AWS Certified Solutions Architect – Associate (SAA-C03) — Question 873

A solutions architect needs to connect a company's corporate network to its VPC to allow on-premises access to its AWS resources. The solution must provide encryption of all traffic between the corporate network and the VPC at the network layer and the session layer. The solution also must provide security controls to prevent unrestricted access between AWS and the on-premises systems.

Which solution meets these requirements?

Answer options

• A. Configure AWS Direct Connect to connect to the VPC. Configure the VPC route tables to allow and deny traffic between AWS and on premises as required.
• B. Create an IAM policy to allow access to the AWS Management Console only from a defined set of corporate IP addresses. Restrict user access based on job responsibility by using an IAM policy and roles.
• C. Configure AWS Site-to-Site VPN to connect to the VPConfigure route table entries to direct traffic from on premises to the VPConfigure instance security groups and network ACLs to allow only required traffic from on premises.
• D. Configure AWS Transit Gateway to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.

Correct answer: C

Explanation

AWS Site-to-Site VPN automatically encrypts traffic at the network layer using IPsec, satisfying the requirement for secure transit between the corporate network and the VPC. Network ACLs and security groups provide the necessary stateful and stateless firewall controls to restrict traffic to only authorized sources. Other solutions like AWS Direct Connect do not provide native encryption by default without additional configuration.