AWS Certified Solutions Architect – Associate (SAA-C02) — Question 410
A company with a single AWS account runs its internet-facing containerized web application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
The EKS cluster is placed in a private subnet of a VPC. System administrators access the EKS cluster through a bastion host in a public subnet.
A new corporate security policy requires the company to avoid the use of bastion hosts. The company also must not allow internet connectivity to the EKS cluster.
Which solution meets these requirements MOST cost-effectively?
Answer options
- A. Set up an AWS Direct Connect connection.
- B. Create a transit gateway.
- C. Establish a VPN connection.
- D. Use AWS Storage Gateway.
Correct answer: C
Explanation
Establishing an AWS VPN connection provides a secure, private, and highly cost-effective method for administrators to access the private Amazon EKS cluster without relying on a bastion host or exposing the cluster to the public internet. While AWS Direct Connect also offers private connectivity, it is significantly more expensive and complex to provision. AWS Transit Gateway adds unnecessary cost and architectural overhead for a single-account setup, and AWS Storage Gateway is a storage service that does not address network connectivity needs.