Q10 — AWS SAP-C02 Ch.1


Q85. A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC. The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege. Which solution meets these requirements?

Correct Answer: A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

Explanation

The solution that meets the requirements of private connectivity that does not traverse the internet and of conforming to the principles of least privilege is A: create an AWS PrivateLink interface VPC endpoint, connect it to the endpoint service that the third-party SaaS application provides, create a security group to limit access to the endpoint, and associate the security group with the endpoint.

Option A: AWS PrivateLink lets you access services hosted on AWS privately, without traversing the internet. By creating an interface VPC endpoint, you connect directly from inside your VPC to the endpoint service provided by the third-party SaaS application, so the traffic stays within the AWS network and never goes over the internet. A security group attached to the endpoint limits access to it, ensuring that only the necessary resources within your VPC can communicate with the third-party SaaS application.

Option B is incorrect because a Site-to-Site VPN connection traverses the internet, which contradicts the requirement for private connectivity that does not traverse the internet. Network ACLs also do not provide the granular control required to conform to the principles of least privilege.

Option C is incorrect because VPC peering connects two separate VPCs, and in this scenario the third-party SaaS application is already running inside a VPC. Creating a VPC peering connection would not provide the required private connectivity without traversing the internet.

Option D is incorrect because an AWS PrivateLink endpoint service is what you create when you want to offer your own service, hosted in your VPC, to other AWS accounts. In this scenario you are the consumer of the third-party SaaS application, and the SaaS provider is responsible for creating the endpoint service for their application.

Therefore, the correct solution is A: create an AWS PrivateLink interface VPC endpoint, connect it to the endpoint service of the third-party SaaS application, and configure a security group to limit access to the endpoint, which provides private connectivity within your VPC and adheres to the principles of least privilege. You can change the security groups that are associated with the network interfaces for your interface endpoint; the security group rules control the traffic that is allowed to reach the endpoint network interface from the resources in your VPC.