AWS Certified Solutions Architect – Professional — Question 881

A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment.
A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company's other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs.
What should the solutions architect do to meet these requirements?

Answer options

• A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.
• B. Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.
• C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.
• D. Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.

Correct answer: C

Explanation

Creating a dedicated transit gateway route table for each VPC attachment provides the necessary isolation and fine-grained routing control directly at the transit gateway level. Security groups cannot reference security groups across a transit gateway in different VPCs, making Option B invalid. Modifying VPC route tables or network ACLs is operationally complex and does not prevent the transit gateway from routing traffic to unauthorized destinations once it receives the packets.