Networking & Content Delivery

AWS Client VPN

AWS Client VPN is an OpenVPN-based service from AWS. It lets anyone with the correct permissions create a network path into your VPC. While this is typically a good thing, Client VPN can also act as an end-run around the corporate VPN if your VPCs leverage Direct Connect or Site-to-Site VPN. Because it can leverage AWS Active Directory, it can be configured independently of your corporate identity system and provide back doors for third parties and departed employees.
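One way to check for endpoints that authenticate outside the corporate identity system, as an added example (not AWS's or this page's code). It reads a response in the shape returned by the EC2 `DescribeClientVpnEndpoints` API; the sample data, the IDs in it and the approved SAML provider ARN are constructed assumptions.

```python
# Assumption: the corporate IdP is registered in IAM under this (constructed) SAML provider ARN.
APPROVED_SAML = {"arn:aws:iam::111122223333:saml-provider/corp-idp"}

# Constructed sample, shaped like a DescribeClientVpnEndpoints response.
SAMPLE = {"ClientVpnEndpoints": [
    {"ClientVpnEndpointId": "cvpn-endpoint-example-a1", "VpcId": "vpc-example-1",
     "Status": {"Code": "available"},
     "AuthenticationOptions": [
         {"Type": "certificate-authentication"},
         {"Type": "federated-authentication", "FederatedAuthentication": {
             "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/corp-idp"}}]},
    {"ClientVpnEndpointId": "cvpn-endpoint-example-a2", "VpcId": "vpc-example-2",
     "Status": {"Code": "available"},
     "AuthenticationOptions": [
         {"Type": "directory-service-authentication",
          "ActiveDirectory": {"DirectoryId": "d-0000000000"}}]},
    {"ClientVpnEndpointId": "cvpn-endpoint-example-a3", "VpcId": "vpc-example-2",
     "Status": {"Code": "deleted"},
     "AuthenticationOptions": [{"Type": "certificate-authentication"}]},
    {"ClientVpnEndpointId": "cvpn-endpoint-example-a4", "VpcId": "vpc-example-3",
     "Status": {"Code": "pending-associate"},
     "AuthenticationOptions": [{"Type": "certificate-authentication"}]},
]}


def audit_endpoints(response, approved_saml):
    """Return (endpoint_id, vpc_id, reason) for endpoints not tied to the approved IdP."""
    findings = []
    for ep in response.get("ClientVpnEndpoints", []):
        if ep.get("Status", {}).get("Code") in ("deleting", "deleted"):
            continue  # endpoint is gone or going away
        opts = ep.get("AuthenticationOptions", [])
        reasons = []
        for opt in opts:
            kind = opt.get("Type")
            if kind == "directory-service-authentication":
                directory = opt.get("ActiveDirectory", {}).get("DirectoryId", "unknown")
                reasons.append(f"directory: {directory}")
            elif kind == "federated-authentication":
                arn = opt.get("FederatedAuthentication", {}).get("SamlProviderArn")
                if arn not in approved_saml:
                    reasons.append(f"unapproved SAML provider: {arn}")
        # Certificates alone carry no user identity, so offboarding does not revoke access.
        if not reasons and all(o.get("Type") == "certificate-authentication" for o in opts):
            reasons.append("no user-based authentication")
        findings.extend((ep["ClientVpnEndpointId"], ep.get("VpcId"), r) for r in reasons)
    return findings
```

Against a live account, the same function accepts the dictionary returned by boto3's `describe_client_vpn_endpoints()` for each region in use.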

Amazon Virtual Private Cloud (VPC)

VPCs are a fundamental building block in AWS. VPCs allow you to specify your own IP range. Many AWS resources must be deployed into a VPC, and VPCs control the network security for those resources. VPCs can be connected to your corporate networks through Direct Connect or VPN, and thus can be a back-door path into your enterprise.