Exam AWS Certified Security - Specialty topic 1 question 64 discussion

A and D are correct. Deploy a new forest/domain on AWS with one-way trust. If you are planning on leveraging credentials from an on-premises AD on AWS member servers, you must establish at least a one-way trust to the Active Directory running on AWS. In this model, the AWS domain becomes the resource domain where computer objects are located and on-premises domain becomes the account domain. Ref: https://d1.awsstatic.com/whitepapers/adds-on-aws.pdf

It's A&D "The direction of trust is opposite to the direction of access. Trust relationship from A to B, will give B's users access to A" Thanks Josellama2000

Correct answers are AD. Cut the crap.

B & C is correct answer. B is creating a new Active Directory Service. C & D bulid trust between existing Active Directory Service and New Directory Service. C is trust from existing AD to New AD. So option A is not to create a new Active Directory Service.

One-way trusts are a single-direction trust that allows authentication referrals from one side of the trust only. A one-way trust is either outgoing or incoming, but not both (that would be a two-way trust). plz see the link for further informations : https://aws.amazon.com/fr/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html

Holy shit there are so many trust options my head is spinning: https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/ This is a really good article about one-way AD trust relationships

A and D Link: https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/#:~:text=An%20outgoing%20trust%20allows%20users,domain%20(Example.com).

A -(Support url) https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_best_practices.html D-(Support Url) https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731404(v=ws.11)

AD are correct. I am going to copy/paste the comment of one of our colleagues because it is super descriptive: ""The direction of trust is opposite to the direction of access. Trust relationship from A to B, will give B's users access to A""

A and C are correct. You are required to establish one way trust From Existing AD to New Directory Service.. https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services//security-considerations.html

Direction of trust is opposite to the access required, so it is D.

D : direction of the trust is opposite to the direction of the access. if X trusts Y , Y can access to X

A and D are correct

Truts w opposite to permission so D and a new aws directory is needed so A

Interesting - Learnt something new today. Initially wrote this as A, C However, it should be A, D https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/ "For an analogy, if you were to give your car keys to a friend to allow him or her to use your car, you are establishing a trust between you and your friend. In this case, you are the trusting friend, or domain, and the friend is the trusted friend, or domain. Once the keys have been provided, then the next step is to allow access to your resource, or car, by providing permissions to use the car. However, this trust is only in one direction, you trust your friend. If you want your friend to trust you, your friend, or the other domain, must be initiated by your friend, or the other domain."

A&D: "A one-way trust allows bidirectional authentication. This is false. One-way trusts allow authentications to traverse in one direction only. Users or objects from the trusted domain are able to authenticate and, if they are delegated, to access resources in the trusting domain. Users in the trusting domain can’t authenticate into the trusted domain, and aren’t granted permissions to access resources. Let’s say there is an Amazon FSx file system in Example.local and a one-way trust between Example.com (outgoing trust direction) and Example.local (incoming trust direction). A user in Example.com can’t be delegated permission to the Amazon FSx file system Example.local with the current trust configuration. That’s the nature of a one-way trust."