4 Answers
A and E. For on-prem AD connectivity you need to have either AD Connector or Managed AD. Because of this, answer A is correct.
And you need 2 way trust https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html
I think it should be AD.
Direction of trust
When do we need 1-way and when do we need 2-way trust?
Also, a lot of related topics are discussed in the talk and pop up in the Q & A section of this video:
I’ll throw in 2 cents worth (A and C). I agree with the others on letter "A." This seems to make sense since cloud users should have no on-prem access. If you created a new on-prem AD domain, the cloud users would at least have to access the on-prem AD server to authenticate for their cloud access. This is low risk, but if it’s not needed then it’s better to keep the cloud authentication completely separate and completely in AWS as in answer "A." However, when it comes to the second choice, letter "C" makes the most sense to me. I don’t believe there is any reason for the on-prem AD to trust the AWS managed AD. However, it is necessary for the AWS Managed AD to trust the on-prem AD for the on-prem AD administrator EC2 instance access. This leads me to the conclusion that letter "C" is the best choice for the one-way trust to go from the on-prem AD to the AWS managed AD.
Your answer choice C is contradicting your reasoning: "I don’t believe there is any reason for the on-prem AD to trust the AWS managed AD"
Can someone from ACG team help with the correct answer?
That’s my take as well. The use case says "On-prem AD administrators shall be able to access DB and instances in AWS" which makes E one of the correct answers.
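The "1-way vs 2-way" question above and the reasoning about which side must trust which can be checked mechanically. The following is an added example, not part of this thread or of any AWS code: it models the standard AD trust semantics (the trusting domain owns the resources and accepts accounts from the trusted domain, never the reverse), maps the three trust-direction values used by the AWS Directory Service CreateTrust API onto those directional trusts as seen from the AWS Managed Microsoft AD side, and evaluates the two requirements the thread states (on-prem admins reach AWS resources; cloud users get no on-prem access). The domain names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed domain names for the scenario discussed in the thread (assumption).
ONPREM = "corp.example.com"      # on-premises AD: holds the administrators' accounts
AWS_MAD = "aws.example.com"      # AWS Managed Microsoft AD: holds the cloud users

# Trust-direction values as named by the AWS Directory Service CreateTrust API.
# They are always expressed from the point of view of the AWS Managed Microsoft AD directory.
DIRECTIONS = ("One-Way: Outgoing", "One-Way: Incoming", "Two-Way")


@dataclass(frozen=True)
class Trust:
    """One directional trust: the trusting domain owns the resources and accepts
    accounts from the trusted domain. Access never flows the other way."""
    trusting: str
    trusted: str


def trusts_for(direction: str) -> FrozenSet[Trust]:
    """Expand an AWS trust-direction value into the underlying directional trust(s).
    'Outgoing' from the AWS directory means the AWS directory trusts on-prem,
    so on-prem accounts can be granted access to resources joined to AWS Managed AD."""
    outgoing = Trust(trusting=AWS_MAD, trusted=ONPREM)
    incoming = Trust(trusting=ONPREM, trusted=AWS_MAD)
    if direction == "One-Way: Outgoing":
        return frozenset({outgoing})
    if direction == "One-Way: Incoming":
        return frozenset({incoming})
    if direction == "Two-Way":
        return frozenset({outgoing, incoming})
    raise ValueError(f"unknown trust direction: {direction!r}")


def can_access(trusts: FrozenSet[Trust], account_domain: str, resource_domain: str) -> bool:
    """An account can reach resources in its own domain, or in any domain that trusts its domain."""
    if account_domain == resource_domain:
        return True
    return Trust(trusting=resource_domain, trusted=account_domain) in trusts


# Requirements taken from the thread, as (account_domain, resource_domain, must_be_allowed).
REQUIREMENTS: Tuple[Tuple[str, str, bool], ...] = (
    (ONPREM, AWS_MAD, True),    # on-prem AD admins must reach EC2 instances / DB in AWS
    (AWS_MAD, ONPREM, False),   # cloud users must have no on-prem access
)


def evaluate(direction: str,
             requirements: Iterable[Tuple[str, str, bool]] = REQUIREMENTS) -> Dict[str, bool]:
    """Report whether a direction grants every required path and whether it also
    opens any forbidden path (the over-grant a two-way trust introduces here)."""
    trusts = trusts_for(direction)
    result = {"required_access_granted": True, "forbidden_access_granted": False}
    for account_domain, resource_domain, must_allow in requirements:
        allowed = can_access(trusts, account_domain, resource_domain)
        if must_allow and not allowed:
            result["required_access_granted"] = False
        if not must_allow and allowed:
            result["forbidden_access_granted"] = True
    return result


def least_privilege_direction(requirements=REQUIREMENTS) -> str:
    """Return the direction that meets every required path without granting a forbidden one."""
    for direction in DIRECTIONS:  # one-way options are tried before Two-Way
        verdict = evaluate(direction, requirements)
        if verdict["required_access_granted"] and not verdict["forbidden_access_granted"]:
            return direction
    raise ValueError("no single trust direction satisfies the requirements")


if __name__ == "__main__":
    for direction in DIRECTIONS:
        print(f"{direction:18} -> {evaluate(direction)}")
    print("least-privilege choice:", least_privilege_direction())
```

Run as-is, the script shows that only "One-Way: Outgoing" (AWS Managed AD trusts on-prem) satisfies both requirements; "One-Way: Incoming" grants the wrong path, and "Two-Way" works but also lets cloud accounts authenticate to on-prem resources, which the scenario rules out. The model deliberately stops at authentication reach: a trust only makes cross-domain authentication possible, and resource ACLs (and, if configured, selective authentication) still decide what an on-prem administrator can actually touch in AWS.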