AWS Certified Solutions Architect – Professional (SAP-C02) — Question 370

A company is building an application on AWS. The application sends logs to an Amazon OpenSearch Service cluster for analysis. All data must be stored within a VPC.

Some of the company’s developers work from home. Other developers work from three different company office locations. The developers need to access OpenSearch Service to analyze and visualize logs directly from their local development machines.

Which solution will meet these requirements?

Answer options

• A. Configure and set up an AWS Client VPN endpoint. Associate the Client VPN endpoint with a subnet in the VPC. Configure a Client VPN self-service portal. Instruct the developers to connect by using the client for Client VPN.
• B. Create a transit gateway, and connect it to the VPC. Create an AWS Site-to-Site VPN. Create an attachment to the transit gateway. Instruct the developers to connect by using an OpenVPN client.
• C. Create a transit gateway, and connect it to the VPOrder an AWS Direct Connect connection. Set up a public VIF on the Direct Connect connection. Associate the public VIF with the transit gateway. Instruct the developers to connect to the Direct Connect connection.
• D. Create and configure a bastion host in a public subnet of the VPC. Configure the bastion host security group to allow SSH access from the company CIDR ranges. Instruct the developers to connect by using SSH.

Correct answer: A

Explanation

AWS Client VPN is a managed client-based VPN service that allows individual remote users, such as work-from-home developers and office employees, to securely access resources inside an AWS VPC. Option D is incorrect because restricting SSH access to company CIDR ranges would lock out developers working from home. Options B and C are designed for network-to-network connectivity (like connecting an office to AWS) rather than accommodating individual, geographically dispersed remote users.