Acme Corp needs to securely access a third-party SaaS application, hosted by Initech Solutions within AWS, via private API calls from their VPC, adhering to strict security policies prohibiting internet traffic and external access, with all permissions following least privilege principles. Which solution meets Acme Corp's secure access requirements?