AWS Certified Security – Specialty (SCS-C02) — Question 240
A company hired an external consultant who needs to use a laptop to access the company’s VPCs. Specifically, the consultant needs access to two VPCs that are peered together in the same AWS Region. The company wants to provide the consultant with access to these VPCs without also providing any unnecessary access to other network resources.
Which solution will meet these requirements?
Answer options
- A. Create an AWS Site-to-Site VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- B. Create an AWS account. Use the VPC sharing feature through AWS Resource Access Manager to allow the consultant to access the VPCs.
- C. Create an AWS Client VPN endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
- D. Create a gateway VPC endpoint in the same Region as the VPCs. Configure access through an appropriate subnet and authorization rule.
Correct answer: C
Explanation
C is correct. AWS Client VPN is the managed, OpenVPN-based service for remote user access. The consultant's laptop connects to a Client VPN endpoint; the endpoint is associated with a subnet in one of the two VPCs (its target network), and authorization rules grant access only to the destination CIDRs you list. Because the two VPCs are peered, the second VPC is reachable through the first: add a Client VPN route for the peer VPC's CIDR that targets the associated subnet, plus an authorization rule for that CIDR. Nothing is reachable through the tunnel unless both a route and an authorization rule exist for it, which is exactly the "no unnecessary access" requirement. Enabling split tunnel keeps the consultant's non-VPC traffic off the tunnel, and the security group attached to the endpoint further limits what the laptop can reach.
Option A is wrong because Site-to-Site VPN terminates an IPsec tunnel from a customer gateway device (an on-premises network) at a virtual private gateway or transit gateway. It connects networks, not an individual user's laptop, and it has no per-user authorization rules. Option B is wrong because VPC sharing through AWS Resource Access Manager shares subnets with other AWS accounts in the same organization so that they can launch their own resources into those subnets; it gives a laptop no network path into the VPCs, and a separate account for the consultant broadens rather than limits what the consultant can do. Option D is wrong because a gateway VPC endpoint is a route-table target that lets resources already inside a VPC reach Amazon S3 and DynamoDB privately; it provides no inbound access from outside the VPC.
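The Terraform configuration below is an added worked example of option C; it is not part of the question or the exam material. It shows the three pieces the explanation relies on: a target network association in the first VPC, an explicit route to the peered VPC, and one authorization rule per VPC CIDR (and nothing for 0.0.0.0/0). Every VPC, subnet and certificate ARN is a placeholder, the CIDRs are invented, and certificate-based mutual TLS is an assumption (SAML federation or Active Directory are the alternatives).

```hcl
# Added example (not from the question): Client VPN endpoint that gives a
# remote laptop access to VPC A and its peered VPC B, and nothing else.
# All IDs, CIDRs and ACM certificate ARNs below are placeholders.

locals {
  vpc_a_cidr      = "10.10.0.0/16"              # VPC that hosts the endpoint
  vpc_b_cidr      = "10.20.0.0/16"              # peered VPC, same Region
  vpc_a_id        = "vpc-0aaaaaaaaaaaaaaaa"
  vpc_a_subnet_id = "subnet-0aaaaaaaaaaaaaaaa" # target network for the endpoint
  client_cidr     = "172.16.0.0/22"             # must not overlap either VPC
}

# Security group applied to the endpoint's network interfaces:
# egress only to the two VPC CIDRs.
resource "aws_security_group" "client_vpn" {
  name   = "consultant-client-vpn"
  vpc_id = local.vpc_a_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [local.vpc_a_cidr, local.vpc_b_cidr]
  }
}

resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/client-vpn/consultant"
  retention_in_days = 90
}

resource "aws_cloudwatch_log_stream" "client_vpn" {
  name           = "connections"
  log_group_name = aws_cloudwatch_log_group.client_vpn.name
}

resource "aws_ec2_client_vpn_endpoint" "consultant" {
  description            = "External consultant access to VPC A and VPC B"
  server_certificate_arn = "arn:aws:acm:us-east-1:111122223333:certificate/server-placeholder"
  client_cidr_block      = local.client_cidr
  vpc_id                 = local.vpc_a_id
  security_group_ids     = [aws_security_group.client_vpn.id]
  split_tunnel           = true  # only the routes below are pushed to the client
  transport_protocol     = "udp"

  # Mutual TLS: the consultant receives a client certificate issued by this CA.
  # Revoke it through the endpoint's client CRL when the engagement ends.
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = "arn:aws:acm:us-east-1:111122223333:certificate/client-ca-placeholder"
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
  }
}

# Associating a subnet in VPC A adds VPC A's CIDR to the endpoint route
# table automatically.
resource "aws_ec2_client_vpn_network_association" "vpc_a" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.consultant.id
  subnet_id              = local.vpc_a_subnet_id
}

# The peered VPC is NOT added automatically: route its CIDR via the
# associated subnet, which already has a peering route to VPC B.
resource "aws_ec2_client_vpn_route" "vpc_b" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.consultant.id
  destination_cidr_block = local.vpc_b_cidr
  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpc_a.subnet_id
}

# One authorization rule per VPC CIDR. No rule for 0.0.0.0/0, so no other
# destination is reachable through the tunnel.
resource "aws_ec2_client_vpn_authorization_rule" "vpc_a" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.consultant.id
  target_network_cidr    = local.vpc_a_cidr
  authorize_all_groups   = true
}

resource "aws_ec2_client_vpn_authorization_rule" "vpc_b" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.consultant.id
  target_network_cidr    = local.vpc_b_cidr
  authorize_all_groups   = true
}
```

Two practical checks once this is applied: client traffic is source-NATed to the endpoint's network interface in the associated subnet, so security groups on instances in VPC B must allow traffic from that subnet (or from the endpoint's security group, which peered VPCs in the same Region can reference), not from the client CIDR; and if the consultant must only reach a handful of hosts, narrow `target_network_cidr` to those subnets rather than the whole VPC CIDR.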