Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 470 discussion

A is correct. B is incorrect because WAF web ACLs don't work with Amazon Workspaces. A web access control list (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, and AWS Verified Access resources. https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html

This is not usecase of AWS Firewall Manager and web ACL, and A work

B. AWS Firewall Manager and web ACL: While this could work, it is generally used for managing rules across multiple AWS accounts and resources, which might be an overcomplication for this specific use case. It is more complex to set up and manage compared to IP access control groups.

From an operational simplicity point of view (which is what is required) it is clearly B. It is much easier to manage IPs with Firewall manager than in a custom way, which by the way remains vague. For me, the correct answer is B.

Answer: A From the AWS Console: "Create an IP access control group that you can add to a WorkSpaces Directory. Users will only be able to access WorkSpaces from these IP addresses."

A https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html

Using AWS Firewall Manager to create a web ACL rule with an IPSet containing the list of public addresses from the branch office locations and associating it with the WorkSpaces directory is the most operationally efficient solution. AWS Firewall Manager allows you to centrally manage and apply web access control lists (web ACLs) across multiple AWS resources, including WorkSpaces. This approach ensures that the access control policy is consistently applied across the WorkSpaces environment, and it can be easily updated as the company adds a new branch office location in the next 6 months.

According to ChatGPT: "Among these options, option B, using AWS Firewall Manager to create a web ACL rule with an IPSet, offers the most operational efficiency. It allows for centralized management of access control rules across multiple WorkSpaces and easily scales to accommodate future changes, such as adding a new branch office. Additionally, it aligns with the company's security policy by restricting access based on IP addresses. Therefore, option B is the best choice."

A https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces-ip-access-control-groups.html

Correct answer is A.

correct answer A , need to add ip public for the branch offices to restrict access from branch offices only

A is the correct answer. It is the most operationally efficient as it uses IP access control groups.

Trust me