AWS Certified Solutions Architect – Professional — Question 722
A company's solutions architect needs to provide secure Remote Desktop connectivity to users for Amazon EC2 Windows instances that are hosted in a VPC. The solution must integrate centralized user management with the company's on-premises Active Directory. Connectivity to the VPC is through the internet. The company has hardware that can be used to establish an AWS Site-to-Site VPN connection.
Which solution will meet these requirements MOST cost-effectively?
Answer options
- A. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory. Deploy an EC2 instance as a bastion host in the VPC. Ensure that the EC2 instance is joined to the domain. Use the bastion host to access the target instances through RDP.
- B. Configure AWS Single Sign-On to integrate with the on-premises Active Directory by using the AWS Directory Service for Microsoft Active Directory AD Connector. Configure permission sets against user groups for access to AWS Systems Manager. Use Systems Manager Fleet Manager to access the target instances through RDP.
- C. Implement a VPN between the on-premises environment and the target VPC. Ensure that the target instances are joined to the on-premises Active Directory domain over the VPN connection. Configure RDP access through the VPN. Connect from the company's network to the target instances.
- D. Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory. Deploy a Remote Desktop Gateway on AWS by using an AWS Quick Start. Ensure that the Remote Desktop Gateway is joined to the domain. Use the Remote Desktop Gateway to access the target instances through RDP.
Correct answer: B
Explanation
Option B is the most cost-effective solution because AWS Systems Manager Fleet Manager provides secure RDP access from the AWS Console without deploying and paying for additional EC2 instances as bastion hosts or Remote Desktop Gateways. Furthermore, an AD Connector is a low-cost, lightweight directory gateway that redirects authentication requests to the on-premises Active Directory, avoiding the high hourly cost of running a full AWS Managed Microsoft AD. Options A, C, and D are significantly more expensive because of the licensing, storage, and instance costs associated with Managed AD, bastion hosts, and RD Gateway infrastructure.