Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 28 discussion

Tricky question!!! forget one-way or two-way. In this scenario, AWS applications (Amazon Chime, Amazon Connect, Amazon QuickSight, AWS Single Sign-On, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, AWS Client VPN, AWS Management Console, and AWS Transfer Family) need to be able to look up objects from the on-premises domain in order for them to function. This tells you that authentication needs to flow both ways. This scenario requires a two-way trust between the on-premises and AWS Managed Microsoft AD domains. It is a requirement of the application Scenario 2: https://aws.amazon.com/es/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/

Answer B as we have AWS SSO which requires two way trust. As per documentation - A two-way trust is required for AWS Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center (successor to AWS Single Sign-On), Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the AWS Management Console. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed AD. Amazon EC2, Amazon RDS, and Amazon FSx will work with either a one-way or two-way trust.

A one-way trust (rather than a two-way trust) is the recommended approach for security reasons: The on-premises AD remains the authoritative identity provider. AWS trusts the on-prem AD, but AD does not trust AWS. This setup ensures that AWS does not introduce potential security risks to the on-premises A two-way trust is unnecessary for SSO and can introduce security risks, as it allows AWS to authenticate users in the on-prem AD and vice versa. AWS best practices recommend using a one-way trust for such integrations.

A one-way trust is sufficient because AWS should trust the on-premises AD for authentication, but the on-premises AD does not need to trust AWS

AWS Single Sign-On can integrate with on-premises Microsoft Active Directory using AWS Directory Service for Microsoft Active Directory. A one-way trust relationship is sufficient for AWS SSO to authenticate users from the on-premises Active Directory without requiring changes to existing trust relationships in the on-premises environment.

Because we need to create two ways forest traffic

Resposta correta: B! Explicação revisada: Quando a empresa precisa integrar seu Microsoft Active Directory autogerenciado com o AWS SSO para logon único em múltiplas contas na AWS, uma relação de confiança de floresta bidirecional é necessária para permitir que usuários e grupos locais sejam autenticados e tenham acesso completo aos recursos da AWS. Essa abordagem garante interoperabilidade total entre o AD local e o AWS SSO.

AWS Single Sign-On (AWS SSO) allows centralized management of access to multiple AWS accounts, and it integrates with on-premises Active Directory via AWS Directory Service for Microsoft Active Directory. A one-way trust enables AWS Directory Service to authenticate users from the on-premises AD without giving AWS access to manage the on-premises AD. This is secure and follows best practices. This is the correct solution because it integrates the on-premises AD with AWS SSO and maintains the centralized management of users and groups in the on-premises AD.

AWS SSO (previously called Identity center) requires two way trust. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html

AWS Single Sign-On (AWS SSO): Provides a centralized way to manage SSO access to multiple AWS accounts and business applications. It simplifies user access management across AWS Organizations. One-Way Trust: Creating a one-way trust with AWS Directory Service allows the on-premises Microsoft Active Directory to authenticate users without allowing AWS to initiate authentication requests to the on-premises directory. This maintains security and control. Minimal Operational Overhead: This approach leverages AWS managed services, reducing the complexity and overhead of managing SSO and directory services.

Application Context in This Scenario: AWS Applications Mentioned in the Scenario: The question focuses on AWS Single Sign-On (AWS SSO) and the use of SSO across AWS accounts. AWS SSO with AWS Organizations does not require AWS applications to look up or access on-premises AD objects beyond authentication. This scenario does not mention such AWS applications, so a one-way trust is sufficient for the SSO use case.

No need for both ways communication.

A specific aws applications require two-way trust. To migrate to the aws, we need all apps are available. So I pick B

A. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory. Two-way trust (as mentioned in option B) allows mutual trust between both environments, which is not necessary if the company only wants AWS to authenticate against the on-premises AD. A two-way trust is not necessary if the company only needs authentication from the on-premises AD. It may introduce unnecessary complexity and potential security risks since it requires trust in both directions.

Current version of this question (with Identity Center) doesn't even contain option A. https://www.examtopics.com/discussions/amazon/view/136806-exam-aws-certified-solutions-architect-associate-saa-c03/

key word: Self Managed. https://docs.aws.amazon.com/singlesignon/latest/userguide/connectonpremad.html

Two way trust is not required here.