AWS Certified Solutions Architect – Associate (SAA-C03) — Question 52

A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company's security team needs a single sign-on (SSO) solution across all the company's accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.
Which solution will meet these requirements?

Answer options

• A. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
• B. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
• C. Use AWS Directory Service. Create a two-way trust relationship with the company's self-managed Microsoft Active Directory.
• D. Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.

Correct answer: B

Explanation

The correct answer is B because establishing a two-way forest trust allows for seamless authentication and user management between the self-managed Microsoft Active Directory and AWS SSO. Option A is incorrect as a one-way trust does not provide the necessary bi-directional access needed for user management. Option C lacks SSO capabilities and does not integrate directly with AWS SSO, while option D does not incorporate the required trust relationship for Microsoft Active Directory integration.