Topic 1 Question 1018
A company needs to give a globally distributed development team secure access to the company's AWS resources in a way that complies with security policies.
The company currently uses an on-premises Active Directory for internal authentication. The company uses AWS Organizations to manage multiple AWS accounts that support multiple projects.
The company needs a solution to integrate with the existing infrastructure to provide centralized identity management and access control.
Which solution will meet these requirements with the LEAST operational overhead?
A. Set up AWS Directory Service to create an AWS managed Microsoft Active Directory on AWS. Establish a trust relationship with the on-premises Active Directory. Use IAM roles that are assigned to Active Directory groups to access AWS resources within the company's AWS accounts.
B. Create an IAM user for each developer. Manually manage permissions for each IAM user based on each user's involvement with each project. Enforce multi-factor authentication (MFA) as an additional layer of security.
C. Use AD Connector in AWS Directory Service to connect to the on-premises Active Directory. Integrate AD Connector with AWS IAM Identity Center. Configure permission sets to give each AD group access to specific AWS accounts and resources.
D. Use Amazon Cognito to deploy an identity federation solution. Integrate the identity federation solution with the on-premises Active Directory. Use Amazon Cognito to provide access tokens for developers to access AWS accounts and resources.
User votes
Comments (6)
- Selected answer: A
Why not "A"? Check out the note of this link: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
AD Connector cannot be shared with other AWS accounts. If this is a requirement, consider using AWS Managed Microsoft AD to Share your AWS Managed Microsoft AD. AD Connector is also not multi-VPC aware, which means that AWS applications like WorkSpaces are required to be provisioned into the same VPC as your AD Connector.
And I think managing multiple AWS accounts is, indeed, a requirement.
👍 3 · GOTJ · 2024/12/26

- Selected answer: C
A - On-premises Active Directory already exists.
B - "Manually"? Oh hell no. But MFA is something, I guess.
C - AD Connector seamlessly connects AWS to the on-premises Active Directory without the need to synchronize or replicate the directory. Identity Center (formerly AWS SSO) allows centralized access management across AWS accounts in an AWS Organizations setup. Permission sets can be configured to map Active Directory groups to specific AWS accounts and resources, making access control easy and secure.
D - Amazon Cognito is better suited for application-level identity management (like customer-facing apps), not for internal teams working across multiple AWS accounts.
👍 3 · LeonSauveterre · 2025/01/10

- Selected answer: C
Answer is C
👍 2 · aragon_saa · 2024/10/08
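Option C in code, as an added example that is not part of the thread: resolve an on-premises AD group in the Identity Store, create a permission set, and assign the group to it in several member accounts. It assumes IAM Identity Center is already connected to the on-premises AD through AD Connector (so AD groups resolve in the Identity Store) and that the caller runs in the Organizations management account; the group name, policy ARN and account IDs are placeholders.

```python
"""Option C in code: map one on-premises AD group to a permission set across accounts.
Assumes IAM Identity Center is connected to the on-premises AD via AD Connector (so AD
groups resolve in the Identity Store) and the caller runs in the management account."""


def find_group_id(identitystore, identity_store_id, display_name):
    """Resolve an AD group's Identity Store GroupId by display name; None if Identity
    Center cannot see it (typo, or a domain the AD Connector does not cover)."""
    try:
        resp = identitystore.get_group_id(
            IdentityStoreId=identity_store_id,
            AlternateIdentifier={"UniqueAttribute": {
                "AttributePath": "displayName", "AttributeValue": display_name}})
    except identitystore.exceptions.ResourceNotFoundException:
        return None
    return resp["GroupId"]


def grant_group_access(sso_admin, identitystore, instance_arn, identity_store_id,
                       group_name, permission_set_name, managed_policy_arn, account_ids):
    """Create the permission set, attach one managed policy, and assign the AD group
    to it in every listed account. Returns {account_id: request_id}; assignments are
    asynchronous, so poll describe_account_assignment_creation_status with each ID."""
    group_id = find_group_id(identitystore, identity_store_id, group_name)
    if group_id is None:  # fail closed: never guess at a principal
        raise ValueError(f"AD group {group_name!r} is not visible in the Identity Store")
    ps_arn = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=permission_set_name, SessionDuration="PT8H",
    )["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=managed_policy_arn)
    requests = {}
    for account_id in account_ids:
        status = sso_admin.create_account_assignment(
            InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id,
        )["AccountAssignmentCreationStatus"]
        requests[account_id] = status["RequestId"]
    return requests


if __name__ == "__main__":
    import boto3  # real clients; group name, policy and account IDs below are placeholders
    sso_admin, identitystore = boto3.client("sso-admin"), boto3.client("identitystore")
    inst = sso_admin.list_instances()["Instances"][0]
    print(grant_group_access(sso_admin, identitystore, inst["InstanceArn"],
                             inst["IdentityStoreId"], "proj-alpha-developers",
                             "ProjAlphaDeveloper", "arn:aws:iam::aws:policy/PowerUserAccess",
                             ["111111111111", "222222222222"]))
```

Because the AD group is looked up rather than created, nothing is assigned when AD Connector has not surfaced the group, which is the check you want before granting access in every project account.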