Exam AWS Certified Security - Specialty topic 1 question 365 discussion

Voting for B. See this repost: https://repost.aws/questions/QUAVB2guDnTwCGCSGbbaxNyw/aws-sso-with-microsoft-ad-as-id-p I don't know why so many people chose C? The question asks for "least overhead" and you use a self-managed AD? Really?

https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html Create a two-way trust relationship – When two-way trust relationships are created between AWS Managed Microsoft AD and a self-managed directory in AD, users in your self-managed directory in AD can sign in with their corporate credentials to various AWS services and business applications. One-way trusts do not work with IAM Identity Center.

B is the logical answer. C is more less operationally efficient than B, unsure why it's been selected.

Only B makes sense... A. You can't use both user directory and AD C. you need AD connector for this solution D. One-way trust is not supported by AWS SSO

SSO needs to look up objects in AD in order to work, so u need a two-way trust.(Search for Scenario 2 in below link). Be aware that there are services like FSx for Windows Fileserver which do not require a 2-way trust. https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/

Option A is not operationally efficient because it requires the creation of a separate user directory, which would require additional user management and potentially increase the risk of account lockout and identity management issues. Option C requires the deployment and management of a self-managed Active Directory instance, which could be costly and resource-intensive. Option D is not operationally efficient because a one-way trust relationship would require manual user management, and the user's Active Directory credentials would not be synchronized with the AWS environment.

AWS Managed with two way trust for existing AD.

B - the same as C but less admin over head.

Answer B, as self managed AD still require AD connector or AWS Managed AD. If you want to use your self-managed Active Directory credentials to access AWS Services or third-party services, you can integrate your self-managed AD with AWS IAM and AWS Single Sign-On using AWS AD Connector or AWS Managed AD through a trust relationship. In these cases, AD Connector or AWS Managed AD must be deployed in the management account of your organization. https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services//design-considerations-for-running-active-directory-on-ec2-instances.html

Because of the SSO (IAM Identity center) we need to create two way trust. If we compare B and C, at C it is self managed, whereas at B it is aws managed. Therefore it is B

You can configure one and two-way external and forest trust relationships between your AWS Directory Service for Microsoft Active Directory and self-managed (on-premises) directories, as well as between multiple AWS Managed Microsoft AD directories in the AWS cloud. AWS Managed Microsoft AD supports all three trust relationship directions: Incoming, Outgoing and Two-way (Bi-directional). Reference: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html

Unclear to me if AWS SSO (now IAM Identity Center) can have a direct relationship with the existing on prem AD instance. A - If it is possible to establish a direct (two way) trust relationship between AWS SSO (now IAM Identity Center) and the existing on prem AD instance then this would be the most operationally efficient solution. If A is not possible then B is probably the best answer as it seems to be supported and would be less operational overhead than C C I don't see that this would be more operationally efficient than B D Not supported as one way trust https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

C- Correct

AWS Directory service is the only need here.. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_single_sign_on.html

Why not A? Just set up the SSO and Federate with on prem AD using SAML.

AWS Managed = less operational overhead Two-way trust needed as per this article: https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

why not B ?AWS managed AD?