What should the solutions architect recommend?
Use AWS Directory Service to create a managed Active Directory. Uninstall Active Directory on the current EC2 instance.
Create another EC2 instance in the same subnet and reinstall Active Directory on it. Uninstall Active Directory.
Use AWS Directory Service to create an Active Directory connector. Proxy Active Directory requests to the Active Directory domain controller running on the current EC2 instance.
Enable AWS Single Sign-On (AWS SSO) with Security Assertion Markup Language (SAML) 2.0 federation with the current Active Directory controller. Modify the EC2 instance’s security group to deny public access to Active Directory.
Explanations:
Using AWS Directory Service to create a managed Active Directory (AWS Managed Microsoft AD) moves the domain controllers onto infrastructure that AWS deploys, patches and monitors, reachable only through elastic network interfaces in the VPC subnets you choose, so no domain controller has to sit on a public-facing instance. Uninstalling Active Directory from the current EC2 instance removes the exposed domain controller, which is the root of the risk. This is the recommended option.
Creating another EC2 instance in the same subnet and reinstalling Active Directory on it only moves the self-managed domain controller to a new host with the same network exposure. It does not shrink the attack surface and adds administrative overhead (patching, backups, monitoring) without any security gain.
An AD Connector is a proxy: it forwards directory requests to an existing domain controller and hosts no directory of its own. The domain controller on the current public-facing EC2 instance stays in place, so the exposure and the risk of leaking sensitive directory data are unchanged.
Enabling AWS SSO (now IAM Identity Center) with SAML 2.0 federation and tightening the security group reduces some exposure, but the domain controller still runs on a public-facing instance. Note also that security groups are allow-only: "denying" public access means removing the inbound rules that allow 0.0.0.0/0 or ::/0, not adding a deny rule. Either way the self-managed, internet-facing domain controller remains the fundamental weakness.
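The point behind the last two explanations is that the existing domain controller is reachable from the internet, and that a security group can only be tightened by removing allow rules. The following is an added example, not part of the original question or of any AWS tool: it takes a security group in the JSON shape that `aws ec2 describe-security-groups` returns (the sample below is constructed, with a made-up group ID), lists the domain-controller ports that are open to 0.0.0.0/0 or ::/0, and produces a remediated copy with those public sources stripped. The port list and the helper names are the example's own assumptions.

```python
"""Audit a security group for Active Directory ports exposed to the internet.

Added example, not part of the original question. Works offline on the
constructed SAMPLE_SG below; in practice you would feed it the output of
`aws ec2 describe-security-groups --group-ids <id>` instead.
"""
import copy

# Ports a writable domain controller normally listens on (assumed list, not exhaustive).
AD_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog over TLS",
    3389: "RDP",
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample resembling `aws ec2 describe-security-groups` output.
# The group ID is made up; the rules model a domain controller on a public subnet.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "dc-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def rule_is_public(rule):
    """True if any source of the ingress rule is any-IPv4 or any-IPv6."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)


def ports_in_rule(rule):
    """Return the AD ports covered by a rule's protocol and port range."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule covers every port
        return set(AD_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in AD_PORTS if lo <= p <= hi}


def publicly_exposed_ad_ports(security_group):
    """Sorted (port, service) pairs that the internet can reach on this group."""
    exposed = set()
    for rule in security_group.get("IpPermissions", []):
        if rule_is_public(rule):
            exposed |= ports_in_rule(rule)
    return sorted((p, AD_PORTS[p]) for p in exposed)


def strip_public_sources(security_group):
    """Return a copy with public sources removed from rules that touch AD ports.

    Security groups have no deny rules, so remediation is deleting allows.
    A rule left with no source at all is dropped; rules on non-AD ports
    (e.g. 443 for a web front end) are left untouched.
    """
    sg = copy.deepcopy(security_group)
    kept = []
    for rule in sg.get("IpPermissions", []):
        if ports_in_rule(rule):
            rule["IpRanges"] = [r for r in rule.get("IpRanges", [])
                                if r.get("CidrIp") not in PUBLIC_CIDRS]
            rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", [])
                                  if r.get("CidrIpv6") not in PUBLIC_CIDRS]
            has_source = (rule["IpRanges"] or rule["Ipv6Ranges"]
                          or rule.get("UserIdGroupPairs") or rule.get("PrefixListIds"))
            if not has_source:
                continue
        kept.append(rule)
    sg["IpPermissions"] = kept
    return sg


if __name__ == "__main__":
    for port, svc in publicly_exposed_ad_ports(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {svc} ({port}) is open to the internet")
    fixed = strip_public_sources(SAMPLE_SG)
    print("after remediation:", publicly_exposed_ad_ports(fixed))
```

On the sample group the audit flags LDAP (389, open to 0.0.0.0/0) and Kerberos (88, open to ::/0) but not RDP, which is restricted to 10.0.0.0/16, nor 443, which is not a directory port. The remediated copy drops the LDAP rule entirely and keeps Kerberos only for the private range. Closing these ports is still only damage limitation: the domain controller remains on an internet-facing instance, which is why the managed directory is the better answer.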