Tagged: –, #RDS, A, access, accessing, accounts, Active, administrator, also, Amazon, an, and, authentication, aws, be, Certified, cloud-based, contained, contains, databases, Directory, domain, EC2, Engineer, for, from, has, have, How, implementing, in, instances., is, IT, launching, maintaining, manage, MOST, must, number, of, on-premises, Operations, policy, prevented, resources, secure, Security, separate, Server, service, sql, systems., team, that, the, their, to, users, which, would
Timed Mode Set 1 – AWS Certified Security Specialty Question 16, Ans not correctCarlo-TutorialsDojo updated 2 months, 2 weeks ago 7 Members · 8 Posts
MemberJune 29, 2020 at 10:57 pm
An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.
How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)
Here are correct option is given as
“Set up a one-way incoming trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.”
which i think wrong as it violate the principal which says “The Direction of the trust is opposite to the direction of access”
so going by the above logic correct answer is “Set up a one-way incoming trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.”
please check and clarify this.
MemberJuly 14, 2020 at 8:11 pm
Thank you for you feedback.
Can you provide the AWS document reference where the “The Direction of the trust is opposite to the direction of access” is discussed?
We will review it and update the answer accordingly base on the document.
Thanks and Regards,
Kenneth Samonte @ Tutorials Dojo
- This reply was modified 10 months, 1 week ago by TutorialsDojo-Support.
MemberJuly 15, 2020 at 11:26 am
please check this.
AdministratorJuly 16, 2020 at 8:10 am
The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.
It also depends on your “Direction of Trust” setting which could be One-way:incoming or One-way:outgoing type.
Just as mentioned in the explanation, there are three trust relationship directions:
1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.
2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.
3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.
I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:
For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.
I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.
Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!
Jon Bonso @ Tutorials Dojo
MemberFebruary 15, 2021 at 10:22 am
I also think the proposed answer is wrong.
The direction of one-way trust from trust/resource domain to trusted/user domain, so it is the opposite to the direction resource is managed.
MemberFebruary 15, 2021 at 8:28 pm
There are two ADs in this scenario — on-premises and AWS. The on-premises AD needs to manage resources in AWS. For this to happen, you have to configure a one-way incoming trust in the on-premises AD. This allows authentication requests that are sent by users in the on-premises domain to be routed successfully to resources in the other domain (AWS.)
The direction of trust is the opposite of the direction of access.
- This reply was modified 3 months ago by Caloy.
MemberFebruary 28, 2021 at 2:55 pm
This is the answer i picked and it was incorrect.
Set up a one-way incoming trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.
Maybe it will be clear if its is mentioned as one-way outgoing, instead of one-way incoming from AWS AD to on-Prem AD
Could the options for answer be clearer ? Not sure if its AWS intention to play with words and have us making assumption to questions.
- This reply was modified 2 months, 2 weeks ago by robin-cher.
MemberMarch 1, 2021 at 5:58 pm
I fail to see how it’d be clearer had the correct option is just “one-way outgoing”.
Outgoing and incoming are relative directions.
“outgoing to where?, incoming from where?”
They depend on a point of reference. Hence, the need to say where the trust is coming from.
In this scenario, we want the on-premises AD to control resources in AWS and must be authenticated by another AD on AWS. The direction of access is On-prem AD -> AWS AD, therefore the direction of trust is the opposite.
I think the improvement that can be done here is to simply state the point of reference.
e.g, Set up a one-way incoming trust in the existing on-premises Active Directory a one-way outgoing trust in the AWS Active Directory.
Let me know your thoughts.
Log in to reply.