Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 28 discussion

Tricky question!!! forget one-way or two-way. In this scenario, AWS applications (Amazon Chime, Amazon Connect, Amazon QuickSight, AWS Single Sign-On, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, AWS Client VPN, AWS Management Console, and AWS Transfer Family) need to be able to look up objects from the on-premises domain in order for them to function. This tells you that authentication needs to flow both ways. This scenario requires a two-way trust between the on-premises and AWS Managed Microsoft AD domains. It is a requirement of the application Scenario 2: https://aws.amazon.com/es/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/

Answer B as we have AWS SSO which requires two way trust. As per documentation - A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center (successor to AWS Single Sign-On), Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed AD. Amazon EC2, Amazon RDS, and Amazon FSx will work with either a one-way or two-way trust.

No need for both ways communication.

A specific aws applications require two-way trust. To migrate to the aws, we need all apps are available. So I pick B

A. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory. Two-way trust (as mentioned in option B) allows mutual trust between both environments, which is not necessary if the company only wants AWS to authenticate against the on-premises AD. A two-way trust is not necessary if the company only needs authentication from the on-premises AD. It may introduce unnecessary complexity and potential security risks since it requires trust in both directions.

Current version of this question (with Identity Center) doesn't even contain option A. https://www.examtopics.com/discussions/amazon/view/136806-exam-aws-certified-solutions-architect-associate-saa-c03/

key word: Self Managed. https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

Two way trust is not required here.

Option B (enabling AWS SSO and creating a two-way forest trust) is the appropriate solution based on the requirement for a two-way trust to support AWS enterprise applications and provide single sign-on capabilities across all AWS accounts while integrating with the on-premises Microsoft Active Directory.

B for sure

Options A is enough and will make it work.

Option A suggests enabling AWS SSO and using a one-way trust, which allows AWS SSO to rely on the on-premises Microsoft Active Directory for authentication while keeping the management centralized in AWS SSO. This is a common and recommended approach for integrating on-premises Active Directory with AWS SSO.

For the sake of exam options A is enough. Option B rather increases security risk surface.

I'll go for B as A feels incomplete C Can be done but company wants SSO, not a fill director service D On prem already has a IDP so no.

Answer-B

D is better and more applicable in real-world context where everyone chooses simplicity over a overhaul solution; Where Organizations may prefer to continue using their existing, trusted on-premises IdP solutions for authentication, especially if they have specific security policies or compliance requirements.

Two-way trust or AD Connector. IAM Identity Center only works with those two. "One-way trusts do not work with IAM Identity Center." https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html