Hi Varun,
The scenario says that you have to implement a security policy in which the cloud-based users are prevented from accessing the on-premises systems. The on-premises data center contains the administrator accounts that must have access to the AWS resources (RDS and EC2 instances). Therefore, we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources.
It also depends on your “Direction of Trust” setting which could be One-way:incoming or One-way:outgoing type.
Just as mentioned in the explanation, there are three trust relationship directions:
1. One-way:incoming – Users in the specified realm will not be able to access any resources in this domain.
2. One-way:outgoing – Users in this domain will not be able to access any resources in the specified realm.
3. Two-way (Bi-directional) – Users in this domain and users in the specified realm will be able to access resources in either domain or realm.
I understand what you are saying since the correct option doesn’t mention the “Trust Direction” for the Active Directory integration. This is best represented by this diagram:
https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/RonCully_trustdiagram.png
For example, let’s say you have two domains: VPC-Domain and On-Prem-Domain. A one-way trust from VPC-Domain to On-Prem-Domain means that users authenticated in On-Prem-Domain are trusted in VPC-Domain (the trust direction indicated by the purple arrow in the above diagram). A one-way trust from On-Prem-Domain to VPC-Domain (the trust direction indicated by the green arrow in the above diagram) means users authenticated in VPC-Domain are trusted in On-Prem-Domain.
Reference:
I believe that you are referring to the relationship described above. So when you read the correct option: “Set up a one-way trust relationship from the existing Active Directory in the on-premises data center to the new Active Directory service in AWS.” – the “trust” seems reversed. The provided answer didn’t mention if it is an incoming or outgoing One-way trust.
Since this is more of an advanced Microsoft Active Directory setup, I chose to simplify the terms in the options to focus more on the AWS-side of things. The correct option simply means that we need a one-way trust relationship that allows requests from on-premises users to access the VPC resources, but not vice-versa.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!
Regards,
Jon Bonso @ Tutorials Dojo
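Because the "direction" wording trips people up in exactly the way this thread shows, here is an added worked example (my own code, not part of the post or of Tutorials Dojo's material) that encodes the trust-direction semantics from the three definitions above and checks them against the scenario's policy: on-premises users may reach the AWS-hosted resources, cloud-side users may not reach on-premises systems. The domain names, directory ID and IP addresses are constructed placeholders; the parameter names in `create_trust_args` follow the `aws ds create-trust` / boto3 `create_trust` call as I know it and the `describe-trusts` record shape is likewise an assumption, so verify both against the current AWS documentation before use.

```python
"""Trust-direction semantics for an AD trust, as configured on AWS Managed Microsoft AD.

Windows trust-wizard terminology:
  - the *trusting* domain holds the resources,
  - the *trusted* domain holds the user accounts.
Direction is always stated relative to the domain you are configuring it on:
  "One-Way: Outgoing"  this domain trusts the remote domain -> remote users can reach
                       resources here; our users get nothing in the remote realm.
  "One-Way: Incoming"  the remote domain trusts this one -> our users can reach remote
                       resources; remote users get nothing here.
  "Two-Way"            both directions.
"""
from dataclasses import dataclass

OUTGOING = "One-Way: Outgoing"
INCOMING = "One-Way: Incoming"
TWO_WAY = "Two-Way"

# Constructed names for the two domains in the exam scenario (not real domains).
ON_PREM = "corp.onprem.example"
AWS_AD = "aws.corp.example"


@dataclass(frozen=True)
class Trust:
    local_domain: str   # the domain the trust is configured on
    remote_domain: str
    direction: str      # one of the three constants above


def trust_direction(local_domain, user_domain, resource_domain):
    """Direction to configure on `local_domain` so that accounts from `user_domain`
    can be granted access to resources in `resource_domain`, and nothing more."""
    if local_domain == resource_domain:
        return OUTGOING   # we are the trusting (resource) side
    if local_domain == user_domain:
        return INCOMING   # we are the trusted (account) side
    raise ValueError("local_domain must be the user domain or the resource domain")


def allowed(trust, user_domain, resource_domain):
    """Can an account from `user_domain` be authorized on a resource in
    `resource_domain` through this trust?"""
    if {user_domain, resource_domain} != {trust.local_domain, trust.remote_domain}:
        return False
    if user_domain == resource_domain:
        return False  # same domain: no trust needed, not a cross-domain access
    if trust.direction == TWO_WAY:
        return True
    if trust.direction == OUTGOING:
        return resource_domain == trust.local_domain
    if trust.direction == INCOMING:
        return resource_domain == trust.remote_domain
    raise ValueError(f"unknown TrustDirection {trust.direction!r}")


def policy_violations(trust):
    """Check the scenario's policy against a configured trust and return the problems.
    Policy: on-prem admins reach AWS resources; cloud users never reach on-prem."""
    problems = []
    if not allowed(trust, ON_PREM, AWS_AD):
        problems.append("on-premises users cannot reach the AWS-side resources")
    if allowed(trust, AWS_AD, ON_PREM):
        problems.append("cloud-side users can reach on-premises resources")
    return problems


def trust_from_describe(record, local_domain):
    """Build a Trust from one entry of `aws ds describe-trusts` output
    (assumed keys: RemoteDomainName, TrustDirection, TrustState)."""
    if record.get("TrustState") != "Verified":
        raise ValueError(f"trust not verified: {record.get('TrustState')!r}")
    return Trust(local_domain, record["RemoteDomainName"], record["TrustDirection"])


def create_trust_args(directory_id, remote_domain, direction, forwarder_ips):
    """Parameter set for boto3 `ds.create_trust(**args)` (assumed parameter names).
    The trust password belongs in a secret store, never in source; placeholder here."""
    return {
        "DirectoryId": directory_id,
        "RemoteDomainName": remote_domain,
        "TrustPassword": "<trust-password-from-secrets-manager>",
        "TrustDirection": direction,
        "TrustType": "Forest",
        "ConditionalForwarderIpAddrs": list(forwarder_ips),
    }


if __name__ == "__main__":
    direction = trust_direction(AWS_AD, user_domain=ON_PREM, resource_domain=AWS_AD)
    print("configure on AWS Managed AD:", direction)
    print(create_trust_args("d-0000000000", ON_PREM, direction, ["10.0.0.10"]))
    # Constructed describe-trusts record, as if returned after the trust was verified.
    record = {"RemoteDomainName": ON_PREM, "TrustDirection": direction, "TrustState": "Verified"}
    print("violations:", policy_violations(trust_from_describe(record, AWS_AD)))
```

The point the model makes explicit: the trust that satisfies the scenario is "One-Way: Outgoing" when you configure it on the AWS Managed Microsoft AD side (the AWS directory trusts the on-premises accounts) and "One-Way: Incoming" when the same trust is described from the on-premises side. A trust created the other way round passes the `describe-trusts` health check but fails the policy check, which is the reversal the original question was about.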