Active Directory Trust

Hi Jagan,

The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.

It also depends on your “Direction of Trust” setting which could be One-way:incoming or One-way:outgoing type.

Just as mentioned in the explanation, there are three trust relationship directions:

1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.

2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.

3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754706(v=ws.11)

I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:

https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/RonCully_trustdiagram.png

For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.

Reference:

https://aws.amazon.com/blogs/security/how-to-enable-windows-integrated-authentication-for-rds-for-sql-server-using-on-premises-active-directory/

I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.

Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.

Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!

Regards,

Jon Bonso @ Tutorials Dojo

The method of Domain trusts has been consistent (though poorly explained) since NT 4.0.
Example: “I am trusting you with my car”, where “I” am the owner (Domain Admin) of a “car” (resource in the Resource Domain) and “you” are a user (in the Users Domain)

– The car resides in the Resource Domain.

– You reside in the Users domain. You are in the Users Domain & want access to the resource

– “I” am admin of the Resource Domain, and I provide access to you in the users domain by creating the one-way trust.

The users are on-premise, the resources are in AWS, and the one-way trust is provided from the AWS AD –> to the on-premise AD

Hence: “Set up a one-way trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.” is the correct answer.

• This reply was modified 3 years, 11 months ago by  k-booth.
• This reply was modified 3 years, 11 months ago by  k-booth.
• This reply was modified 3 years, 11 months ago by  k-booth.

This is a very technical discussion, really great read. Thank you Jon for shedding light on this item.