AWS Certified Developer – Associate (DVA-C02) — Question 505
A company is developing a new application that uses Amazon EC2, Amazon S3, and AWS Lambda resources. The company wants to allow employees to access the AWS Management Console by using existing credentials that the company stores and manages in an on-premises Microsoft Active Directory. Each employee must have a specific level of access to the AWS resources that is based on the employee’s role.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Configure AWS Directory Service to create an Active Directory in AWS Directory Service for Microsoft Active Directory. Establish a trust relationship with the on-premises Active Directory. Configure IAM roles and trust policies to give the employees access to the AWS resources.
- B. Use LDAP to directly integrate the on-premises Active Directory with AWS Identity and Access Management (IAM). Map Active Directory groups to IAM roles to control access to AWS resources.
- C. Implement a custom identity broker to authenticate users against the on-premises Active Directory. Configure the identity broker to use AWS Security Token Service (AWS STS) to grant authorized users IAM role-based access to the AWS resources.
- D. Configure Amazon Cognito to federate users into the on-premises Active Directory. Use Cognito user pools to manage user identities and to manage user access to the AWS resources.
Correct answer: A
Explanation
Option A is correct because AWS Directory Service for Microsoft Active Directory can establish a trust relationship with an on-premises Active Directory, allowing seamless console access with minimal operational overhead. Option B is incorrect because IAM does not natively support direct LDAP integration. Options C and D are incorrect because building a custom identity broker or using Amazon Cognito increases operational complexity and administrative overhead for console access.