AWS Certified SysOps Administrator – Associate (legacy) — Question 872
A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet.
How would a SysOps Administrator implement this requirement?
Answer options
- A. Implement an IAM policy that uses the aws:sourceConnection condition to allow access from the AWS Direct Connect connection ID only
- B. Set up a public virtual interface on the AWS Direct Connect connection
- C. Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges
- D. Update all the VPC network ACLs to allow access from the data center IP ranges
Correct answer: B
Explanation
A public virtual interface (public VIF) on the Direct Connect connection is the mechanism that carries traffic to AWS public service endpoints (S3, DynamoDB, SQS, STS, the API endpoints of the other regional services) over the dedicated link instead of the internet. Over the BGP session of the public VIF, AWS advertises its public IP prefixes to the on-premises router; once the router prefers those routes over its default route, requests from on-premises applications to those endpoints traverse Direct Connect. Points to check in practice: the BGP peering needs public IPv4 addresses (customer-owned or allocated by AWS), the inbound prefix filter on the customer router must not drop the AWS prefixes, and the received-routes table should be compared against the service prefixes that are actually in use, since any prefix without a Direct Connect route falls back to the default route and therefore to the internet.
Why the other options are wrong: aws:sourceConnection (A) is not an IAM condition key (IAM has aws:SourceIp, aws:SourceVpc and aws:SourceVpce, none of which identifies a Direct Connect connection), and an IAM policy decides whether a request is authorized, not which network path it takes. AWS Shield (C) is a DDoS protection service and does not restrict or route console or API access. Network ACLs (D) filter traffic entering and leaving VPC subnets; they have no effect on traffic to AWS service endpoints that live outside the VPC and cannot force on-premises traffic onto the Direct Connect link. (A private VIF combined with VPC interface endpoints is an alternative design for some services, but it is not among the options.)
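The verification step described above, as an added example that is not part of the original question or of any AWS tooling: it compares the service prefixes published in AWS's ip-ranges.json with the prefixes received from the AWS BGP peer on the public VIF and reports any service prefix that has no covering Direct Connect route. Both inputs are constructed here (the prefixes are RFC 5737 test networks, not real AWS ranges, and the learned-route list is hypothetical); in practice you would feed it the downloaded ip-ranges.json and the parsed output of your router's received-routes command.

```python
"""Audit: which AWS service prefixes lack a route learned over the DX public VIF?"""
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are RFC 5737 test networks, NOT real AWS ranges.
IP_RANGES_JSON = """
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "198.51.100.0/26", "region": "us-east-1", "service": "DYNAMODB"},
    {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "S3"}
  ]
}
"""

# Constructed (hypothetical) list of prefixes received from the AWS BGP peer on
# the public VIF, i.e. what a parsed "received-routes" listing would contain.
# Scenario: an aggregate covers both S3 blocks, but the DynamoDB block is
# missing, e.g. because an inbound prefix-list on the customer router dropped it.
LEARNED_OVER_DX = ["192.0.2.0/24", "203.0.113.0/24"]


def service_prefixes(ip_ranges_json, services, regions):
    """Return ip_network objects for the selected services and regions."""
    data = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(entry["ip_prefix"])
        for entry in data["prefixes"]
        if entry["service"] in services and entry["region"] in regions
    ]


def uncovered_prefixes(service_nets, learned):
    """Service prefixes with no equal or less-specific route learned over DX.

    Traffic to these prefixes follows the default route, i.e. the internet,
    which is exactly what the requirement forbids.
    """
    learned_nets = [ipaddress.ip_network(p) for p in learned]
    missing = [
        str(net) for net in service_nets
        if not any(net.subnet_of(route) for route in learned_nets)
    ]
    return sorted(missing)


def audit(ip_ranges_json=IP_RANGES_JSON, learned=LEARNED_OVER_DX,
          services=("S3", "DYNAMODB"), regions=("us-east-1",)):
    """Run the comparison for the services/regions the applications actually use."""
    nets = service_prefixes(ip_ranges_json, services, regions)
    return uncovered_prefixes(nets, learned)


if __name__ == "__main__":
    for prefix in audit():
        print(f"NOT reachable over Direct Connect: {prefix}")
```

Restrict `services` and `regions` to what the on-premises applications really call; the full ip-ranges.json contains thousands of prefixes and most of them are irrelevant to a given workload. An empty result means every selected service prefix is covered by a Direct Connect route; anything listed is traffic that will still leave via the internet.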