Tricky question!!! forget one-way or two-way. In this scenario, AWS applications (Amazon Chime, Amazon Connect, Amazon QuickSight, AWS Single Sign-On, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, AWS Client VPN, AWS Management Console, and AWS Transfer Family) need to be able to look up objects from the on-premises domain in order for them to function. This tells you that authentication needs to flow both ways. This scenario requires a two-way trust between the on-premises and AWS Managed Microsoft AD domains. It is a requirement of the application Scenario 2: https://aws.amazon.com/es/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/

Answer B as we have AWS SSO which requires two way trust. As per documentation - A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center (successor to AWS Single Sign-On), Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed AD. Amazon EC2, Amazon RDS, and Amazon FSx will work with either a one-way or two-way trust.

B for sure

Options A is enough and will make it work.

Option A suggests enabling AWS SSO and using a one-way trust, which allows AWS SSO to rely on the on-premises Microsoft Active Directory for authentication while keeping the management centralized in AWS SSO. This is a common and recommended approach for integrating on-premises Active Directory with AWS SSO.

For the sake of exam options A is enough. Option B rather increases security risk surface.

I'll go for B as A feels incomplete C Can be done but company wants SSO, not a fill director service D On prem already has a IDP so no.

Answer-B

D is better and more applicable in real-world context where everyone chooses simplicity over a overhaul solution; Where Organizations may prefer to continue using their existing, trusted on-premises IdP solutions for authentication, especially if they have specific security policies or compliance requirements.

Two-way trust or AD Connector. IAM Identity Center only works with those two. "One-way trusts do not work with IAM Identity Center." https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

Two-way trust or AD Connector. IAM Identity Center only works with those two. "One-way trusts do not work with IAM Identity Center." https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

From AWS Documentation: A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed AD. Amazon EC2, Amazon RDS, and Amazon FSx will work with either a one-way or two-way trust.

Option a- and why not option B -Option B, which suggests a two-way forest trust, is generally not recommended unless there are specific reasons for requiring a two-way trust, as it increases complexity and potential security risks.

B https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, "AWS IAM Identity Center (successor to AWS Single Sign-On)", Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console

Option B is the correct choice because it aligns with the AWS documentation, which states that a two-way trust relationship is needed between AWS Managed Microsoft AD and a self-managed AD for users to sign in with their corporate credentials to AWS services. This solution integrates AWS SSO, AWS Directory Service for Microsoft AD, and centralized account management through AWS Organizations. Read until the end "Create a two-way trust relationship – When two-way trust relationships are created between AWS Managed Microsoft AD and a self-managed directory in AD, users in your self-managed directory in AD can sign in with their corporate credentials to various AWS services and business applications. One-way trusts do not work with IAM Identity Center." https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

Explanation: To route users to the Region with the lowest latency, we can use Amazon Route 53 latency-based routing with health checks. We can deploy a Network Load Balancer (NLB) associated with the Auto Scaling group and create an Amazon Route 53 latency record that points to aliases for each NLB. To enable automated failover between Regions, we can configure Route 53 with failover routing policy. With failover routing policy, active-active or active-passive configurations can be configured between the Regions. Lastly, we can create an Amazon CloudFront distribution that uses the latency record as an origin which will improve the delivery performance of content to the end-users.