
  • Active Directory Trust

  • Jag92jshwhwhs

    Member
    May 26, 2020 at 12:52 pm

    An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.

    How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)

    Answer: Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.

    Answer: Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.

    In a normal AD environment, if domain A trusts domain B, users in domain B can access resources in domain A. However, the answer says domain A trusts domain B, therefore users in domain A can access resources in domain B. Am I missing something specific about AD logic in the cloud?

  • Jon-Bonso

    Administrator
    May 26, 2020 at 8:01 pm

    Hi Jagan,

    The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.

    It also depends on your “Direction of Trust” setting, which could be of the One-way: incoming or One-way: outgoing type.

    Just as mentioned in the explanation, there are three trust relationship directions:

    1. One-way: incoming – Users in the specified realm will not be able to access any resources in this domain.

    2. One-way: outgoing – Users in this domain will not be able to access any resources in the specified realm.

    3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754706(v=ws.11)

    I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:

    https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/RonCully_trustdiagram.png

    For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.

    Reference:

    https://aws.amazon.com/blogs/security/how-to-enable-windows-integrated-authentication-for-rds-for-sql-server-using-on-premises-active-directory/

    I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.

    Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

  • k-booth

    Member
    May 27, 2020 at 3:17 am

    The method of domain trusts has been consistent (though poorly explained) since NT 4.0.
    Example: “I am trusting you with my car”, where “I” am the owner (Domain Admin) of a “car” (resource in the Resource Domain) and “you” are a user (in the Users Domain).

    – The car resides in the Resource Domain.

    – You reside in the Users Domain. You are in the Users Domain and want access to the resource.

    – “I” am admin of the Resource Domain, and I provide access to you in the users domain by creating the one-way trust.

    The users are on-premises, the resources are in AWS, and the one-way trust is provided from the AWS AD –> to the on-premises AD.

    Hence: “Set up a one-way trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.” is the correct answer.

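    The setup the two replies above describe, written out as an added example (it is not from the original posts, from AWS, or from Tutorials Dojo): the AWS Managed Microsoft AD is the resource domain and trusts the on-premises forest, so the AWS side is created as “One-Way: Outgoing” and the on-premises side as Inbound, which lets on-premises accounts authenticate to RDS and EC2 joined to the AWS directory while accounts in the AWS directory get nothing on-premises. The directory ID, domain names and DNS addresses are assumed placeholders; the on-premises half uses the .NET `Forest.CreateLocalSideOfTrustRelationship` API and must be run on an on-premises domain controller as an Enterprise Admin, and the AWS half uses the `aws ds create-trust` CLI command. Selective authentication is an optional hardening that is not part of the original answer.

```powershell
# Added example, not from the original thread. Policy under discussion:
#   - on-premises admins must reach RDS / EC2 joined to AWS Managed Microsoft AD
#   - users in the AWS directory must NOT reach on-premises systems
# That is one one-way trust: the AWS directory (resource domain, "trusting")
# trusts the on-premises forest (account domain, "trusted").
#   AWS Managed Microsoft AD side -> "One-Way: Outgoing"
#   on-premises forest side       -> Inbound
# All identifiers below are assumed placeholders.

$AwsDirectoryId = 'd-1234567890'              # assumed AWS Managed Microsoft AD directory ID
$AwsDomain      = 'corp.aws.example.com'      # assumed AWS Managed Microsoft AD FQDN
$OnPremDomain   = 'corp.example.com'          # assumed on-premises forest root FQDN
$OnPremDnsIps   = @('10.0.0.10', '10.0.0.11') # assumed on-premises DNS servers (for the AWS-side conditional forwarder)

# Same trust password must be used on both sides; prompt once, never hard-code it.
$secure = Read-Host -Prompt 'Trust password (entered again on the AWS side)' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. On-premises side first (run on an on-prem DC as Enterprise Admin).
#    Inbound here means "the target forest trusts this forest": our users can be
#    authenticated in the AWS directory, but the AWS directory's users cannot
#    be authenticated here.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $AwsDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
    $plain)

# 2. AWS side via the AWS CLI (you cannot run netdom on the managed DCs).
#    "One-Way: Outgoing" from the AWS directory = the AWS directory trusts the
#    on-prem forest. Selective authentication (optional hardening) means only
#    on-prem principals explicitly granted "Allowed to Authenticate" on an
#    AWS-side computer object can use the trust, instead of every on-prem user.
aws ds create-trust `
    --directory-id $AwsDirectoryId `
    --remote-domain-name $OnPremDomain `
    --trust-password $plain `
    --trust-direction 'One-Way: Outgoing' `
    --trust-type Forest `
    --selective-auth Enabled `
    --conditional-forwarder-ip-addrs $OnPremDnsIps

# 3. Verify from the on-premises side that the policy actually holds:
#    exactly one trust to the AWS domain, and its direction is Inbound only.
#    Outbound or BiDirectional would let AWS-directory accounts into on-prem.
$trust = Get-ADTrust -Filter "Target -eq '$AwsDomain'"
if ($null -eq $trust -or $trust.Direction -ne 'Inbound') {
    throw "Expected an inbound-only trust to $AwsDomain, found: $($trust.Direction)"
}
"OK: $OnPremDomain is trusted by $AwsDomain (Inbound only); AWS users have no path back."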
  • james

    Member
    May 28, 2020 at 9:17 pm

    This is a very technical discussion, really great read. Thank you Jon for shedding light on this item.
