ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 483 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 483
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company is building an AWS landing zone and has asked a Solutions Architect to design a multi-account access strategy that will allow hundreds of users to use corporate credentials to access the AWS Console. The company is running a Microsoft Active Directory, and users will use an AWS Direct Connect connection to connect to AWS. The company also wants to be able to federate to third-party services and providers, including custom applications.
Which solution meets the requirements by using the LEAST amount of management overhead?

  • A. Connect the Active Directory to AWS by using single sign-on and an Active Directory Federation Services (AD FS) with SAML 2.0, and then configure the Identity Provider (IdP) system to use form-based authentication. Build the AD FS portal page with corporate branding, and integrate third-party applications that support SAML 2.0 as required.
  • B. Create a two-way Forest trust relationship between the on-premises Active Directory and the AWS Directory Service. Set up AWS Single Sign-On with AWS Organizations. Use single sign-on integrations for connections with third-party applications.
  • C. Configure single sign-on by connecting the on-premises Active Directory using the AWS Directory Service AD Connector. Enable federation to the AWS services and accounts by using the IAM applications and services linking function. Leverage third-party single sign-on as needed.
  • D. Connect the company's Active Directory to AWS by using AD FS and SAML 2.0. Configure the AD FS claim rule to leverage Regex and a common Active Directory naming convention for the security group to allow federation of all AWS accounts. Leverage third-party single sign-on as needed, and add it to the AD FS server.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by awsec2 at Sept. 14, 2019, 8:41 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
sb333
Highly Voted 3 years, 9 months ago
B is the correct answer and fully supports the requirements of the question with very little management. Managing an AD FS implementation is not a LEAST overhead solution. If you have had to support AD FS, you know this. Support for B is here: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
upvoted 19 times
Smart
3 years, 9 months ago
Agreed. I wasn't sure about two-way relationship. https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html
upvoted 5 times
...
...
donathon
Highly Voted 3 years, 9 months ago
D A: Adds complexity to the SSO. https://aws.amazon.com/blogs/security/how-to-implement-a-general-solution-for-federated-apicli-access-using-saml-2-0/ B: You will need to manage AWS Directory Service which is additional overhead. C: As an alternative to AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), AD Connector is an Active Directory proxy for AWS created applications and services only. You configure the proxy to use a specified Active Directory domain. When the application must look up a user or group in Active Directory, AD Connector proxies the request to the directory. Similarly, when a user logs in to the application, AD Connector proxies the authentication request to the directory. There are no third-party applications that work with AD Connector. D: https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
upvoted 18 times
Kopa
3 years, 8 months ago
With AWS SSO, you can enable a highly available SSO service with just a few clicks. There is no additional infrastructure to deploy or AWS account to set up. AWS SSO is a highly available and a completely secure infrastructure that scales to your needs and does not require software or hardware to manage. AWS SSO records all sign-in activity in AWS CloudTrail, giving you the visibility to monitor and audit SSO activity in one place.
upvoted 2 times
...
...
maxh8086
Most Recent 2 years, 5 months ago
A B - Two way forest trust is not a solution for SSO C - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html AD Connector cannot be shared with other AWS accounts. If this is a requirement, consider using AWS Managed Microsoft AD to Share your directory. AD Connector is also not multi-VPC aware, which means that AWS applications like WorkSpaces are required to be provisioned into the same VPC as your AD Connector. D - could have been a option, if Groups as claim are required but its not a requirement here.
upvoted 1 times
hollie
2 years, 5 months ago
A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center (successor to AWS Single Sign-On), Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed AD.(https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html)
upvoted 1 times
...
...
robertohyena
2 years, 6 months ago
C&D has "Leverage third-party single sign-on as needed." not optimal solution. B is correct
upvoted 1 times
...
Ni_yot
2 years, 9 months ago
B sounds good as an option. The AWS AD workshop uses this method.
upvoted 1 times
...
aandc
3 years ago
B, ADFS means complexity
upvoted 2 times
...
gunjan229
3 years, 3 months ago
Selected Answer: B
Requirement is LEAST amount of administrative overhead. Managed Services AWS Active Directory and SSO will have less Administrative overhead. So B is perfect.
upvoted 2 times
...
jyrajan69
3 years, 4 months ago
First you must consider the requirement for a multi-account strategy, before least overhead. Answer D does not involve AWS Organizations, and it involves more complications, so based on all this the answer has to be B
upvoted 2 times
...
cannottellname
3 years, 5 months ago
Selected Answer: B
B is corret with least operational overhead. D does not even mention SSO & the article mentioned in the link just connects with 1 AWS account - not multiple. AWS SSO is managed and easily linked with new users using Microsoft AD. B is correct.
upvoted 1 times
...
peddyua
3 years, 5 months ago
B doesn't involve SAML 2.0 which is a must. So I'll go with D
upvoted 1 times
...
vbal
3 years, 6 months ago
D is perfect.
upvoted 1 times
...
AzureDP900
3 years, 7 months ago
Create a two-way Forest trust relationship between the on-premises Active Directory and the AWS Directory Service. This is right so my answer is B
upvoted 2 times
...
nodogoshi
3 years, 7 months ago
B is minimum management overhead.
upvoted 2 times
...
DerekKey
3 years, 8 months ago
B correct - this is a solution that I am using on a daily basis
upvoted 3 times
...
WhyIronMan
3 years, 8 months ago
I'll go with D
upvoted 1 times
...
Akhil254
3 years, 8 months ago
B Correct
upvoted 1 times
...
Waiweng
3 years, 8 months ago
B is the correct Answer https://aws.amazon.com/solutions/implementations/aws-landing-zone/ https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
upvoted 7 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel