AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A financial-services company needs to migrate its legacy SFTP server to AWS. External partners must continue to authenticate by using credentials that reside in the company's on-premises Microsoft Active Directory (AD). A key security requirement is that all file-transfer traffic from the partners' data centers must traverse the existing AWS Direct Connect connection and must never traverse the public internet. The solution must also be highly available.
Deploy an AWS Transfer Family server configured with a VPC-hosted (VPC-Internal) endpoint type that uses AWS Directory Service as its identity provider. Deploy an AD Connector across two Availability Zones to connect to the on-premises Active Directory. Place the endpoint's network interfaces in private subnets in the same Availability Zones.
Configure an AWS Transfer Family server with a publicly accessible endpoint. Use AWS WAF to allow only the partners' public IP addresses and use an AD Connector for authentication.
Deploy an AWS Transfer Family server with a VPC-hosted endpoint and use the service-managed user directory to create separate partner accounts that are synchronized manually from the on-premises Active Directory.
Deploy an AWS Storage Gateway in File Gateway mode on-premises. Point the partners to the gateway's SMB endpoint to upload files directly to Amazon S3.
Use AWS Transfer Family with a VPC-hosted (VPC-Internal) endpoint so that the server is reachable only over private IP addresses that can be routed through Direct Connect. Integrate the server with AWS Directory Service by deploying an AD Connector in two subnets across separate Availability Zones. AD Connector proxies authentication requests to the on-premises AD without storing credentials in AWS and is created in a Multi-AZ configuration by default, providing high availability. This design meets the private-traffic requirement, reuses existing AD credentials, and relies entirely on managed services with minimal operational overhead.
A public or VPC-Internet endpoint would still expose the service over the internet. A service-managed identity store would break the AD-integration requirement. AWS Storage Gateway (File Gateway) does not provide an SFTP interface, so it cannot satisfy the protocol requirement.
Accelerate Workload Migration and Modernization