AWS IAM Identity Center (formerly AWS SSO) is the recommended service for centrally managing workforce access to multiple AWS accounts and applications. It integrates seamlessly with AWS Organizations, allowing for scalable management. IAM Identity Center can connect to an external identity provider (IdP), enabling employees to use their existing corporate credentials to sign in. Users and groups can be provisioned from the IdP into IAM Identity Center, and then permission sets are used to grant role-based access to the various AWS accounts within the organization. This solution directly meets all the requirements for centralized, federated access for thousands of users across multiple accounts.

A. Creating individual IAM users for thousands of employees across 10 accounts is not scalable and is a significant management overhead. Federation provides temporary credentials to assume roles, not to authenticate IAM users.

B. Using the root user for regular access is a major security anti-pattern. The root user should be highly secured and used only for specific account management tasks, not for general employee access.

D. AWS Resource Access Manager (AWS RAM) is used for sharing specific AWS resources (e.g., subnets, Transit Gateways) across accounts, not for managing user identities or providing federated access to accounts.

1. AWS IAM Identity Center User Guide

"What is AWS IAM Identity Center?": "AWS IAM Identity Center (IAM Identity Center) helps you to securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications." This document also details connecting to an external identity provider under the "Choose your identity source" section.

2. AWS IAM Identity Center User Guide

"Manage access to AWS accounts": This section explains how IAM Identity Center uses permission sets to control access to AWS accounts within an AWS Organization

which is the core of the solution required by the question.

3. AWS IAM User Guide

"Identity providers and federation": This guide explains that federation allows you to manage user identities outside of AWS and grant them temporary credentials to access AWS resources by assuming IAM roles. This contrasts with creating permanent IAM users.

4. AWS Security Best Practices Whitepaper

"AWS Identity and Access Management" section: This whitepaper emphasizes using IAM Identity Center for managing human user access

stating

"For human users that require access to your AWS accounts and workloads

we recommend that you use AWS IAM Identity Center to provide a single sign-on experience." (Page 10).

5. AWS Resource Access Manager User Guide

"What is AWS Resource Access Manager?": "AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization." This confirms RAM's purpose is resource sharing

not identity federation.

Amazon Elastic File System (EFS) is the ideal solution for this scenario. It provides a fully managed, scalable, and high-performance Network File System (NFS) that can be concurrently mounted by thousands of Amazon EC2 instances. EFS is a regional service, meaning it stores data across multiple Availability Zones (AZs) for high availability. By creating EFS mount targets in the subnets of each AZ where the EC2 instances are running, all instances can share the same file system seamlessly. All data traffic between the EC2 instances and the EFS file system remains within the Virtual Private Cloud (VPC), satisfying the security requirement.

A. Amazon S3 is an object storage service, not a file system. Accessing data via API calls is fundamentally different from a mounted file system and may not be suitable or performant for applications expecting POSIX-compliant file access.

B. Amazon S3 cannot be natively mounted as a volume on EC2 instances. This would require a third-party utility or a service like AWS Storage Gateway, which adds unnecessary complexity for this use case.

C. An Amazon EBS volume is block-level storage that is zonal; it can only be attached to instances within the same single Availability Zone. It cannot be mounted across instances in multiple AZs.

1. Amazon EFS User Guide

"What is Amazon EFS?": This document states

"Amazon EFS is a regional service

storing data within and across multiple Availability Zones (AZs) for high availability and durability... It provides massively parallel shared access to thousands of Amazon EC2 instances." This directly supports the use of EFS for shared access across multiple AZs.

2. Amazon EC2 User Guide for Linux Instances

"Amazon EBS volumes": This guide clarifies the limitation of EBS

stating

"EBS volumes are specific to an Availability Zone and can only be attached to instances in that same Availability Zone." This confirms why option C is incorrect.

3. Amazon EFS User Guide

"Mounting EFS file systems": This section explains how EFS works within a VPC: "You access your Amazon EFS file system from your VPC by connecting to a mount target... Traffic from your EC2 instance to the mount target is routed according to the VPC routing rules

" which ensures data stays within the VPC.

4. Amazon S3 User Guide

"What is Amazon S3?": This document defines S3 as "an object storage service" and notes that data is accessed via "the Amazon S3 REST API." This highlights the difference between S3's object-based access and the file-system access required by the scenario

making options A and B less suitable.

This solution correctly addresses both secure connectivity and granular access control with minimal operational overhead. A gateway VPC endpoint for Amazon S3 allows EC2 instances to access S3 using private IP addresses, keeping traffic within the AWS network and avoiding the public internet. This is more secure and cost-effective than using a NAT gateway.

