AWS Certified Solutions Architect – Professional (SAP-C02) — Question 337
A company is rearchitecting its applications to run on AWS. The company’s infrastructure includes multiple Amazon EC2 instances. The company's development team needs different levels of access. The company wants to implement a policy that requires all Windows EC2 instances to be joined to an Active Directory domain on AWS. The company also wants to implement enhanced security processes such as multi-factor authentication (MFA). The company wants to use managed AWS services wherever possible.
Which solution will meet these requirements?
Answer options
- A. Create an AWS Directory Service for Microsoft Active Directory implementation. Launch an Amazon WorkSpace. Connect to and use the WorkSpace for domain security configuration tasks.
- B. Create an AWS Directory Service for Microsoft Active Directory implementation. Launch an EC2 instance. Connect to and use the EC2 instance for domain security configuration tasks.
- C. Create an AWS Directory Service Simple AD implementation. Launch an EC2 instance. Connect to and use the EC2 instance for domain security configuration tasks.
- D. Create an AWS Directory Service Simple AD implementation. Launch an Amazon WorkSpace. Connect to and use the WorkSpace for domain security configuration tasks.
Correct answer: B
Explanation
AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) is required because it supports multi-factor authentication (MFA), whereas Simple AD does not. Deploying a Windows EC2 instance to run administrative tools is the standard and most cost-effective method of managing the Active Directory domain. Using Amazon WorkSpaces for administrative tasks introduces unnecessary cost and management overhead compared to a dedicated EC2 management instance.