Reply To: Active Directory Trust (AWS Certified Security – Specialty forum)
Your answer is just a repeat of your original assertion, and the documentation you provide does not support the answer you’ve given.
Multiple users have come to this page to explain the answer is incorrect.
My colleague Jordan, who has passed this exam twice (because of renewal), answered the same. I asked him blindly, without explaining to him that there was a difference of opinion.
Chat-GPT answers the same way as all of the many people that have said the current answer is wrong.
Chat-GPT has provided an explanation below of why the document you provided does not support your assertion.
Conclusion:
The Microsoft document does not support TutorialsDojo’s assertion. Instead, it reinforces the correct approach: the trust direction should be such that AWS (Domain B) trusts the on-premises AD (Domain A). This setup allows on-premises administrators to manage AWS resources securely without allowing cloud-based users to access on-premises systems. The Microsoft documentation supports this configuration as the more secure and aligned approach to maintaining distinct authentication domains and minimizing access risks.
Let’s break down the response from TutorialsDojo, analyze the Microsoft documentation they provided, and assess whether it supports their assertion or the original interpretation.
TutorialsDojo’s Explanation Recap:
- One-Way Trust from On-Premises AD (Domain A) to AWS AD (Domain B):
  - Claim: Domain A (on-premises) trusts Domain B (AWS). According to their interpretation, this means cloud users in Domain B can authenticate against AWS AD but do not have access to on-premises resources in Domain A.
Analyzing the Microsoft Documentation:
The document provided in the Microsoft link is about “Concepts: Forest and Domain Trusts” for Azure AD Domain Services. It explains various types of trusts, including one-way and two-way trusts, and the implications of trust relationships between different domains and forests.
One-Way Trust Explanation (According to Microsoft):
- In a one-way trust, the trusting domain (let’s call it Domain A) trusts the trusted domain (Domain B).
- Implication: This means that users from Domain B can be granted access to resources in Domain A, provided they have the necessary permissions. Conversely, users in Domain A cannot access resources in Domain B unless there’s a reciprocal trust.
- Example (from the document): If Domain A trusts Domain B, Domain B’s users can access resources in Domain A, but Domain A’s users cannot access Domain B’s resources.
Assessing TutorialsDojo’s Interpretation:
- TutorialsDojo claims that when Domain A (on-premises) trusts Domain B (AWS), it prevents cloud users from accessing on-premises resources. However, according to the Microsoft documentation, this setup would actually allow users from Domain B (AWS) to potentially access resources in Domain A (on-premises) if permissions are granted.
- Therefore, the Microsoft document does not support their assertion. Instead, it indicates that a one-way trust in this direction would allow cloud users (from AWS AD) to access on-premises resources, which contradicts the security requirement to prevent this.
Correct Interpretation and Alignment with Microsoft Documentation:
- One-Way Trust from AWS AD (Domain B) to On-Premises AD (Domain A):
  - Microsoft’s Guidance: If Domain B (AWS) trusts Domain A (on-premises), it means that on-premises users can access resources in AWS (Domain B), but not vice versa.
  - Security Alignment: This setup ensures that on-premises users (administrators) can manage AWS resources, while cloud-based users are contained within the AWS domain and do not have access to on-premises systems.
This interpretation directly aligns with the Microsoft documentation and supports the original recommendation:
- Using AWS Directory Service, set up an AWS Managed Microsoft AD to manage the RDS databases and EC2 instances.
- Set up a one-way incoming trust relationship in the new Active Directory in AWS and a one-way outgoing trust in the existing on-premises Active Directory.
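The trust semantics quoted above from the Microsoft documentation (the trusting domain grants potential access to accounts from the trusted domain, never the reverse), as an added Python model that is not part of the original post or of any AWS or Microsoft tooling. It evaluates which one-way direction meets the requirement that on-premises administrators can reach AWS resources while AWS accounts cannot reach on-premises ones; the domain names are constructed, and the incoming/outgoing mapping follows the labels used in the AD Domains and Trusts console ("domains trusted by this domain (outgoing trusts)", "domains that trust this domain (incoming trusts)").

```python
"""Model of one-way AD trust direction: the trusting domain's resources become
reachable by accounts of the trusted domain (subject to normal ACLs), never the
reverse. Domain names below are constructed placeholders."""
from dataclasses import dataclass

ONPREM = "corp.example"  # constructed: on-premises AD, "Domain A" in the thread
AWS = "aws.example"      # constructed: AWS Managed Microsoft AD, "Domain B"


@dataclass(frozen=True)
class Trust:
    trusting: str  # domain whose resources become reachable
    trusted: str   # domain whose accounts may be granted that access


def trust_as_configured(on_domain: str, direction: str, remote: str) -> Trust:
    """Map the per-domain wording from AD Domains and Trusts to a Trust.
    'outgoing' on a domain means that domain trusts the remote domain;
    'incoming' on a domain means the remote domain trusts that domain."""
    if direction == "outgoing":
        return Trust(trusting=on_domain, trusted=remote)
    if direction == "incoming":
        return Trust(trusting=remote, trusted=on_domain)
    raise ValueError(f"unknown trust direction {direction!r}")


def can_reach(trusts, user_domain: str, resource_domain: str) -> bool:
    """True if accounts from user_domain can be authorised on resources in
    resource_domain: same domain, or a one-way trust pointing the right way."""
    if user_domain == resource_domain:
        return True
    return any(t.trusting == resource_domain and t.trusted == user_domain
               for t in trusts)


def requirement_met(trusts) -> bool:
    """On-prem admins must reach AWS resources; AWS accounts must not reach on-prem."""
    return can_reach(trusts, ONPREM, AWS) and not can_reach(trusts, AWS, ONPREM)


if __name__ == "__main__":
    # Candidate 1: AWS (Domain B) trusts on-prem (Domain A).
    aws_trusts_onprem = [Trust(trusting=AWS, trusted=ONPREM)]
    # Candidate 2: on-prem (Domain A) trusts AWS (Domain B).
    onprem_trusts_aws = [Trust(trusting=ONPREM, trusted=AWS)]
    print("AWS trusts on-prem meets requirement:", requirement_met(aws_trusts_onprem))
    print("on-prem trusts AWS meets requirement:", requirement_met(onprem_trusts_aws))
    # The same trust seen from each side: outgoing on AWS == incoming on on-prem.
    print(trust_as_configured(AWS, "outgoing", ONPREM)
          == trust_as_configured(ONPREM, "incoming", AWS))
```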