Difficulty: Hard · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Tags: Security, Identity Center, Active Directory

AWS SAP-C02 · Question 46 · Domain 1.2: Security Controls

An enterprise is migrating its on-premises Active Directory (AD) to AWS. They want to use AWS IAM Identity Center (successor to AWS SSO) to manage access to their 100+ AWS accounts. They want to maintain their existing AD as the single source of truth for user identities and passwords. Which architecture provides the MOST reliable and lowest latency authentication experience?

Answer options:

A.

Deploy AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) in a central VPC. Establish a two-way trust with the on-premises AD. Connect IAM Identity Center to the Managed AD.

B.

Use AD Connector to connect IAM Identity Center directly to the on-premises AD over an AWS Site-to-Site VPN.

C.

Configure IAM Identity Center to use its internal identity store. Write a script to synchronize users and passwords from on-premises AD daily.

D.

Deploy an open-source SAML identity provider on EC2. Federate the on-premises AD to the SAML provider, and federate the SAML provider to IAM Identity Center.

How to approach this question

Look for the architecture that keeps the authentication infrastructure inside AWS (Managed AD) for reliability and low latency, while keeping the on-premises AD as the source of truth for identities and passwords (via the trust).

Full Answer

A. Deploy AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) in a central VPC. Establish a two-way trust with the on-premises AD. Connect IAM Identity Center to the Managed AD. ✓ Correct
To provide the most reliable and low-latency experience, you should deploy AWS Managed Microsoft AD in AWS and establish a trust relationship with your on-premises AD. IAM Identity Center connects to the AWS Managed AD. When users log in, the authentication request is routed over the trust to the on-premises AD. If the connection drops, AWS Managed AD can cache credentials (if configured) or at least provide a robust, managed infrastructure within AWS.

Common mistakes

Choosing AD Connector, which is simpler but less resilient to network drops.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 5