Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 717 discussion

A company wants to provide desktop as a service (DaaS) to a number of employees using Amazon WorkSpaces. WorkSpaces will need to access files and services hosted on premises with authorization based on the company's Active Directory. Network connectivity will be provided through an existing AWS Direct Connect connection.
The solution has the following requirements:
✑ Credentials from Active Directory should be used to access on-premises files and services.
✑ Credentials from Active Directory should not be stored outside the company.
✑ End users should have single sign-on (SSO) to on-premises files and services once connected to WorkSpaces.
Which strategy should the solutions architect use for end user authentication?

  • A. Create an AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) directory within the WorkSpaces VPC. Use the Active Directory Migration Tool (ADMT) with the Password Export Server to copy users from the on-premises Active Directory to AWS Managed Microsoft AD. Set up a one-way trust allowing users from AWS Managed Microsoft AD to access resources in the on-premises Active Directory. Use AWS Managed Microsoft AD as the directory for WorkSpaces.
  • B. Create a service account in the on-premises Active Directory with the required permissions. Create an AD Connector in AWS Directory Service to be deployed on premises using the service account to communicate with the on-premises Active Directory. Ensure the required TCP ports are open from the WorkSpaces VPC to the on-premises AD Connector. Use the AD Connector as the directory for WorkSpaces.
  • C. Create a service account in the on-premises Active Directory with the required permissions. Create an AD Connector in AWS Directory Service within the WorkSpaces VPC using the service account to communicate with the on-premises Active Directory. Use the AD Connector as the directory for WorkSpaces.
  • D. Create an AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) directory in the AWS Directory Service within the WorkSpaces VPC. Set up a one-way trust allowing users from the on-premises Active Directory to access resources in the AWS Managed Microsoft AD. Use AWS Managed Microsoft AD as the directory for WorkSpaces. Create an identity provider with AWS Identity and Access Management (IAM) from an on-premises ADFS server. Allow users from this identity provider to assume a role with a policy allowing them to run WorkSpaces.
Suggested Answer: C

Comments

heyheyhei
Highly Voted 3 years, 2 months ago
C should be correct. One of the requirements is “Credentials from Active Directory should not be stored outside the company”, where AD Connector will not cache any information in the cloud. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
upvoted 22 times
Jaypdv
Highly Voted 3 years, 2 months ago
C. First clue: "AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud." (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html), which includes pretty much everything needed in the question. Other clue: a one-way trust does not work with AWS SSO (https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html), which would eliminate D.
upvoted 9 times
SkyZeroZx
Most Recent 1 year, 5 months ago
Selected Answer: C
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
upvoted 2 times
MikeyJ
2 years, 4 months ago
Selected Answer: C
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
upvoted 3 times
hilft
2 years, 4 months ago
C. Not D. It says credentials shouldn't be stored outside.
upvoted 2 times
asfsdfsdf
2 years, 4 months ago
I will go with C. Caching is not being done in the cloud. Also, it requires a two-way trust in order to implement D: https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspace-trusted-domain.html. Taking a look at the documentation, creating it with a one-way trust is done using AD Connector: https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspace-ad-connector.html and https://d1.awsstatic.com/Projects/deploy-amazon-workspaces-one-way-trust-with-aws-directory-service.pdf
upvoted 1 times
aandc
2 years, 5 months ago
Selected Answer: D
"AWS SSO" is an AWS service which does not support one-way trust. But in this Q, the SSO is the general term; hence D.
upvoted 2 times
prathima
2 years, 7 months ago
Answer is D
upvoted 1 times
nimodaytona
2 years, 8 months ago
C, https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspace-ad-connector.html
upvoted 1 times
lucesarano
2 years, 11 months ago
There’s no need to “ensure the required TCP ports are open from the WS VPC to the on-prem AD Connector”. The connector is on AWS, meaning B is wrong. A is wrong; it violates the 2nd req. D is wrong because there’s no need to create an additional AD on AWS. C is the only feasible answer.
upvoted 1 times
andylogan
3 years, 1 month ago
It's C
upvoted 1 times
tgv
3 years, 1 month ago
CCC ---
upvoted 1 times
blackgamer
3 years, 1 month ago
C to me.
upvoted 2 times
Kopa
3 years, 1 month ago
AD Connector for this case; I'm going for C.
upvoted 2 times
WhyIronMan
3 years, 1 month ago
I'll go with C
upvoted 4 times
DashL
3 years, 1 month ago
B. The document https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/best-practices-deploying-amazon-workspaces.pdf provides various scenarios for deploying WorkSpaces. In this document, there is a note: "Regardless of its location (on premises or remote), the device running the Amazon WorkSpaces client uses the same two ports for connectivity to the Amazon WorkSpaces service. The client uses port 443 (HTTPS port) for all authentication and session-related information, and port 4172 (PCoIP port), with both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), for pixel streaming to a given WorkSpace and network health checks." Looks like it is required to open TCP ports.
upvoted 1 times
DashL
3 years, 1 month ago
I guess I was wrong. Option B says "TCP ports are open from the WorkSpaces VPC to the on-premises AD Connector". The AD Connector is on AWS, not on-prem. Ans should be C.
upvoted 3 times
hk436
3 years, 1 month ago
C is my answer!!
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other