An IAM instance profile attached to the EC2 instances is the standard method for granting permissions. The associated IAM policy can be configured to grant access only to specific S3 buckets, enforcing the principle of least privilege. By using wildcards in the bucket ARN (e.g., arn:aws:s3:::company-customer-), the policy can automatically apply to new customer buckets without modification, thus ensuring low operational overhead.

B: A NAT gateway routes traffic over the public internet to reach S3, which is less secure than a VPC endpoint. It also fails to specify how access control to specific buckets would be enforced.

C: While a gateway endpoint is correct, this option describes an incomplete policy. A Deny policy acts as a guardrail but does not grant permissions. An explicit Allow action is still required for the instances to access any buckets.

D: Using a NAT gateway is inefficient for this use case. Furthermore, managing individual bucket policies for every customer bucket creates significant operational overhead compared to managing a single IAM role policy.

1. AWS Documentation - VPC Endpoints for Amazon S3: "A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service... Gateway endpoints are supported for Amazon S3 and DynamoDB." This confirms the use of a gateway endpoint for private S3 access. (Source: AWS VPC User Guide

"Gateway VPC endpoints").

2. AWS Documentation - IAM Roles for Amazon EC2: "Applications must sign their API requests with AWS credentials. Therefore

if you are an application developer

you need a strategy for managing credentials for your applications that run on EC2 instances... We recommend that you use IAM roles for Amazon EC2." (Source: AWS IAM User Guide

"IAM roles for Amazon EC2").

3. AWS Documentation - Policies and Permissions in Amazon S3: "You can use wildcards () as part of the resource ARN... For example

you can use the following Resource element to grant permission to objects in a specific bucket where the object keys are prefixed with logs/." This supports using wildcards in an IAM policy for low-overhead management. (Source: Amazon S3 User Guide

"Policies and permissions in Amazon S3"

section on "Specifying resources in a policy").

4. AWS Documentation - aws:ResourceAccount Condition Key: "Use this key to compare the AWS account ID of the resource in the request with the account ID that you specify in the policy." While this key is valid for creating account-level guardrails

option C's reliance solely on a Deny policy makes it an incomplete solution for granting access. (Source: AWS IAM User Guide

"AWS global condition context keys").

This solution correctly addresses all requirements with the least operational effort. AWS Glue is a fully managed ETL service, which significantly reduces operational overhead compared to managing an Amazon EMR cluster. Creating a separate Glue job for each customer ensures logical separation. The requirement to encrypt data where it is processed and before storing it in Amazon S3 points to a client-side encryption strategy. Using client-side encryption with AWS KMS managed keys (CSE-KMS) allows the Glue job (the "client") to encrypt data using customer-specific KMS keys before writing the data to S3, fulfilling the encryption and key management requirements with minimal operational burden.

A: Server-side encryption with S3-managed keys (SSE-S3) does not use customer-specific keys, failing a key requirement.

B: Amazon EMR requires more operational effort than AWS Glue. Furthermore, using a custom client-side root key (CSE-Custom) adds significant key management overhead.

D: Amazon EMR has higher operational overhead than AWS Glue. Also, server-side encryption (SSE-KMS) encrypts data upon arrival at S3, not necessarily during processing on the cluster itself.

1. AWS Glue Developer Guide - Security configurations on the AWS Glue console: "You can use security configurations to encrypt your data at rest... When you specify a security configuration for an AWS Glue job

you can specify a KMS key to encrypt at-rest data that is written to local disks by ETL jobs when spilling data." This supports encrypting data "where it is processed".

2. Amazon S3 User Guide - Protecting data using client-side encryption: "Client-side encryption is the act of encrypting your data locally... The AWS Encryption SDK supports client-side encryption with AWS KMS." This document explains that the application (in this case

the AWS Glue job script) performs encryption before upload

which aligns with the CSE-KMS strategy.

3. AWS Glue FAQs: "AWS Glue is a fully-managed ETL service that makes it simple and cost-effective to categorize your data... You don’t need to create and manage the infrastructure." This confirms that AWS Glue is the choice for the least operational effort compared to Amazon EMR.

The most effective and secure method to grant granular AWS permissions to specific pods within an Amazon EKS cluster is by using IAM Roles for Service Accounts (IRSA). This approach adheres to the principle of least privilege. The solution involves creating distinct Kubernetes service accounts for the UI and the data services. Corresponding IAM roles are then created, one with a policy granting only DynamoDB access and the other with a policy granting only S3 access. Each service account is configured to assume its respective IAM role. When a pod is deployed with a specific service account, it automatically receives temporary credentials for the associated IAM role, ensuring it can only access the intended AWS service.

