AWS Certified Solutions Architect – Associate (SAA-C02) — Question 19

A company is performing an AWS Well-Architected Framework review of an existing workload deployed on AWS. The review identified a public-facing website running on the same Amazon EC2 instance as a Microsoft Active Directory domain controller that was install recently to support other AWS services. A solutions architect needs to recommend a new design that would improve the security of the architecture and minimize the administrative demand on IT staff.
What should the solutions architect recommend?

Answer options

• A. Use AWS Directory Service to create a managed Active Directory. Uninstall Active Directory on the current EC2 instance.
• B. Create another EC2 instance in the same subnet and reinstall Active Directory on it. Uninstall Active Directory.
• C. Use AWS Directory Service to create an Active Directory connector. Proxy Active Directory requests to the Active domain controller running on the current EC2 instance.
• D. Enable AWS Single Sign-On (AWS SSO) with Security Assertion Markup Language (SAML) 2.0 federation with the current Active Directory controller. Modify the EC2 instance's security group to deny public access to Active Directory.

Correct answer: A

Explanation

The correct answer is A because using AWS Directory Service for a managed Active Directory significantly enhances security and reduces administrative tasks compared to managing it on an EC2 instance. Options B and C do not eliminate the security risks associated with running a public-facing website alongside Active Directory. Option D does not remove the Active Directory from the EC2 instance, which is still a security concern.