AWS Certified Solutions Architect - Professional / Question #927 of 529

Question #927

A company hosts a sensitive database on Amazon RDS within a VPC. Developers working remotely from home and multiple office locations need to access the database directly from their local machines for development tasks. The solution must ensure all data remains within the VPC and provide secure access.

A

Configure an AWS Client VPN endpoint associated with the VPC, set up a self-service portal, and instruct developers to connect using the VPN client.

B

Create a transit gateway connected to the VPC, establish an AWS Site-to-Site VPN, and instruct developers to use an OpenVPN client.

C

Order an AWS Direct Connect connection with a public VIF, associate it with a transit gateway, and instruct developers to connect via Direct Connect.

D

Deploy a bastion host in a public subnet, configure its security group to allow SSH access from company IP ranges, and instruct developers to connect via SSH tunneling.

Explanation

Answer A is correct because:
- AWS Client VPN establishes a TLS-encrypted tunnel that terminates inside the VPC, so database traffic is encrypted in transit and the database is never exposed publicly.
- It allows developers to connect from any location (home or office) without requiring fixed IPs, matching the requirement for remote access from local machines.
- A self-service portal simplifies distribution of client configuration files and the VPN client to developers.

Other options are incorrect because:
- B (Transit Gateway + Site-to-Site VPN): Site-to-Site VPN connects entire networks (e.g., office locations), not individual remote users. OpenVPN is not typically used for Site-to-Site VPNs (IPsec is standard).
- C (Direct Connect + Public VIF): Direct Connect requires physical infrastructure (e.g., colocation) and a public VIF connects to public AWS services (e.g., S3), not the VPC.
- D (Bastion Host): A bastion host in a public subnet exposes the host to the internet, increasing the attack surface. Maintaining security group rules for dynamic home and office IP ranges is impractical and error-prone.

Key Points: Use AWS Client VPN for secure, scalable remote access to VPC resources without public exposure. Avoid bastion hosts or Site-to-Site VPNs for individual remote users.

Answer

The correct answer is: A