AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A global corporation is migrating its on-premises data center to AWS. The on-premises environment relies heavily on Microsoft Active Directory (AD) for user authentication and group management. The migration includes a large number of Windows Server-based applications that are domain-joined and require AD authentication. The company uses AWS Organizations to manage dozens of AWS accounts.
The solutions architect must design an identity solution that meets the following requirements:
On-premises AD must remain the authoritative source of truth for all user identities.
Users must use their existing corporate credentials for SSO access to both the migrated Windows applications on EC2 and for federated access to the AWS Management Console across all accounts.
The solution must be resilient to intermittent network connectivity disruptions between the on-premises data center and AWS.
The solution should avoid the creation and management of duplicate IAM users.
Which solution should the architect recommend?
Deploy AWS Managed Microsoft AD and establish a two-way forest trust with the on-premises AD. Configure AWS IAM Identity Center to use the AWS Managed Microsoft AD as the identity source.
Deploy Simple AD for the Windows applications to join. Create individual IAM users for all administrators and attach policies to grant them AWS Management Console access.
Establish a SAML 2.0 trust between an on-premises AD FS instance and AWS IAM. Manually create IAM roles for console access and join the EC2 instances to the on-premises domain via AWS Site-to-Site VPN.
Deploy AD Connector in the VPC and connect it to the on-premises AD. Configure AWS IAM Identity Center to use the AD Connector as the identity source.
The correct solution is to deploy AWS Managed Microsoft AD and establish a two-way forest trust with the on-premises AD. This creates a highly available, fully managed Active Directory inside AWS (two domain controllers across separate Availability Zones by default). Because the directory resides in AWS, Windows workloads can continue to authenticate locally even if the network link to the on-premises environment experiences temporary disruptions. When the link is available, the bidirectional trust allows users who live in the on-premises AD forest to obtain Kerberos referrals and access EC2-hosted resources without storing any credentials in AWS.
Next, configure AWS IAM Identity Center to use the AWS Managed Microsoft AD as its identity source. IAM Identity Center reads user and group metadata through the trust and assigns permission sets, which are provisioned as IAM roles in each member account and assumed with short-lived credentials, providing federated, multi-account console access without the need to create individual IAM users.
Incorrect answers:
AD Connector functions only as a proxy and caches no credentials, so all authentications depend on a healthy network path to the on-premises AD, violating the resilience requirement.
Using AD FS federation addresses console access but leaves Windows applications dependent on the on-premises AD forest and adds operational complexity compared with IAM Identity Center.
Simple AD cannot form trusts with an external AD forest. It would require manually managing separate identities, which contravenes the single source-of-truth requirement.