DVA-C02 Question #513: Real Exam Question with Answer & Explanation
The correct answer is A.
Question
A company is developing a new application that uses Amazon EC2, Amazon S3, and AWS Lambda resources. The company wants to allow employees to access the AWS Management Console by using existing credentials that the company stores and manages in an on-premises Microsoft Active Directory. Each employee must have a specific level of access to the AWS resources that is based on the employee's role. Which solution will meet these requirements with the LEAST operational overhead?
Options
- A. Configure AWS Directory Service to create an Active Directory in AWS Directory Service for
- B. Use LDAP to directly integrate the on-premises Active Directory with AWS Identity and Access
- C. Implement a custom identity broker to authenticate users into the on-premises Active Directory.
- D. Configure Amazon Cognito to federate users into the on-premises Active Directory. Use Cognito
Explanation
Option A uses AWS Directory Service as the identity source for IAM Identity Center (the successor to AWS SSO). The visible option text describes creating a directory in AWS Directory Service; either an AD Connector that proxies to the on-premises domain controllers, or an AWS Managed Microsoft AD with a trust to the on-premises forest, works as an Identity Center identity source. In both cases authentication is answered by the on-premises domain controllers: no passwords are synchronized into AWS and no custom code is written. Employees sign in to the AWS access portal with their existing AD credentials and reach the AWS Management Console with the permission sets assigned to their AD groups, which gives the per-role access the question requires. This is the lowest-overhead approach because AWS manages the federation plumbing (SAML assertions, session issuance, role mapping) end to end.
Option B is wrong because AWS IAM does not natively support direct LDAP integration; building that connection would require custom infrastructure and ongoing maintenance. Option C is wrong for a similar reason: a custom identity broker means writing, deploying, and maintaining your own authentication service (AD binding, SAML or STS token issuance, session handling), which is the highest operational overhead of the four options. Option D is wrong because Amazon Cognito is built for customer-facing application identity: user pools issue tokens to applications and identity pools vend temporary AWS credentials for API calls, but neither provides AWS Management Console sign-in for a workforce. It is the wrong service for this use case and adds a second identity layer to maintain.
Memory tip: AD Connector = "bridge, don't copy". It proxies authentication to your on-premises AD without replicating any credentials into AWS, making it the go-to answer whenever you see "existing on-premises Active Directory + least overhead + AWS Console access." In practice the connector still needs a VPN or Direct Connect path to the domain controllers, the DNS/LDAP/Kerberos ports open to them, and a read-only AD service account, so "least overhead" is relative to the alternatives, not zero.
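To make the Option A architecture concrete, the following Terraform configuration is an added example; it is not code from the exam page or from AWS. It assumes an existing IAM Identity Center instance in the management account, a VPC with two private subnets that can reach the on-premises domain controllers, and a read-only AD service account for the connector. All domain names, IPs, subnet and VPC IDs, the bucket name, and the AD group name are hypothetical placeholders. The one step Terraform cannot express, switching the Identity Center identity source to the new directory, is done in the IAM Identity Center console and is called out in a comment.

```hcl
# Added example, not from the exam page. Assumed inputs are marked "hypothetical".
# Manual step not expressible here: in the IAM Identity Center console, change the
# identity source to the AD Connector created below before the group lookup works.

variable "target_account_id" { type = string } # member account hosting the app

variable "ad_service_account_password" {
  type      = string
  sensitive = true # pass via TF_VAR_ or a secret store; never commit it
}

# 1. Bridge, don't copy: AD Connector proxies authentication to the on-premises
#    domain controllers and stores no user credentials in AWS.
resource "aws_directory_service_directory" "onprem_connector" {
  name     = "corp.example.com" # hypothetical on-premises domain
  type     = "ADConnector"
  size     = "Small"
  password = var.ad_service_account_password

  connect_settings {
    customer_dns_ips  = ["10.10.0.10", "10.10.0.11"]           # hypothetical DC IPs
    customer_username = "svc-adconnector"                        # read-only AD account
    subnet_ids        = ["subnet-0a1b2c3d4e5f6a7b8", "subnet-0b2c3d4e5f6a7b8c9"] # hypothetical
    vpc_id            = "vpc-0123456789abcdef0"                  # hypothetical
  }
}

# 2. The Identity Center instance and its identity store (AD-backed after the switch).
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# 3. One permission set per job role, scoped to the three services in the question
#    rather than AdministratorAccess. Other roles get their own permission sets.
resource "aws_ssoadmin_permission_set" "app_developer" {
  name             = "AppDeveloper"
  description      = "EC2/S3/Lambda access for the new application"
  instance_arn     = local.instance_arn
  session_duration = "PT4H" # short console sessions; re-authentication goes back to AD
}

data "aws_iam_policy_document" "app_developer" {
  statement {
    sid = "ReadOnlyDiscovery"
    actions = [
      "ec2:Describe*",
      "lambda:ListFunctions",
      "lambda:GetFunction",
      "s3:ListAllMyBuckets",
    ]
    resources = ["*"] # these actions do not support resource-level scoping
  }
  statement {
    sid       = "OperateAppFunction"
    actions   = ["lambda:InvokeFunction", "lambda:UpdateFunctionCode"]
    resources = ["arn:aws:lambda:*:${var.target_account_id}:function:app-*"] # hypothetical prefix
  }
  statement {
    sid       = "AppBucketOnly"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::app-bucket-example", "arn:aws:s3:::app-bucket-example/*"] # hypothetical
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "app_developer" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.app_developer.arn
  inline_policy      = data.aws_iam_policy_document.app_developer.json
}

# 4. Map the AD group to the permission set in the target account. With AD as the
#    identity source the group display name is shown as DOMAIN\group in the console;
#    copy the exact value from there (the name below is hypothetical).
data "aws_identitystore_group" "app_developers" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "corp\\AWS-AppDevelopers"
    }
  }
}

resource "aws_ssoadmin_account_assignment" "app_developers" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.app_developer.arn
  principal_id       = data.aws_identitystore_group.app_developers.group_id
  principal_type     = "GROUP"
  target_id          = var.target_account_id
  target_type        = "AWS_ACCOUNT"
}
```

The design choice worth noting is that role-based access lives entirely in the permission set and the AD group assignment: adding an employee to the on-premises group grants console access in the target account on the next sign-in, and removing them (or disabling the AD account) revokes it, with no IAM users or access keys to rotate or clean up.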