Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 319 discussion

I think this question is not really about Active Directory or AD Connector. A secure VPN connection is all you need in this question. The company has hardware can be used to establish an AWS S2S connection. In order to have a secure connection, the first thing you have to do is to implement a VPN connection between on-premise and target VPC. So C is the answer.

You cannot join an EC2 to On-prem AD just over the VPN. You should be having an AD connector for the same. https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

✅ No need for a bastion host or VPN: AWS Systems Manager Fleet Manager enables secure RDP access without exposing instances to the internet. ✅ Cost-effective: No need for dedicated bastion hosts or Remote Desktop Gateway instances. AD Connector is cheaper than a fully managed AWS Directory Service. ✅ Seamless Active Directory integration: IAM Identity Center (AWS SSO) can integrate with on-premises AD via AD Connector. Users authenticate with existing AD credentials. ✅ More secure than direct RDP over VPN or bastion hosts: No public RDP exposure. No need for additional infrastructure like Remote Desktop Gateway.

IDC SSO + AWS Directory Service fof MS AD connector.

AWS IAM Identity Center (SSO) with On-Prem AD Authentication AD Connector allows AWS services and applications to authenticate users against on-prem Active Directory. When Not to Use AD Connector ❌ If you require high availability, since AD Connector depends on a stable connection to on-prem AD. ❌ If you need Group Policy Object (GPO) support in AWS, as AD Connector does not provide this. ❌ If you need Kerberos authentication or NTLM authentication within AWS, as it only forwards authentication requests. ❌ If you require full AD domain replication, consider AWS Managed Microsoft AD instead.

On-prem AD joining via VPN is the most cost effective compared to AD connector

Once VPN connectivity is established between on-prem and AWS. RDP should be sufficient to connect. Secure Remote Desktop connectivity: The VPN provides a secure, encrypted tunnel for RDP traffic between the on-premises network and the EC2 instances in the VPC. Integration with on-premises Active Directory: By joining the EC2 instances to the existing on-premises Active Directory domain, you leverage the centralized user management that's already in place.

The requirement is to use the on-prem AD integrated with the EC2. Although with VPN, RDP can't be established but the AD sync is not possible within EC2 without AD connector. Hence the right answer is B.

Questin aks to use the existing S2S Vpn. The Site-to-Site VPN ensures secure communication between the on-premises environment and the AWS VPC without exposing the EC2 instances to the internet. I will go with C

B would be correct if we were not told that hardware for creating a VPN is available.

B This solution integrates centralized user management with the company's on-premises Active Directory, meets the requirement of secure Remote Desktop connectivity, and is cost-effective. Configuring AWS Single Sign-On (SSO) with the AD Connector allows users to access EC2 Windows instances using their existing Active Directory credentials, which eliminates the need for additional infrastructure or configuration. Using Systems Manager Fleet Manager to access the target instances through RDP provides a secure and managed way to connect to EC2 instances without requiring a Remote Desktop Gateway or a bastion host.

Solution C is the most cost-effective: Implement a VPN between the on-premises environment and the target VPC, join the EC2 instances to the on-premises Active Directory domain over the VPN, configure RDP access through the VPN, and connect from the company's network. This approach leverages existing infrastructure, requires no additional managed services, utilizes existing hardware for the VPN, and provides direct connectivity without bastion hosts, minimizing costs.

1) using AD connector, AWS cloud IAM is authenticated against the on prem AD. extra Managed AD in AWS cloud is not required. 2) A cost effective, secure remote desktop setup is achieved with a fleet manager, accessed via console by IAM identity centre login against the on prem AD. Saving the cost of bastion host , vpn gateway or rdp gateway.

just c

I do not see any reasons why C would not work. And it is simpler than B.

C is the cheapest option

For me it's C. No need to Managed AD Connector. We have already a VPN, so we can leverage to spend less.