AWS Certified Solutions Architect - Professional / Question #541 of 529

Question #541

A company needs to integrate a third-party SaaS solution hosted on AWS within the third-party's VPC. The company's security policies mandate that all communication must occur over private AWS networks without internet exposure. Additionally, no resources in the company's VPC can be accessible from outside the VPC, and all permissions must follow the principle of least privilege.

Which solution meets these requirements?

A

Create an AWS PrivateLink interface VPC endpoint in the company's VPC. Connect this endpoint to the third-party SaaS provider's endpoint service. Configure a security group to restrict access to the endpoint and associate it with the endpoint.

B

Establish an AWS Transit Gateway to connect the company's VPC and the third-party SaaS provider's VPC. Use VPN attachments for encryption and update route tables to enable communication between the VPCs.

C

Deploy an AWS Direct Connect connection with a private virtual interface (VIF) to link the company's VPC to the third-party SaaS provider's VPC. Use BGP routing to manage traffic paths.

D

Set up a VPC peering connection between the company's VPC and the third-party SaaS provider's VPC. Configure route tables to allow bidirectional traffic and apply network ACLs to restrict access.

Explanation

Option A is correct because AWS PrivateLink allows the company to create an interface VPC endpoint within its own VPC that connects privately to the endpoint service the third party hosts in its VPC. This keeps all traffic on AWS's private network and off the public internet. A security group attached to the endpoint restricts access to only authorized resources (for example, only the application's security group on the service port), adhering to the principle of least privilege. The company's resources remain inaccessible from outside its VPC because PrivateLink connections can only be initiated from the company's VPC toward the service; the provider cannot initiate connections back into the company's VPC.

The other options fail to meet all requirements:
- Option B: Transit Gateway with VPN attachments relies on internet-based VPN tunnels, violating the "no internet exposure" requirement.
- Option C: Direct Connect is designed for on-premises-to-AWS connectivity, not for VPC-to-VPC connectivity within AWS.
- Option D: VPC peering allows bidirectional traffic, so the company's resources would be exposed to the third-party VPC unless tightly controlled with route tables and network ACLs; this is less secure than PrivateLink's one-way, consumer-initiated access.

Key Points:
1. PrivateLink ensures private, internet-free communication.
2. Interface endpoints use security groups for least privilege.
3. The company's VPC resources remain isolated from external access.

Answer

The correct answer is: A