MFA enforcement is managed through AD DS integration.
- Site-to-Site VPN does not authenticate individual users.
- WorkSpaces is not a VPN solution for VPC-hosted services.
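The option B design expressed as Terraform, added here as an illustration and not part of the original question bank: the AD Connector points at the EC2-hosted domain controller, MFA on an AD Connector is switched on by giving it a RADIUS-speaking MFA server, and the Client VPN endpoint authenticates users against that directory. All variable names, IDs, CIDRs, addresses and the AD group SID are placeholders.

```hcl
resource "aws_directory_service_directory" "ad_connector" {
  name     = "corp.example.com"            # placeholder: existing AD DS domain
  password = var.ad_bind_password          # placeholder: least-privilege bind account
  size     = "Small"
  type     = "ADConnector"
  connect_settings {
    vpc_id            = var.vpc_id                  # placeholder
    subnet_ids        = var.connector_subnet_ids    # placeholder: two subnets in two AZs
    customer_dns_ips  = ["10.0.1.10"]               # placeholder: EC2 domain controller
    customer_username = "svc-adconnector"           # placeholder
  }
}
# MFA on an AD Connector is a RADIUS setting: the second factor goes to an MFA server that speaks RADIUS.
resource "aws_directory_service_radius_settings" "mfa" {
  directory_id            = aws_directory_service_directory.ad_connector.id
  authentication_protocol = "PAP"
  display_label           = "MFA"
  radius_port             = 1812
  radius_retries          = 2
  radius_servers          = ["10.0.1.20"]             # placeholder: RADIUS MFA server
  radius_timeout          = 10
  shared_secret           = var.radius_shared_secret  # placeholder: keep out of VCS
  use_same_username       = true
}
resource "aws_cloudwatch_log_group" "vpn" {
  name = "/aws/clientvpn/engineers"
}
resource "aws_ec2_client_vpn_endpoint" "engineers" {
  description            = "User VPN into the VPC, AD-authenticated with MFA"
  server_certificate_arn = var.server_cert_arn   # placeholder: ACM certificate ARN
  client_cidr_block      = "10.100.0.0/22"       # placeholder; must not overlap the VPC
  authentication_options {
    type                = "directory-service-authentication"
    active_directory_id = aws_directory_service_directory.ad_connector.id
  }
  connection_log_options {            # record who connected and when
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.vpn.name
  }
}
resource "aws_ec2_client_vpn_network_association" "app" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.engineers.id
  subnet_id              = var.app_subnet_id         # placeholder
}
resource "aws_ec2_client_vpn_authorization_rule" "app" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.engineers.id
  target_network_cidr    = "10.0.2.0/24"                     # placeholder: app subnet only
  access_group_id        = "S-1-5-21-PLACEHOLDER-GROUP-SID"  # placeholder: one AD group
}
```

The authorization rule is what turns "VPN access" into least privilege: without an access group and a narrow target CIDR, every directory user who passes MFA can reach the whole associated network.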

Answer

The correct answer is: B