Exam AWS Certified Database - Specialty topic 1 question 62 discussion

This question was asked in my exam. B,C and F seems the correct options.

C. ...to create an AWS Managed Microsoft AD. Create a trust relationship... E. ... to create an AD Connector. Create a trust relationship... Both option are correct. We should use AWS Managed Microsoft AD when have > 5000 users. We should use AD Connector or Simple AD when have < 5000 users. The question is not complete, or one of these answers should be excluded. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_best_practices.html

https://aws.amazon.com/blogs/security/how-to-enable-windows-integrated-authentication-for-rds-for-sql-server-using-on-premises-active-directory/#:~:text=The%20setup%201%20Step%201%3A%20Set%20up%20RDS,between%20your%20VPC%20domain%20and%20your%20on-premises%20domain

To fulfill the Security department's requirement for internal users to connect to the Amazon RDS for SQL Server DB instance using their corporate Active Directory credentials

Answer:BCF

x A. Disable Transparent Data Encryption (unrelated) B. Modify the RDS SQL Server DB instance to use the directory for Windows authentication. Create appropriate new logins.(would need reboot) C. Use the AWS Management Console to create an AWS Managed Microsoft AD. Create a trust relationship with the corporate AD. x D. Stop the RDS SQL Server DB instance, modify it to use the directory for Windows authentication, and start it again. Create appropriate new logins. (stop-start should be at end, not first) x E. Use the AWS Management Console to create an AD Connector. Create a trust relationship with the corporate AD. F. Configure the AWS Managed Microsoft AD domain controller Security Group.

I got this Question in exam.

Ans: BCF

BCF C&F is confirmed. Choosing B over D because modifying the RDS to enable windows authentication must be done when the RDS is in available status though it will be rebooted for it to take effect.

BCF is the answer - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerWinAuth.html

BCF. No restart required. Connector is a proxy, no trust relationship can be established with it.

Ans: BEF

Sorry i made a mistake. According to https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings , modifying domain or directory id parameter in AWS RDS SqlServer requires a bried outage . So correct answers are : C , D , F .

I would also vote for BCF. Nobody doubt that C anf F are correct. Regarding my choice B ( B or D ? ). We need to configure an existing DB ( stated in the question). According to https://aws.amazon.com/blogs/database/joining-your-amazon-rds-instances-across-accounts-to-a-single-shared-domain/ , there is no need to stop the RDS to join it to an AD ( step 3 )

CDF Here https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerWinAuth.html

Answer is BDE

I will go with CDF https://www.powerupcloud.com/integrate-aws-sql-server-rds-with-multiple-ad/ https://www.sqlshack.com/advanced-windows-authentication-configurations-in-aws-rds-sql-server/ https://aws.amazon.com/blogs/security/how-to-enable-windows-integrated-authentication-for-rds-for-sql-server-using-on-premises-active-directory/ https://aws.amazon.com/blogs/aws/amazon-rds-for-sql-server-support-for-windows-authentication/