A: Attaching policies to the EC2 instance profile grants permissions to all pods on that node, which violates the principle of least privilege as the UI pod could access S3 and vice-versa.

B: IAM policies cannot be attached directly to EKS pods. Policies are associated with IAM identities (like roles), which pods can then assume via a service account.

D: This option correctly identifies the IRSA mechanism but incorrectly maps the permissions. It grants S3 access to the UI and DynamoDB access to the data services, which is the reverse of the stated requirement.

1. AWS EKS User Guide

"IAM roles for service accounts": This document states

"With IAM roles for service accounts

you can associate an IAM role with a Kubernetes service account. This service account can then provide AWS permissions to the containers in any pod that uses that service account." This directly supports the mechanism of associating a role with a service account as described in the correct answer. (Source: AWS Official Documentation

Amazon EKS User Guide

Section: Identity and access management > IAM roles for service accounts).

2. AWS EKS Best Practices Guides

"IAM Roles for Service Accounts (IRSA)": This guide explicitly recommends

"We recommend using IAM Roles for Service Accounts (IRSA) to assign IAM permissions to your pods." It further warns against attaching permissions to nodes: "Avoid assigning IAM permissions directly to nodes. This would grant those permissions to any pod that is scheduled on that node." This directly refutes option A and endorses the approach in option C. (Source: AWS Official Documentation

Amazon EKS Best Practices Guide for Security

Section: Identity and Access Management > IAM Roles for Service Accounts (IRSA)).

3. AWS Whitepaper

"Amazon Elastic Kubernetes Service (EKS) running on AWS Fargate Security Overview": While focused on Fargate

the principle is identical for EC2 nodes. Page 10 discusses IRSA

explaining that it allows for "fine-grained permission management" by associating IAM roles with Kubernetes service accounts

which is the core concept of the correct solution. (Source: AWS Whitepapers & Guides

Document ID: AWS-EKS-Fargate-Security-Overview-2020

Page 10

Section: IAM Roles for Service Accounts).

The scenario requires DNS queries originating from an on-premises network to be resolved for resources within an AWS VPC. Amazon Route 53 Resolver is the service designed for this hybrid cloud DNS integration. An inbound endpoint for Route 53 Resolver provides one or more elastic network interfaces (ENIs) within the VPC. The on-premises DNS server can then be configured to conditionally forward DNS queries for the VPC's domain to the IP addresses of these ENIs. The inbound endpoint allows Route 53 Resolver to receive these queries from the on-premises network over the Direct Connect connection and resolve them using the VPC's DNS.

A. AWS Verified Access is a service for providing secure, VPN-less access to corporate applications. It is not a general-purpose DNS resolution service for hybrid networks.

B. AWS Direct Connect provides the private network connectivity between the on-premises data center and the VPC, but it does not have built-in DNS resolution capabilities.

C. A Route 53 Resolver outbound endpoint is used for the opposite direction: forwarding DNS queries from the VPC to an on-premises DNS server.

1. Amazon Route 53 Developer Guide: Under the section "Resolving DNS queries between VPCs and your network

" it states

"To forward DNS queries from your network to Route 53 Resolver

you create a Route 53 Resolver inbound endpoint in a VPC... Then you configure your on-premises DNS resolver to forward the applicable DNS queries to the IP addresses for the inbound endpoint." (See: How Route 53 Resolver works with your network).

2. Amazon Route 53 Developer Guide: The guide clarifies the function of endpoints: "Inbound Resolver endpoints allow DNS queries to your VPC from your on-premises network or another VPC." (See: Managing Resolver endpoints).

3. AWS Documentation - What is AWS Verified Access?: This service is described as one that "provides secure access to your corporate applications without requiring a VPN." This confirms it is an application access service

not a DNS resolver. (See: AWS Verified Access User Guide

Introduction).

4. AWS Documentation - What is AWS Direct Connect?: This service is defined as a way "to establish a dedicated network connection from your premises to AWS." It is a networking service

not a DNS service. (See: AWS Direct Connect User Guide

Introduction).

The requirement is to encrypt personally identifiable information (PII) at rest for an application running on Amazon EC2 and its Amazon RDS database, with minimal infrastructure changes. Amazon EBS encryption is a native feature that encrypts data at rest for volumes attached to EC2 instances. Similarly, Amazon RDS encryption encrypts the underlying database storage, automated backups, read replicas, and snapshots. Both services seamlessly integrate with AWS Key Management Service (KMS) to manage the encryption keys. Enabling these features is a straightforward configuration change, directly addressing the compliance requirement for both tiers of the application with the least operational overhead.

