Member, May 26, 2020 at 12:52 pm
An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.
How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)
Answer: Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.
Answer: Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
In a normal AD environment, if Domain A trusts Domain B, users in Domain B can access resources in Domain A. However, the answer says Domain A trusts Domain B, therefore users in Domain A can access resources in Domain B. Am I missing something specific about AD logic in the cloud?
Administrator, May 26, 2020 at 8:01 pm
The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.
It also depends on your “Direction of Trust” setting which could be One-way:incoming or One-way:outgoing type.
Just as mentioned in the explanation, there are three trust relationship directions:
1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.
2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.
3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.
I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:
For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.
I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.
Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!
Jon Bonso @ Tutorials Dojo
Member, May 27, 2020 at 3:17 am
The method of Domain trusts has been consistent (though poorly explained) since NT 4.0.
Example: “I am trusting you with my car”, where “I” am the owner (Domain Admin) of a “car” (a resource in the Resource Domain) and “you” are a user (in the Users Domain).
– The car resides in the Resource Domain.
– You reside in the Users Domain. You are in the Users Domain and want access to the resource.
– “I” am admin of the Resource Domain, and I provide access to you in the users domain by creating the one-way trust.
The users are on-premise, the resources are in AWS, and the one-way trust is provided from the AWS AD to the on-premise AD.
Hence: “Set up a one-way trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.” is the correct answer.
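As an added example (not part of this thread or of AWS's own tooling), the following Python model encodes the standard Windows rule that a trust from A to B lets accounts in B reach resources in A, and maps the AWS Directory Service direction labels onto that rule from the AWS Managed Microsoft AD's side, then checks each setting against the policy discussed above. The domain names are constructed placeholders.

```python
"""Toy model of AD trust direction vs. access direction (added example).

A trust "from A to B" makes A the trusting domain and B the trusted one: accounts
in B can be granted access to resources in A, never the reverse. AWS Directory
Service labels the same edge from the AWS Managed Microsoft AD's point of view.
"""
from dataclasses import dataclass, field
AWS_DOMAIN = "corp.aws.example"        # constructed name: AWS Managed Microsoft AD
ONPREM_DOMAIN = "corp.onprem.example"  # constructed name: on-premises AD


@dataclass
class TrustGraph:
    # Edge (trusting, trusted): accounts in `trusted` may access resources in `trusting`.
    edges: set = field(default_factory=set)

    def add_trust(self, trusting: str, trusted: str) -> None:
        self.edges.add((trusting, trusted))

    def add_aws_trust(self, this_domain: str, remote_domain: str, direction: str) -> None:
        """Translate the Directory Service 'Trust direction' value into edges."""
        if direction == "One-Way: Outgoing":    # this domain trusts the remote domain
            self.add_trust(this_domain, remote_domain)
        elif direction == "One-Way: Incoming":  # remote domain trusts this domain
            self.add_trust(remote_domain, this_domain)
        elif direction == "Two-Way":
            self.add_trust(this_domain, remote_domain)
            self.add_trust(remote_domain, this_domain)
        else:
            raise ValueError(f"unknown trust direction: {direction!r}")

    def can_access(self, user_domain: str, resource_domain: str) -> bool:
        """True if the resource domain is the user's own or trusts the user's domain."""
        return user_domain == resource_domain or (resource_domain, user_domain) in self.edges


def scenario_is_satisfied(graph: TrustGraph) -> bool:
    """On-prem admins must reach AWS resources; cloud users must not reach on-prem."""
    return graph.can_access(ONPREM_DOMAIN, AWS_DOMAIN) and not graph.can_access(AWS_DOMAIN, ONPREM_DOMAIN)


def evaluate_directions() -> dict:
    """Check every Directory Service direction setting against the policy."""
    results = {}
    for direction in ("One-Way: Outgoing", "One-Way: Incoming", "Two-Way"):
        graph = TrustGraph()
        graph.add_aws_trust(AWS_DOMAIN, ONPREM_DOMAIN, direction)
        results[direction] = scenario_is_satisfied(graph)
    return results
```

Only the setting in which the AWS directory trusts the on-premises directory satisfies both halves of the policy; the two-way setting fails because it also lets cloud accounts reach on-premises resources.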
Member, May 28, 2020 at 9:17 pm
This is a very technical discussion, really great read. Thank you Jon for shedding light on this item.