AWS Certified SysOps Administrator – Associate (legacy) — Question 544

Each SysOps Administrator at a company has a unique IAM user account. Each user is a member of the SysOps IAM group that has an IAM policy applied. A recent change to the IT security policy states that employees must now use their on-premises Active Directory user accounts to access the AWS Management
Console.
Which solution should be used to satisfy these requirements?

Answer options

• A. Configure the on-premises Active Directory to use AWS Direct Connect.
• B. Enable an Active Directory federation in an Amazon Route 53 private zone.
• C. Implement a VPN tunnel and configure an Active Directory connector.
• D. Implement multi-factor authentication for IAM and Active Directory.

Correct answer: C

Explanation

To allow users to access the AWS Management Console using their on-premises credentials, AWS Directory Service AD Connector can be used to redirect directory requests to the on-premises Active Directory, which requires a secure connection such as a VPN tunnel. Option C provides the necessary secure network path and the identity integration service required for this setup. The other options are incorrect because AWS Direct Connect alone does not handle directory integration, Route 53 is a DNS service, and MFA does not federalize on-premises identities.