Question 19
Domain 3: Infrastructure Security
A company runs an application on AWS that needs to be accessed only by employees. Most employees work from the office, but others work remotely or travel. How can the Security Engineer protect this workload so that only employees can access it?
Correct answer: C
Explanation
The AWS exam content outline includes “Secure remote access” and “VPN technology, terminology, and usage.” A VPN appliance gives remote employees an authenticated, private network path into the VPC; restricting the workload to traffic arriving from that appliance means the application is reachable only through the employee VPN and is never exposed directly to the public internet.
Why each option is right or wrong
A. Add each employee's home IP address to the security group for the application so that only those users can access the workload.
Home IP addresses change and are often shared, so they identify a network location rather than an employee; a security group keyed to individual home IPs is neither reliable nor manageable as an access control.
B. Create a virtual gateway for VPN connectivity for each employee, and restrict access to the workload from within the VPC.
A virtual private gateway terminates Site-to-Site VPN connections for a VPC; it is not created per employee, so this design does not match how VPN connectivity works on AWS.
C. Use a VPN appliance from the AWS Marketplace for users to connect to, and restrict workload access to traffic from that appliance.
AWS exam guidance explicitly calls out secure remote access and VPN technology as in-scope, and the network-security task statement includes AWS VPN and on-premises connectivity options. A VPN appliance from AWS Marketplace creates an authenticated private entry point for remote employees, and then a security group or network ACL can be scoped to allow the application only from that appliance’s source IP/CIDR, preventing direct public-internet access to the workload.
D. Route all traffic to the workload through AWS WAF. Add each employee's home IP address into an AWS WAF rule, and block all other traffic.
AWS WAF filters HTTP(S) requests at the edge (CloudFront, ALB, API Gateway); an allowlist of employee home IPs in a WAF rule has the same weaknesses as option A and is not the right control for employee-only access via VPN.
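As an added illustration of the control described in option C (this code is not part of the original question or its explanation): a small Python audit that inspects a security group's ingress rules, in the IpPermissions shape returned by EC2 DescribeSecurityGroups, and reports every source for the application port other than the VPN appliance. The appliance's private address, its security group ID, the application port and the sample rules are all constructed assumptions for this example.

```python
import ipaddress

# Constructed assumptions for this example (not from the page): the VPN
# appliance's private address inside the VPC, the appliance's security
# group (placeholder ID), and the application's listening port.
VPN_APPLIANCE_CIDR = "10.0.1.10/32"
VPN_APPLIANCE_SG = "sg-PLACEHOLDER-vpn-appliance"
APP_PORT = 443

# Constructed ingress rules shaped like the IpPermissions list that
# DescribeSecurityGroups returns. WEAK_RULES mixes the option-C rule with
# the option-A pattern (a home IP) and a wide-open rule.
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.10/32", "Description": "vpn appliance"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.25/32", "Description": "employee home"}]},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}]},
]

# HARDENED_RULES admits the appliance by address and, alternatively, by a
# reference to the appliance's own security group.
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.10/32", "Description": "vpn appliance"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": VPN_APPLIANCE_SG}]},
]


def rule_covers_port(perm, port):
    """True if this permission applies to `port` (protocol -1 means all ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def ingress_findings(ip_permissions, app_port=APP_PORT,
                     appliance_cidr=VPN_APPLIANCE_CIDR, appliance_sg=VPN_APPLIANCE_SG):
    """Return a list describing every source that can reach app_port and is
    not the VPN appliance (by address inside appliance_cidr or by its SG)."""
    allowed = ipaddress.ip_network(appliance_cidr)
    findings = []
    for perm in ip_permissions:
        if not rule_covers_port(perm, app_port):
            continue
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            net = ipaddress.ip_network(cidr)
            # A source is acceptable only if it lies entirely inside the appliance CIDR.
            if net.version != allowed.version or not net.subnet_of(allowed):
                findings.append(f"{cidr} ({r.get('Description', 'no description')})")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != appliance_sg:
                findings.append(f"security group {pair.get('GroupId')}")
        for pl in perm.get("PrefixListIds", []):
            # Managed prefix lists are opaque here; flag them for manual review.
            findings.append(f"prefix list {pl.get('PrefixListId')}")
    return findings


def locked_to_vpn(ip_permissions, **kwargs):
    """True when the application port is reachable only from the VPN appliance."""
    return not ingress_findings(ip_permissions, **kwargs)


if __name__ == "__main__":
    for name, rules in (("WEAK_RULES", WEAK_RULES), ("HARDENED_RULES", HARDENED_RULES)):
        print(name, "locked to VPN:", locked_to_vpn(rules))
        for f in ingress_findings(rules):
            print("  unexpected source:", f)
```

Referencing the appliance's security group instead of its address (the second HARDENED rule) survives the appliance being replaced with a new private IP, which is why the check accepts either form.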