AWS Certified Solutions Architect – Professional (SAP-C02) — Question 461
A company wants to use Amazon WorkSpaces in combination with thin client devices to replace aging desktops. Employees use the desktops to access applications that work with clinical trial data. Corporate security policy states that access to the applications must be restricted to only company branch office locations. The company is considering adding another branch office in the next 6 months.
Which solution meets these requirements with the MOST operational efficiency?
Answer options
- A. Create an IP access control group rule with the list of public addresses from the branch offices. Associate the IP access control group with the WorkSpaces directory.
- B. Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public addresses from the branch office locations. Associate the web ACL with the WorkSpaces directory.
- C. Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines deployed in the branch office locations. Enable restricted access on the WorkSpaces directory.
- D. Create a custom WorkSpace image with Windows Firewall configured to restrict access to the public addresses of the branch offices. Use the image to deploy the WorkSpaces.
Correct answer: A
Explanation
Amazon WorkSpaces IP access control groups allow administrators to define rules that restrict access to WorkSpaces based on the user's public IP address, which is the most operationally efficient way to limit access to specific branch offices. Managing these rules at the directory level makes it easy to add new branch office IP ranges in the future. Other options, such as using Windows Firewall in custom images or deploying certificates to thin clients, introduce significant administrative overhead and complexity.