A. AWS Certificate Manager (ACM) provides and manages SSL/TLS certificates for securing network communications (data in transit), not for encrypting data at rest on storage volumes.

B. AWS CloudHSM provides dedicated hardware security modules. While it can be used for encryption, it is a more complex and costly solution, violating the "least amount of changes" requirement.

C. This option incorrectly combines SSL encryption, which is for data in transit, with the task of encrypting database volumes at rest. SSL does not encrypt the underlying storage.

1. Amazon EBS encryption: "Amazon EBS encryption is a feature that offers a simple encryption solution for your EBS volumes without you having to build

maintain

and secure your own key management infrastructure. It uses AWS Key Management Service (AWS KMS) keys when creating encrypted volumes and snapshots."

Source: AWS Documentation

Amazon EC2 User Guide for Linux Instances

"Amazon EBS encryption"

Section: "How EBS encryption works".

2. Amazon RDS encryption: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your DB instance. After your data is encrypted

Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption... Amazon RDS uses AWS Key Management Service (AWS KMS) to manage the encryption keys for your encrypted DB instances."

Source: AWS Documentation

Amazon RDS User Guide

"Encrypting Amazon RDS resources".

3. AWS KMS Integration: "AWS KMS integrates with many AWS services to help you protect the data that you store in those services. When you use an AWS service that is integrated with AWS KMS

you can use the service to encrypt your data."

Source: AWS Documentation

AWS Key Management Service Developer Guide

"How AWS services use AWS KMS".

4. AWS Certificate Manager Purpose: "AWS Certificate Manager is a service that lets you easily provision

manage

and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources."

Source: AWS Documentation

AWS Certificate Manager User Guide

"What is AWS Certificate Manager?".

The solution requires an API that supports robust user authentication and authorization, geographic access restriction, and minimal latency for users in the United States.

Amazon API Gateway REST APIs are better suited for this scenario than HTTP APIs because they offer more comprehensive, built-in features for authentication and authorization, such as IAM permissions, Cognito user pools, and Lambda authorizers.

To restrict access based on geography, AWS WAF is the appropriate service. A WAF geographic match rule can be configured to allow requests only from the United States. For a regional API Gateway endpoint, the AWS WAF web ACL must be deployed in the same AWS Region as the API. Deploying this regional API in a US region ensures minimal latency for the target user base.

B. This is incorrect. For a regional resource like an API Gateway HTTP API, the AWS WAF web ACL must be configured in the same Region, not a different one.

C. This describes a configuration for an edge-optimized API deployed in a region other than us-east-1. While valid, a regional API (as implied in option A) is a more direct and standard solution that fully meets the requirements.

D. While the WAF configuration is technically correct for an HTTP API, REST APIs provide a richer feature set for the specified "user authentication and authorization" requirements, making them the superior choice.

1. AWS Documentation - Choosing between HTTP APIs and REST APIs: "REST APIs provide a wide array of features for building and managing APIs... If you need features such as API keys

per-client throttling

request validation

AWS WAF integration

or private API endpoints

use a REST API." This supports the choice of a REST API for its richer feature set related to authorization.

Source: AWS API Gateway Developer Guide

"Choosing between HTTP APIs and REST APIs."

2. AWS Documentation - Associating a web ACL with an AWS resource: "For Amazon API Gateway

you can associate a web ACL with a regional API or an edge-optimized API... For a regional API

you must create your web ACL in the same AWS Region as your API." This confirms that for a regional API

the WAF must be in the same region

validating the configuration in option A and invalidating option B.

Source: AWS WAF Developer Guide

"Associating or disassociating a web ACL with an AWS resource."

3. AWS Documentation - Geographic match rule statement: "A geographic match rule statement inspects the source IP address of a web request against a list of countries that you specify." This confirms WAF's capability to meet the geographic restriction requirement.

Source: AWS WAF Developer Guide

"Rule statement basics

" section "Geographic match rule statement."

4. AWS Documentation - Choosing an API Gateway API endpoint type to set up: "Regional API endpoints are intended for clients in the same AWS Region. When clients are in the same Region as the API

a Regional API reduces connection overhead." This supports that a regional endpoint in the US provides low latency for US-based clients.

Source: AWS API Gateway Developer Guide

"Choosing an API Gateway API endpoint type to set up."

