AWS Certified Security – Specialty — Question 18

A financial institution has the following security requirements:
✑ Cloud-based users must be contained in a separate authentication domain.
✑ Cloud-based users cannot access on-premises systems.
As part of standing up a cloud environment, the financial institution is creating a number of Amazon managed databases and Amazon EC2 instances. An Active
Directory service exists on-premises that has all the administrator accounts, and these must be able to access the databases and instances.
How would the organization manage its resources in the MOST secure manner? (Choose two.)

Answer options

• A. Configure an AWS Managed Microsoft AD to manage the cloud resources.
• B. Configure an additional on-premises Active Directory service to manage the cloud resources.
• C. Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
• D. Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
• E. Establish a two-way trust between the new and existing Active Directory services.

Correct answer: A, D

Explanation

The correct answers are A and D. Configuring an AWS Managed Microsoft AD allows the organization to manage cloud resources securely while keeping the cloud-based users isolated. Establishing a one-way trust from the new Active Directory to the existing Active Directory ensures that on-premises administrator accounts can access the cloud resources without allowing cloud users access to on-premises systems, which aligns with the security requirements.