
SAP-C01 Exam - Question 906


A company wants to use a hybrid cloud architecture between an on-premises data center and AWS. The company already has deployed a multi-account structure in AWS Organizations while following the AWS Well-Architected Framework.

Due to strict security requirements, connectivity between the data center and AWS must be encrypted in transit. Only a single entry point into AWS is permitted from the data center. The data center must be able to access all the AWS accounts.

Which solution meets these requirements?

Correct Answer: A

To meet the company's strict requirement that connectivity between the data center and AWS be encrypted in transit, an AWS Site-to-Site VPN connection should be used, because it uses IPsec to encrypt traffic. Terminating that VPN on an AWS Transit Gateway provides the single entry point into AWS and lets traffic from the data center be routed to every AWS account attached to the gateway. VPC peering does not support transitive routing, so it cannot give one entry point access to all accounts, and AWS Direct Connect alone does not encrypt traffic by default; the additional configuration needed to encrypt it is not part of that option. The appropriate solution is therefore to connect the AWS accounts with AWS Transit Gateway and establish a Site-to-Site VPN connection from the data center.

Discussion

8 comments
AwsBRFan (Option: A)
Sep 7, 2022

A. https://docs.aws.amazon.com/directconnect/latest/UserGuide/encryption-in-transit.html

RVD (Option: A)
Sep 2, 2022

Encryption in transit is possible by IPsec, not DX.

pixepe
Sep 4, 2022

Answer - A. Requirement - "connectivity between the data center and AWS must be encrypted in transit" means it's VPN. VPN: "VPN connections use IPsec to establish encrypted network connectivity between your intranet and an Amazon VPC over the public internet." Direct Connect: by DEFAULT traffic is unencrypted. Of course, we can encrypt by an additional step, but it's NOT mentioned in answer D. Hence, the correct answer is A.

rajvee
Sep 5, 2022

A. 1. For the transit to be encrypted, Site-to-Site VPN is required, i.e. IPsec. 2. For the single point of entry from the DC, only Transit GW will work, because VPC peering does not allow traffic to transit, i.e. https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html

ToanVN1988 (Option: A)
Oct 27, 2022

A or D, but need to encrypt in transit. Direct Connect not correct. Answer is A.

Rocketeer
Sep 3, 2022

VPN goes through the internet and hence needs encryption. DX is a direct connection from on-prem to AWS. Using HTTPS provides the needed encryption. My answer is D.

zdlt
Oct 28, 2022

Selected Answer: A. Because of transit encryption, a Site-to-Site VPN (using IPsec) should be created instead of Direct Connect, mentioned in D.

WhyIronMan (Option: A)
Jul 15, 2024

A) as encryption is needed and it is not mentioned in D), as Direct Connect uses no encryption by default.