A company manages multiple AWS accounts and wants to provide access to AWS from a single management account using an existing on-premises Microsoft Active Directory domain. Which solution will meet these requirements with the LEAST amount of effort?
A.
Create an Active Directory connector using AWS Directory Service. Create IAM users in the target accounts with the appropriate trust policy.
B.
Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
C.
Create an Amazon Cognito federated identity pool. Associate the pool identity with the on-premises directory. Configure the IAM roles with the appropriate trust policy.
D.
Create an identity provider in AWS IAM associated with the on-premises directory. Create IAM roles in the target accounts with the appropriate trust policy.
Option B provides a straightforward and efficient way to achieve the goal of providing access to AWS from a single management account using an existing on-premises Microsoft Active Directory domain with the least amount of effort.
Correct Answer: B
AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS.
"D" is right too, but the question is asking for the LEAST amount of effort.
B. Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
B
"AWS SSO is an AWS service that makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO allows you to create and manage user identities in AWS SSO's identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory (Azure AD)."
I will vote for B. (IAM & AD FS not required)
With AWS Microsoft AD, you can grant your on-premises users permissions to resources such as the AWS Management Console instead of adding AWS Identity and Access Management (IAM) user accounts or configuring AD Federation Services (AD FS) with Security Assertion Markup Language (SAML)
https://aws.amazon.com/blogs/security/how-to-access-the-aws-management-console-using-aws-microsoft-ad-and-your-on-premises-credentials/
https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html
With SSO, you basically manage users and groups inside SSO, not roles in IAM.
I prefer B
I agree with MrDEVOPS. That is the correct way to connect AD, but best practice is to use roles, not users. B is wrong because it's not user access. C is wrong because Cognito is Google/Facebook/Twitter for apps. D is very vague on the setup apart from the roles part.
100% agree.
-A seems the best choice.
-Why not D? Because comparing 'identity provider' in choice D with 'AD connector' in choice A, we can see that the identity provider is a third party's but the AD connector is AWS-owned. Absolutely we should choose AD connector here :-)
-Why not B? Because 'AD Connector' is simpler than 'AD Connector + SSO', and the question asks for a solution 'with the LEAST amount of effort'.
Sorry, here is another link which I think is more reasonable. Both A & B have a 'create user' statement, but actually the only thing created is a role that can be assumed by the user. From the link below, D might be the most suitable answer.
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
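Several comments above turn on the difference between option A (IAM users with long-lived credentials) and options B/D (roles assumed through federation, "the appropriate trust policy"). The block below is an added example, not code from the thread or from AWS: it embeds a constructed trust policy of the kind option D needs for an AD FS SAML provider, a constructed weak variant, and a small check that flags the two mistakes a practitioner most often sees when reviewing such roles. The account ID `123456789012`, the provider name `ADFS` and the user `alice` are placeholders; the condition key `SAML:aud` and the value `https://signin.aws.amazon.com/saml` are the ones AWS documents for the commercial partition.

```python
"""Check an IAM role trust policy meant for SAML federation (option D).

Added example for this thread; not from the original page. The ARNs below
are placeholders chosen for illustration.
"""
import json

# Audience AWS puts in SAML assertions for the commercial partition.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample: only the named SAML provider may assume the role, and
# only with an assertion whose audience is the AWS sign-in endpoint.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ADFS"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
})

# Constructed weak sample: the SAML statement has no audience condition, and a
# second statement lets an IAM user assume the role, which brings back the
# long-lived access keys that option A would have created.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ADFS"},
            "Action": "sts:AssumeRoleWithSAML",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
            "Action": "sts:AssumeRole",
        },
    ],
})


def _as_list(value):
    """IAM allows a bare string wherever a list is accepted; normalise."""
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy_json, expected_provider_arn):
    """Return a list of findings; an empty list means the policy looks right.

    Rules applied to every Allow statement:
      * Principal must be a map (a bare "*" would trust anyone).
      * sts:AssumeRoleWithSAML must name exactly the expected provider and
        carry a StringEquals SAML:aud condition for the AWS audience.
      * Any other action (e.g. sts:AssumeRole for an IAM user) is flagged,
        because the role is supposed to be reachable only via federation.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: wildcard or non-map principal {principal!r}")
            continue
        if "sts:AssumeRoleWithSAML" in actions:
            federated = _as_list(principal.get("Federated", []))
            if federated != [expected_provider_arn]:
                findings.append(f"statement {idx}: unexpected federated principal {federated}")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append(f"statement {idx}: missing or wrong SAML:aud condition")
        else:
            findings.append(f"statement {idx}: allows {actions} for non-SAML principal {principal}")
    return findings


if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/ADFS"
    print("good:", check_saml_trust_policy(GOOD_TRUST_POLICY, provider))
    print("weak:", check_saml_trust_policy(WEAK_TRUST_POLICY, provider))
```

Run against the constructed samples, the good policy yields no findings and the weak one yields two (missing audience condition, and an extra `sts:AssumeRole` path for an IAM user). In a real review you would feed in the output of `aws iam get-role` for each federated role in each target account; for GovCloud or China-partition accounts the expected audience differs and the constant must be changed accordingly.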