Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 326 discussion

I support B as well per this link where EC2 is recommended: https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html

B is correct. The question mention "Windows EC2", no "Windows user desktops". Maybe the Windows EC2 can be Windows Servers.

A and B both work, but A is definitely more managed, so it has to be A

This is the most secure, scalable, and cost-effective solution that meets all of the technical and operational requirements.

The other options either lack required features (Simple AD options) or use less managed services (EC2 options), making them less suitable for the company's requirements.

There is nothing in the requirements that remotely sways to Workspaces. Amazon Workspaces is costly, requires support to implement/maintain, and is much more complex.

The question does mention EC2 specifically, which makes the WorkSpaces solution a little less direct. However, the requirement to use managed AWS services "wherever possible" strongly suggests WorkSpaces for MFA. It's the most managed way to get that done. So, while EC2 is mentioned, the emphasis on managed services and the need for MFA makes WorkSpaces the most likely answer. It's a trade-off, but the question is probably prioritizing managed services over strict adherence to only using EC2 for everything.

use AWS managed services wherever possible. While both A and B are feasible, A matches the question at most.

The company wants to use managed AWS services wherever possible. https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html You'll perform most administrative tasks for your WorkSpaces directory using directory management tools, such as the Active Directory Administration Tools. However, you'll use the WorkSpaces console to perform some directory-related tasks.

B is right The company wants to join all Windows EC2 instances to an Active Directory domain on AWS, which requires a full-featured Active Directory service. Using AWS Directory Service for Microsoft Active Directory (Enterprise edition) meets this requirement by providing a managed directory service that can be used to manage and secure EC2 instances. Launching an EC2 instance allows the development team to configure and test domain security configurations in a controlled environment, which is essential for ensuring the correct configuration of the Active Directory

Option A meets the requirements by using AWS Directory Service for Microsoft Active Directory, a managed service for hosting a full Active Directory domain. It also leverages Amazon WorkSpaces, a managed desktop service supporting MFA, for secure administrative access to configure the Active Directory domain, aligning with the company's preference for managed AWS services. Option B: While creating an AWS Directory Service for Microsoft Active Directory implementation is correct, launching an EC2 instance for domain security configuration tasks is not the most suitable approach. EC2 instances require additional management overhead, and the company wants to use managed services wherever possible.

Add a vote to B as it is dangerously swaying to A. The EC2 instances referred to should be the managed domain controller to manage EC2 instances that join the domain, to push down GPO policies etc. You can launch more than one for HA. https://aws.amazon.com/blogs/security/how-to-increase-the-redundancy-and-performance-of-your-aws-directory-service-for-microsoft-ad-directory-by-adding-domain-controllers/

Answer is A: Amazon WorkSpaces is a managed desktop-as-a-service solution that aligns with the requirement to use managed services: - Provides a managed alternative to running EC2 instances - Integrates seamlessly with AWS Managed Microsoft AD. - Reduces administrative overhead compared to managing EC2 instances

B is correct, it is application infrastructure, not for desktop.

I will go for A based on this "RADIUS MFA is applicable only to authenticate access to the AWS Management Console, or to Amazon Enterprise applications and services such as WorkSpaces, Amazon QuickSight, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance" https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_mfa.html

A is correct

Technically, you can use AWS Workspace for domain security configuration tasks. So A is correct