Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 326 discussion

I support B as well per this link where EC2 is recommended: https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html

B is correct. The question mention "Windows EC2", no "Windows user desktops". Maybe the Windows EC2 can be Windows Servers.

B is right The company wants to join all Windows EC2 instances to an Active Directory domain on AWS, which requires a full-featured Active Directory service. Using AWS Directory Service for Microsoft Active Directory (Enterprise edition) meets this requirement by providing a managed directory service that can be used to manage and secure EC2 instances. Launching an EC2 instance allows the development team to configure and test domain security configurations in a controlled environment, which is essential for ensuring the correct configuration of the Active Directory

Option A meets the requirements by using AWS Directory Service for Microsoft Active Directory, a managed service for hosting a full Active Directory domain. It also leverages Amazon WorkSpaces, a managed desktop service supporting MFA, for secure administrative access to configure the Active Directory domain, aligning with the company's preference for managed AWS services. Option B: While creating an AWS Directory Service for Microsoft Active Directory implementation is correct, launching an EC2 instance for domain security configuration tasks is not the most suitable approach. EC2 instances require additional management overhead, and the company wants to use managed services wherever possible.

Add a vote to B as it is dangerously swaying to A. The EC2 instances referred to should be the managed domain controller to manage EC2 instances that join the domain, to push down GPO policies etc. You can launch more than one for HA. https://aws.amazon.com/blogs/security/how-to-increase-the-redundancy-and-performance-of-your-aws-directory-service-for-microsoft-ad-directory-by-adding-domain-controllers/

Answer is A: Amazon WorkSpaces is a managed desktop-as-a-service solution that aligns with the requirement to use managed services: - Provides a managed alternative to running EC2 instances - Integrates seamlessly with AWS Managed Microsoft AD. - Reduces administrative overhead compared to managing EC2 instances

B is correct, it is application infrastructure, not for desktop.

I will go for A based on this "RADIUS MFA is applicable only to authenticate access to the AWS Management Console, or to Amazon Enterprise applications and services such as WorkSpaces, Amazon QuickSight, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance" https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_mfa.html

A is correct

Technically, you can use AWS Workspace for domain security configuration tasks. So A is correct

A is right answer

A is right answer as the Amazon WorkSpaces provides a managed desktop-as-a-service solution that allows you to access a Windows desktop environment in the AWS Cloud

A. Amazon WorkSpaces is more secure and managed,

You can managed AD Admin tasks from Workspace. The requirement is to use AWS Managed Services where possible. So answer is A - nothing you can manage AD wise on EC2 that you can't do on the Windows Workspace

A - correct.

Option A - Three requirements, 1. join AD domain, 2. enable MFA, 3. Use AWS managed service. Nothing about cost or any additional requirements. Option A checks all the boxes from the article information - https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/

Because managed services.