AWS Certified Database – Specialty — Question 318
A company is planning to use Amazon RDS for SQL Server for one of its critical applications. The company's security team requires that the users of the RDS for SQL Server DB instance are authenticated with on-premises Microsoft Active Directory credentials.
Which combination of steps should a database specialist take to meet this requirement? (Choose three.)
Answer options
- A. Extend the on-premises Active Directory to AWS by using AD Connector.
- B. Create an IAM user that uses the AmazonRDSDirectoryServiceAccess managed IAM policy.
- C. Create a directory by using AWS Directory Service for Microsoft Active Directory.
- D. Create an Active Directory domain controller on Amazon EC2.
- E. Create an IAM role that uses the AmazonRDSDirectoryServiceAccess managed IAM policy.
- F. Create a one-way forest trust from the AWS Directory Service for Microsoft Active Directory directory to the on-premises Active Directory.
Correct answer: C, E, F
Explanation
To enable Windows Authentication for Amazon RDS for SQL Server with on-premises credentials, you must deploy AWS Directory Service for Microsoft Active Directory and establish a one-way forest trust from the AWS Managed Microsoft AD directory to the on-premises directory. In addition, you must create an IAM role that uses the AmazonRDSDirectoryServiceAccess managed policy so that the RDS instance can join and interact with the directory service. Using AD Connector, hosting domain controllers on Amazon EC2, or attaching the policy to an IAM user instead of a role are incorrect because none of these meets the Active Directory integration requirements of Amazon RDS.