AWS Certified Security – Specialty — Question 324

A company’s security engineer is configuring AWS Single Sign-On (AWS SSO) to give employees the ability to access multiple AWS accounts that are part of an organization in AWS Organizations. Persistent network connectivity exists between the organization's management account where AWS SSO is configured and an existing on-premises Active Directory instance. The security engineer wants to enable employee authentication by using the existing on-premises Active Directory instance.

What is the MOST operationally efficient solution that meets these requirements?

Answer options

• A. Deploy the default AWS SSO user directory. Establish a two-way trust relationship between AWS SSO and the existing Active Directory instance.
• B. Deploy an AWS managed Active Directory instance in the organization's management account. Establish a two-way trust relationship with the existing Active Directory instance.
• C. Deploy a self-managed Active Directory instance in the organization's management account. Establish a two-way trust relationship with the existing Active Directory instance.
• D. Deploy an AWS managed Active Directory instance in the organization's management account. Establish a one-way trust relationship with the existing Active Directory instance.

Correct answer: B

Explanation

Deploying AWS Managed Microsoft AD and establishing a forest trust is the standard, low-overhead method to connect AWS SSO to an on-premises Active Directory. Option B is correct because a two-way trust relationship is required to allow AWS SSO to authenticate users from the on-premises domain. Option C is less operationally efficient because it involves self-managing domain controllers, while Option A is not supported by the default AWS SSO identity store.