SAP-C02 Exam - Question 325


A company is rearchitecting its applications to run on AWS. The company’s infrastructure includes multiple Amazon EC2 instances. The company's development team needs different levels of access. The company wants to implement a policy that requires all Windows EC2 instances to be joined to an Active Directory domain on AWS. The company also wants to implement enhanced security processes such as multi-factor authentication (MFA). The company wants to use managed AWS services wherever possible.

Which solution will meet these requirements?

Correct Answer: A

To meet the requirement of having all Windows EC2 instances joined to an Active Directory domain on AWS, as well as implementing multi-factor authentication and using managed AWS services wherever possible, the best solution is to create an AWS Directory Service for Microsoft Active Directory implementation. Amazon WorkSpaces, used for the domain security configuration tasks, is a fully managed service that provides a Windows desktop environment in the AWS Cloud, making it easier to manage and secure than an EC2 instance that must be set up and configured manually.

Discussion

17 comments
HappyPrince (Option: B)
Dec 20, 2023

I support B as well per this link where EC2 is recommended: https://docs.aws.amazon.com/workspaces/latest/adminguide/directory_administration.html

nublit (Option: B)
Dec 4, 2023

B is correct. The question mentions "Windows EC2", not "Windows user desktops". Maybe the Windows EC2 can be Windows Servers.

07c2d2a
Feb 9, 2024

"The company wants to implement a policy that requires all Windows EC2 instances to be joined to an Active Directory domain on AWS". Workspaces are automatically domain joined. EC2 aren't going to be automatically domain joined without some extra steps. I feel like that's what they're getting at here...

dankositzke (Option: A)
Feb 17, 2024

I would choose A over B because of the last requirement: “The company wants to use managed AWS services wherever possible.”

TonytheTiger (Option: A)
Mar 22, 2024

Option A - Three requirements, 1. join AD domain, 2. enable MFA, 3. Use AWS managed service. Nothing about cost or any additional requirements. Option A checks all the boxes from the article information - https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/

chelbsik (Option: A)
Feb 4, 2024

A seems better, as it uses managed Workspaces, which we can apply different security controls to despite what some people here say https://docs.aws.amazon.com/whitepapers/latest/best-practices-deploying-amazon-workspaces/security.html

chelbsik
Feb 4, 2024

Additionally, you can apply Group Policies to Windows Workspaces, which is a domain security task, though there are some limitations https://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html

Jay_2pt0_1
Dec 28, 2023

It can't be an EC2. It says to use AWS services. I'm even torn on whether or not we should use Simple AD.

rodygogan
Feb 7, 2024

Indeed, EC2 is an AWS service - I guess you meant it isn't AWS managed.

career360guru (Option: B)
Jan 9, 2024

Option B. Workspace Windows servers cannot be used for Domain Security tasks.

Dgix (Option: A)
Mar 9, 2024

Because managed services.

titi_r (Option: A)
Apr 15, 2024

A - correct.

markovr6
May 5, 2024

You can manage AD admin tasks from Workspace. The requirement is to use AWS Managed Services where possible. So the answer is A - there is nothing you can manage AD-wise on EC2 that you can't do on the Windows Workspace.

paderni
May 25, 2024

A. Amazon WorkSpaces is more secure and managed.

9f02c8d
May 25, 2024

A is the right answer, as Amazon WorkSpaces provides a managed desktop-as-a-service solution that allows you to access a Windows desktop environment in the AWS Cloud.

9f02c8d
Jun 1, 2024

A is the right answer.

trungtd (Option: A)
Jun 12, 2024

Technically, you can use AWS Workspace for domain security configuration tasks. So A is correct.

Win007
Jun 12, 2024

A is correct

junehc
Jul 14, 2024

I will go for A based on this "RADIUS MFA is applicable only to authenticate access to the AWS Management Console, or to Amazon Enterprise applications and services such as WorkSpaces, Amazon QuickSight, or Amazon Chime. It does not provide MFA to Windows workloads running on EC2 instances, or for signing into an EC2 instance" https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_mfa.html