A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel. How can the Security Engineer protect this workload so that only employees can access it?
A. Add each employee's home IP address to the security group for the application so that only those users can access the workload.
B. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
D. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.
C is the only correct answer. They want also remote workers, travellers and not only office users, and this is why AWS private gateway is not a solution since it is site-to-site VPN with 2 tunnels. VPN CloudHub is the same as private VPN gateway but multiple site-to-site tunnels, so it is wrong.
Your response, albeit correct, does not make any sense. Who mentioned CloudHub? What is it with the tunnels?
B is incorrect because you cannot create a separate VPN connection for each user.
Better to have each user connect to the VPN appliance. C
C is the best answer, yet it is very poorly written.
It gives hints to SSL VPN, but a better description of AWS Client VPN (managed service) would've been better.
Still, C is the best answer.
C is correct
You can also choose to use a third-party VPN solution. Use a third-party solution if you require full access and management of the AWS side of the VPN connection.
see this link : https://repost.aws/knowledge-center/connect-vpc
Network Engineer here
Implemented thousands of VPNs so far
B is incorrect because for Client-to-Site VPNs you need an "EC2 Client VPN endpoint" and not a "VPN Private Gateway" (VPN Private Gateway is for Site-to-Site IPsec VPN tunnels).
That leaves us with Option C
Option A is not a good choice because home IP addresses frequently change, and it would be a significant administrative burden to constantly update security group rules.
Option B isn't practical, as creating a virtual gateway for each employee can become cumbersome and difficult to manage, especially for a large number of employees.
Option D would be expensive and might not offer the same level of protection and control as a dedicated VPN solution. AWS WAF is more suited to protecting against web exploits rather than managing access control for a large number of users.
So, using a VPN appliance from the AWS Marketplace for users to connect to and restricting workload access to traffic from that appliance is the most suitable option.
A. Definitely not suitable since there are employees who are travelling and remote.
B. Creating a virtual gateway for each employee would be a lot of effort and not scalable.
D. AWS WAF is not suitable since it is for protecting web apps.
The remaining option is only C. Using a VPN appliance is the most suitable option.
Virtual gateway for VPN connectivity for each employee? Could someone please explain how that's even a solution in the entire security world, let alone AWS?
A VPN solution is usually between two sites/domains or remote access endpoint VPN for users. The one possibility here is to get a VPN appliance from the Marketplace.
The answer should be C.
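The "restrict workload access to traffic from that appliance" half of option C is enforced in the workload's security group, and it is the part that drifts when someone later adds a "temporary" home IP. The audit below is an added example, not code from this page or any commenter; it checks a security group in the dict shape returned by boto3's `ec2.describe_security_groups()` and flags every ingress grant that is not a reference to the VPN appliance's security group. The group IDs, the home address and the sample rules are constructed placeholders.

```python
# Added example (not from the page): audit a workload security group so that
# its only ingress source is the VPN appliance's security group (option C).
# Input is the dict shape boto3's ec2.describe_security_groups() returns, so a
# live response can replace the constructed sample. All IDs are placeholders.

VPN_APPLIANCE_SG = "sg-0vpnappliance000"   # placeholder for the appliance's SG


def ingress_violations(sg: dict, allowed_source_sg: str) -> list[str]:
    """Return one finding per ingress grant that is not a reference to
    allowed_source_sg. Any CIDR grant, even a single home /32, is a
    finding: home addresses change, which is why option A does not scale."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        port = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for r in perm.get("IpRanges", []):
            findings.append(f"IPv4 {r['CidrIp']} on {proto}/{port}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 {r['CidrIpv6']} on {proto}/{port}")
        for p in perm.get("PrefixListIds", []):
            findings.append(f"prefix list {p['PrefixListId']} on {proto}/{port}")
        for g in perm.get("UserIdGroupPairs", []):
            if g.get("GroupId") != allowed_source_sg:
                findings.append(f"group {g.get('GroupId')} on {proto}/{port}")
    return findings


def _rule(proto, port, **sources):
    """Build one IpPermissions entry; unspecified source lists are empty."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": sources.get("IpRanges", []),
            "Ipv6Ranges": sources.get("Ipv6Ranges", []),
            "PrefixListIds": sources.get("PrefixListIds", []),
            "UserIdGroupPairs": sources.get("UserIdGroupPairs", [])}


# Constructed sample: the intended appliance-only rule plus two drifted grants.
SAMPLE_WORKLOAD_SG = {
    "GroupId": "sg-0workload0000000",
    "IpPermissions": [
        _rule("tcp", 443, UserIdGroupPairs=[{"GroupId": VPN_APPLIANCE_SG}]),
        _rule("tcp", 443, IpRanges=[{"CidrIp": "203.0.113.25/32"}]),  # home IP
        _rule("tcp", 22, IpRanges=[{"CidrIp": "0.0.0.0/0"}]),         # open SSH
    ],
}

if __name__ == "__main__":
    for finding in ingress_violations(SAMPLE_WORKLOAD_SG, VPN_APPLIANCE_SG):
        print("VIOLATION:", finding)
```

Run against a real account by replacing `SAMPLE_WORKLOAD_SG` with one entry of `describe_security_groups()["SecurityGroups"]`; an empty result means only the appliance can reach the workload.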