This solution provides the highest level of security by implementing a defense-in-depth strategy. Placing the Amazon RDS cluster in private subnets ensures it is not directly accessible from the public internet, which is a fundamental security best practice for databases. An AWS Site-to-Site VPN establishes a secure, encrypted IPsec tunnel between the company's on-premises office and the AWS VPC. This allows the desktop clients to communicate with the RDS cluster over a private, encrypted connection as if it were on the local network, without exposing any resources to the public internet. This combination of network isolation (private subnets) and encrypted transit (VPN) represents the most secure architecture for the given requirements.

A. Placing the RDS cluster in public subnets exposes it to the internet, which is a significant and unnecessary security risk, even with a VPN.

C. This option is incomplete. Security groups alone cannot establish connectivity from an on-premises network to private subnets within a VPC; a VPN or AWS Direct Connect is required.

D. This is the least secure option. It places the database in public subnets and relies only on security groups for network filtering, creating a direct attack surface on the internet.

1. AWS Documentation - Amazon RDS User Guide: Under "Security in Amazon RDS

" the section "Using Amazon RDS with Amazon VPC" states

"A common strategy is to have a public subnet with a web server that has access to the internet

and a private subnet with no internet access that contains your DB instances... We recommend that you run your DB instance in a private subnet." This supports placing RDS in private subnets for security.

2. AWS Documentation - AWS Site-to-Site VPN User Guide: The "What is AWS Site-to-Site VPN?" section explains

"By default

instances that you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection..." This confirms VPN is the correct tool for secure on-premises to VPC connectivity.

3. AWS Whitepapers - "Amazon Virtual Private Cloud Connectivity Options": This whitepaper details connectivity patterns. In the section "AWS Managed VPN

" it describes the service as a way to "establish an encrypted connection between your on-premises network and your Amazon VPCs over the internet." This validates the use of a VPN for secure

private communication.

4. AWS Documentation - Amazon VPC User Guide: The "Subnets for your VPC" section clarifies the distinction: "Resources in a private subnet can't be accessed from the internet." This reinforces why databases should be placed in private subnets to meet the "MOST securely" requirement.

The primary requirement is to migrate a Microsoft SQL Server database to AWS while optimizing costs. Babelfish for Aurora PostgreSQL is a capability of Amazon Aurora PostgreSQL-Compatible Edition that allows it to understand the SQL Server wire protocol (TDS) and T-SQL dialect. This enables migration from SQL Server to the cost-effective, open-source-compatible Aurora PostgreSQL engine with minimal to no application code changes. By moving away from the commercial SQL Server engine, the company eliminates expensive licensing fees, which is the most significant factor in cost optimization for this scenario. Aurora's managed nature also reduces operational overhead compared to self-managed solutions.

A. Migrating to SQL Server on EC2 still requires paying for Microsoft SQL Server licenses and adds the operational burden of managing the instance, making it less cost-optimized.

C. A direct migration to PostgreSQL on EC2 would require significant, costly application refactoring and schema conversion, and lacks the benefits of a managed database service.

D. Amazon RDS for Microsoft SQL Server is a managed service but still incurs licensing costs for the commercial SQL Server engine, failing to meet the primary goal of cost optimization.

1. AWS Documentation

"Working with Babelfish for Aurora PostgreSQL": In the section "What is Babelfish for Aurora PostgreSQL?"

it states

"With Babelfish

Aurora PostgreSQL now understands T-SQL

Microsoft SQL Server's proprietary SQL dialect

and supports the same communications protocol

so your apps that were originally written for SQL Server can now work with Aurora with fewer code changes." This confirms its suitability for migrating SQL Server applications.

2. AWS Documentation

"Migrating a SQL Server database to Babelfish for Aurora PostgreSQL": The overview section of this guide highlights the benefits

which include "Stop paying for expensive and restrictive database licenses." This directly addresses the cost optimization requirement of the question.

3. AWS Database Blog

"Modernize Microsoft SQL Server to Amazon Aurora with Babelfish": This article explains the value proposition: "Babelfish for Aurora PostgreSQL reduces the risk of migration projects by reducing the amount of code you have to change... It also helps you stop paying for expensive database licenses." This reinforces that Babelfish is the optimal path for cost-effective SQL Server modernization.

4. AWS Documentation

"Amazon Aurora Pricing": This page details the pricing for Aurora

which does not include commercial license fees

unlike RDS for SQL Server. It highlights cost-effectiveness through features like I/O-Optimized configurations and pay-per-use models

contrasting with the fixed licensing costs of commercial databases.