AWS Certified Security – Specialty — Question 313
A company needs a cloud-based, managed desktop solution for its workforce of remote employees. The company wants to ensure that the employees can access the desktops only by using company-provided devices. A security engineer must design a solution that will minimize cost and management overhead.
Which solution will meet these requirements?
Answer options
- A. Deploy a custom virtual desktop infrastructure (VDI) solution with a restriction policy to allow access only from corporate devices.
- B. Deploy a fleet of Amazon EC2 instances. Assign an instance to each employee with certificate-based device authentication that uses Windows Active Directory.
- C. Deploy Amazon WorkSpaces. Set up a trusted device policy with IP blocking on the authentication gateway by using AWS Identity and Access Management (IAM).
- D. Deploy Amazon WorkSpaces. Create client certificates, and deploy them to trusted devices. Enable restricted access at the directory level.
Correct answer: D
Explanation
Amazon WorkSpaces is a managed desktop service, so it carries less cost and management overhead than a custom VDI deployment or a fleet of individually managed Amazon EC2 instances. To restrict access to company-provided devices, WorkSpaces natively supports client certificates deployed to trusted devices, with restricted access enforced at the directory level. Option A (custom VDI) and option B (one EC2 instance per employee) add management overhead, and option C relies on IP blocking and IAM, which do not validate the device itself and are not how WorkSpaces enforces trusted-device access.