Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 326 discussion

I support B as well per this link where EC2 is recommended: https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html

B is correct. The question mention "Windows EC2", no "Windows user desktops". Maybe the Windows EC2 can be Windows Servers.

This is so tough. The docs state if youre using more than 5 workspaces its better to manage security through a centralized EC2 instance which leads towards B. The question makes no claims of how big the environment is but it eludes to it being small by saying 'A workspace' which would mean just 1 user since its scoped to user. Nothing in the question highlights more than 5 or large teams either. It explicitly states managed services wherever possible. The workspace meets all of the technical requirements. It just doesnt scale well but the overhead for cost is minimal for a large organization, just a few dollars a workspace a month. Im going to assume if it was very large they would tell us and not pick 'a workspace' but rather say 'workspaces'. Going with A. Really tough one with the ambiguity.

I correct my answer after more searches It aligns with AWS best practices for centralized, robust AD administration using an Amazon EC2 instance. Why A (WorkSpaces) is not the best: Even though it's possible to install AD tools on a WorkSpace, AWS recommends against it for anything beyond minimal scale (5+ WorkSpaces). It’s less robust than using a dedicated EC2 instance. Choose Option B because: It uses AWS Managed Microsoft AD (required for MFA and full AD support). It aligns with AWS best practices for centralized, robust AD administration using an Amazon EC2 instance.

Going with A. The company wants to use managed AWS services wherever possible, its explicitly stated. The scope of tasks is well defined and small. I suspect the recommendation is for larger deployments it wouldn't have said 'for MFA' and highlight such lightweight services. https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html

A and B both work, but A is definitely more managed, so it has to be A

This is the most secure, scalable, and cost-effective solution that meets all of the technical and operational requirements.

The other options either lack required features (Simple AD options) or use less managed services (EC2 options), making them less suitable for the company's requirements.

There is nothing in the requirements that remotely sways to Workspaces. Amazon Workspaces is costly, requires support to implement/maintain, and is much more complex.

The question does mention EC2 specifically, which makes the WorkSpaces solution a little less direct. However, the requirement to use managed AWS services "wherever possible" strongly suggests WorkSpaces for MFA. It's the most managed way to get that done. So, while EC2 is mentioned, the emphasis on managed services and the need for MFA makes WorkSpaces the most likely answer. It's a trade-off, but the question is probably prioritizing managed services over strict adherence to only using EC2 for everything.

use AWS managed services wherever possible. While both A and B are feasible, A matches the question at most.

The company wants to use managed AWS services wherever possible. https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html You'll perform most administrative tasks for your WorkSpaces directory using directory management tools, such as the Active Directory Administration Tools. However, you'll use the WorkSpaces console to perform some directory-related tasks.

B is right The company wants to join all Windows EC2 instances to an Active Directory domain on AWS, which requires a full-featured Active Directory service. Using AWS Directory Service for Microsoft Active Directory (Enterprise edition) meets this requirement by providing a managed directory service that can be used to manage and secure EC2 instances. Launching an EC2 instance allows the development team to configure and test domain security configurations in a controlled environment, which is essential for ensuring the correct configuration of the Active Directory

Option A meets the requirements by using AWS Directory Service for Microsoft Active Directory, a managed service for hosting a full Active Directory domain. It also leverages Amazon WorkSpaces, a managed desktop service supporting MFA, for secure administrative access to configure the Active Directory domain, aligning with the company's preference for managed AWS services. Option B: While creating an AWS Directory Service for Microsoft Active Directory implementation is correct, launching an EC2 instance for domain security configuration tasks is not the most suitable approach. EC2 instances require additional management overhead, and the company wants to use managed services wherever possible.

Add a vote to B as it is dangerously swaying to A. The EC2 instances referred to should be the managed domain controller to manage EC2 instances that join the domain, to push down GPO policies etc. You can launch more than one for HA. https://aws.amazon.com/blogs/security/how-to-increase-the-redundancy-and-performance-of-your-aws-directory-service-for-microsoft-ad-directory-by-adding-domain-controllers/

Answer is A: Amazon WorkSpaces is a managed desktop-as-a-service solution that aligns with the requirement to use managed services: - Provides a managed alternative to running EC2 instances - Integrates seamlessly with AWS Managed Microsoft AD. - Reduces administrative overhead compared to managing EC2 instances

B is correct, it is application infrastructure, not for desktop.