How would the organization manage its resources in the MOST secure manner? (Choose two.)
Configure an AWS Managed Microsoft AD to manage the cloud resources.
Configure an additional on-premises Active Directory service to manage the cloud resources.
Establish a one-way trust relationship from the existing Active Directory to the new Active Directory service.
Establish a one-way trust relationship from the new Active Directory to the existing Active Directory service.
Establish a two-way trust between the new and existing Active Directory services.
Explanations:
AWS Managed Microsoft AD is a fully managed service that integrates with AWS services. It is suitable for managing cloud-based resources separately from on-premises resources, which satisfies the requirement of separating authentication domains.
Configuring an additional on-premises Active Directory to manage cloud resources would not meet the security requirements as it does not provide the needed isolation between cloud and on-premises resources.
A one-way trust relationship from the existing Active Directory to the new Active Directory would allow on-premises users to authenticate to cloud resources, but it would still not properly isolate cloud users from on-premises resources.
Establishing a one-way trust relationship from the new Active Directory to the existing Active Directory ensures that cloud-based users are isolated and only the on-premises administrators can access the cloud resources. This meets both requirements.
A two-way trust relationship between the new and existing Active Directory services would allow bidirectional access, which violates the security requirement of isolating cloud-based users from on-premises systems.