I hit this question on a practice test; it looks similar to this:
A big MNC with existing on-prem AD with following security requirements:
Cloud users must be in another authentication domain
Cloud users shall not access on-prem systems
On-prem AD administrators shall be able to access DB and instances in AWS.
How to do it in the MOST secure way? (Choose 2)
A. Configure AWS Managed AD for managing the cloud side.
B. Configure another on-prem AD for managing the cloud.
C. Make one-way trust from on-prem AD to new AD
D. Make one-way trust from new AD to on-prem AD
E. Make 2-way trust between on-prem AD and new AD
Based on the lecture, I picked options A and E, but I'm really not sure whether the registered cloud users would be able to log in on the on-prem side, and I don't have an AD to really simulate the scenario above. Would you mind helping out?
A and E. For on-prem AD connectivity you need to have either AD Connector or Managed AD. Due to this, answer A is correct.
And you need a 2-way trust: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html
I think it should be AD.
Direction of trust
When do we need 1-way and when do we need 2-way trust?
Also, a lot of related topics are talked about and pop up in the Q&A section of this video:
I’ll throw in 2 cents worth (A and C). I agree with the others on letter "A." This seems to make sense since cloud users should have no on-prem access. If you created a new on-prem AD domain, the cloud users would at least have to access the on-prem AD server to authenticate for their cloud access. This is low risk, but if it’s not needed then it’s better to keep the cloud authentication completely separate and completely in AWS as in answer "A." However, when it comes to the second choice, letter "C" makes the most sense to me. I don’t believe there is any reason for the on-prem AD to trust the AWS managed AD. However, it is necessary for the AWS Managed AD to trust the on-prem AD for the on-prem AD administrator EC2 instance access. This leads me to the conclusion that letter "C" is the best choice for the one-way trust to go from the on-prem AD to the AWS managed AD.
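To make the trust direction concrete, here is an added example (not from the thread, the course, or AWS's own material) of creating the AWS-side half of that one-way forest trust with the AWS CLI. The directory ID, domain name and DNS address are placeholders; `--trust-direction "One-Way: Outgoing"` follows Windows trust semantics, meaning the AWS Managed AD domain trusts the on-prem domain and not the reverse, and `--selective-auth Enabled` narrows that further to computers where on-prem principals are explicitly allowed to authenticate.

```shell
#!/bin/sh
# Added example: AWS-side creation of a one-way forest trust so that on-prem AD
# principals can be authorised on AWS Managed Microsoft AD resources while
# cloud-domain users get no path back on-prem. The on-prem domain must
# configure its matching (incoming) side of the trust separately.
# Placeholders below are assumptions, not values from the thread.
AWS_DIRECTORY_ID="${AWS_DIRECTORY_ID:-d-0000000000}"   # AWS Managed AD directory
ONPREM_DOMAIN="${ONPREM_DOMAIN:-corp.example.internal}" # on-prem forest root
ONPREM_DNS_IP="${ONPREM_DNS_IP:-10.0.0.10}"             # on-prem DNS for forwarder

# create_trust [runner]
#   runner = "echo" previews the command; empty (default) executes it.
#   Outgoing = AWS Managed AD trusts the remote domain (Windows semantics).
#   Selective authentication requires "Allowed to Authenticate" on each
#   AWS-side computer object before an on-prem user can log on to it.
create_trust() {
  run="${1:-}"
  if [ -z "$run" ] && [ -z "$TRUST_PASSWORD" ]; then
    echo "TRUST_PASSWORD must be set and match the on-prem side" >&2
    return 1
  fi
  $run aws ds create-trust \
    --directory-id "$AWS_DIRECTORY_ID" \
    --remote-domain-name "$ONPREM_DOMAIN" \
    --trust-type Forest \
    --trust-direction "One-Way: Outgoing" \
    --selective-auth Enabled \
    --conditional-forwarder-ip-addrs "$ONPREM_DNS_IP" \
    --trust-password "${TRUST_PASSWORD:-<set-at-runtime>}"
}

# verify_trust: review direction, state and selective auth after both sides
# exist; a trust that is Two-Way here would violate the stated requirement.
verify_trust() {
  aws ds describe-trusts --directory-id "$AWS_DIRECTORY_ID" \
    --query 'Trusts[].{Remote:RemoteDomainName,Direction:TrustDirection,State:TrustState,SelAuth:SelectiveAuth}' \
    --output table
}
```

Run `create_trust echo` to preview, `create_trust` to create, then `verify_trust` once the on-prem side has been configured.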
Can someone from ACG team help with the correct answer?