AWS Certified Security – Specialty Timed Mode Set 1 – AWS Certified Security Specialty Question 16, Ans not correct

  • varunkumar

    Member
    June 29, 2020 at 10:57 pm

    An organization is implementing a security policy in which their cloud-based users must be contained in a separate authentication domain and prevented from accessing on-premises systems. Their IT Operations team is launching and maintaining a number of Amazon RDS for SQL Server databases and EC2 instances. The organization also has an on-premises Active Directory service that contains the administrator accounts that must have access to the databases and EC2 instances.

    How would the Security Engineer manage the AWS resources of the organization in the MOST secure manner? (Select TWO.)

    Here the correct option is given as
    “Set up a one-way incoming trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.”
    which I think is wrong as it violates the principle which says “The direction of the trust is opposite to the direction of access”,
    so going by the above logic the correct answer is “Set up a one-way incoming trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.”

    Please check and clarify this.

  • TutorialsDojo-Support

    Member
    July 14, 2020 at 8:11 pm

    Hi Varunkumar,

    Thank you for your feedback.

    Can you provide the AWS document reference where the “The Direction of the trust is opposite to the direction of access” is discussed?

    We will review it and update the answer accordingly based on the document.

    Thanks and Regards,

    Kenneth Samonte @ Tutorials Dojo

  • varunkumar

    Member
    July 15, 2020 at 11:26 am
  • Jon-Bonso

    Administrator
    July 16, 2020 at 8:10 am

    Hi Varun,

    The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.

    It also depends on your “Direction of Trust” setting which could be One-way:incoming or One-way:outgoing type.

    Just as mentioned in the explanation, there are three trust relationship directions:

    1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.

    2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.

    3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754706(v=ws.11)

    I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:

    https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/RonCully_trustdiagram.png

    For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.

    Reference:

    https://aws.amazon.com/blogs/security/how-to-enable-windows-integrated-authentication-for-rds-for-sql-server-using-on-premises-active-directory/

    I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.

    Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!

    Regards,

    Jon Bonso @ Tutorials Dojo

  • jacky-shu

    Member
    February 15, 2021 at 10:22 am

    I also think the proposed answer is wrong.

    The direction of a one-way trust is from the trusting/resource domain to the trusted/user domain, so it is the opposite of the direction in which the resource is managed.

    • Caloy

      Member
      February 15, 2021 at 8:28 pm

      Hello jacky-shu,

      There are two ADs in this scenario — on-premises and AWS. The on-premises AD needs to manage resources in AWS. For this to happen, you have to configure a one-way incoming trust in the on-premises AD. This allows authentication requests that are sent by users in the on-premises domain to be routed successfully to resources in the other domain (AWS).

      The direction of trust is the opposite of the direction of access.

    • robin-cher

      Member
      February 28, 2021 at 2:55 pm

      This is the answer I picked and it was incorrect.

      Set up a one-way incoming trust relationship from the new Active Directory in AWS to the existing Active Directory service in the on-premises data center.

      Maybe it would be clearer if it were mentioned as one-way outgoing, instead of one-way incoming from AWS AD to on-prem AD.

      Could the answer options be clearer? Not sure if it's AWS's intention to play with words and have us make assumptions about the questions.

      • Carlo-TutorialsDojo

        Administrator
        March 1, 2021 at 5:58 pm

        Hello robin,

        I fail to see how it’d be clearer had the correct option been just “one-way outgoing”.

        Outgoing and incoming are relative directions.

        “Outgoing to where? Incoming from where?”

        They depend on a point of reference. Hence, the need to say where the trust is coming from.

        In this scenario, we want the on-premises AD to control resources in AWS and must be authenticated by another AD on AWS. The direction of access is On-prem AD -> AWS AD, therefore the direction of trust is the opposite.

        I think the improvement that can be done here is to simply state the point of reference.

        e.g., Set up a one-way incoming trust in the existing on-premises Active Directory and a one-way outgoing trust in the AWS Active Directory.

        Let me know your thoughts.

        Regards,

        Carlo

        • timkeating1970

          Member
          April 25, 2024 at 10:17 am

          I think this is the most confusing topic I’ve ever come across. Page 130 of the Security Specialty study guide indicates “When you configure a one-way outgoing trust from the on-premises Active Directory to the AWS Active Directory, you are allowing users from your on-premises environment to authenticate and access resources protected by the AWS Active Directory”. But the answer on the practice test indicates, “Set up a one-way incoming trust in the existing on-premises Active Directory and a one-way outgoing trust in the new Active Directory in AWS”.

          Aren’t these saying opposite things? I’m kind of mentally blocked here…
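One way to make the relative wording concrete, as an added example that is not part of the thread or of Tutorials Dojo's material: a small Python model that maps "incoming"/"outgoing" at a chosen point of reference onto a single trust edge and then checks who can reach what. It assumes the Microsoft wizard definitions quoted in Jon Bonso's reply and reuses the VPC-Domain / On-Prem-Domain names from his example; the same edge is labelled "incoming" on the on-premises side and "outgoing" on the AWS side, which is exactly Carlo's rewording.

```python
"""Added example (not code from the thread or Tutorials Dojo): a model of one-way
AD trust direction using the Microsoft definitions quoted in Jon Bonso's reply.
In the domain where a trust is created, 'incoming' means users of THIS domain can
authenticate in the other realm; 'outgoing' means users of the OTHER realm can
authenticate here. Domain names follow Jon Bonso's VPC-Domain / On-Prem-Domain."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TrustGraph:
    # Edge (trusting, trusted): 'trusting' accepts authentications from
    # 'trusted', so users of 'trusted' can reach resources in 'trusting'.
    edges: set[tuple[str, str]] = field(default_factory=set)

    def configure(self, this_domain: str, direction: str, other: str) -> tuple[str, str]:
        """Translate the relative console wording into the absolute edge."""
        if direction == "outgoing":      # this domain trusts the other realm
            edge = (this_domain, other)
        elif direction == "incoming":    # the other realm trusts this domain
            edge = (other, this_domain)
        else:
            raise ValueError(f"unknown trust direction {direction!r}")
        self.edges.add(edge)
        return edge

    def can_access(self, user_domain: str, resource_domain: str) -> bool:
        """Direct, non-transitive check: cross-domain access succeeds only if the
        resource domain trusts the user's domain (access runs opposite to trust)."""
        if user_domain == resource_domain:
            return True
        return (resource_domain, user_domain) in self.edges

    def view_from(self, domain: str) -> dict[str, str]:
        """Label each trust as it appears from 'domain': one edge, two names."""
        view: dict[str, str] = {}
        for trusting, trusted in self.edges:
            if domain == trusting:
                view[trusted] = "outgoing"
            elif domain == trusted:
                view[trusting] = "incoming"
        return view


def scenario() -> TrustGraph:
    """The question's policy: on-prem admins reach AWS resources, cloud users never
    reach on-prem. One edge, created as 'incoming' on the on-prem side."""
    g = TrustGraph()
    g.configure("On-Prem-Domain", "incoming", "VPC-Domain")  # edge (VPC-Domain, On-Prem-Domain)
    return g
```

Creating the trust as "outgoing" on the VPC-Domain side produces the identical edge, while an "incoming" trust created on the VPC-Domain side reverses it and lets cloud users into on-premises resources, which is what the policy forbids.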
