
Hybrid SSO Trust vs Complexity Trade-off | SAA-C03

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the SAA-C03, many candidates get confused by hybrid identity integration patterns and Active Directory trust relationships. In the real world, this is fundamentally a decision about centralized authentication complexity vs. operational overhead. Let’s drill into a simulated scenario.

The Scenario

GlobalTech Industries is modernizing its infrastructure by migrating legacy applications to AWS. The company operates 12 AWS accounts organized under AWS Organizations, each representing different business units (Finance, HR, Engineering, Sales).

The IT Security team has established a clear mandate: all AWS access must use Single Sign-On (SSO), but user identities and group memberships must remain managed in the existing on-premises Microsoft Active Directory infrastructure. The security team is unwilling to migrate identity management to the cloud or maintain duplicate user databases.

The architecture must support seamless authentication across all 12 AWS accounts while preserving the current AD-based identity governance processes.

Key Requirements

Implement a centralized SSO solution for all AWS accounts that authenticates users against the on-premises self-managed Microsoft Active Directory, without migrating identity management to AWS.

The Options

  • A) Enable AWS Single Sign-On (AWS SSO) from the console, create a two-way forest trust through AWS Directory Service for Microsoft Active Directory to connect the self-managed on-premises Active Directory with AWS SSO.
  • B) Enable AWS Single Sign-On (AWS SSO) from the console, create a one-way forest trust or one-way domain trust through AWS Directory Service for Microsoft Active Directory to connect the self-managed on-premises Active Directory with AWS SSO.
  • C) Use AWS Directory Service to create a two-way trust relationship directly with the self-managed on-premises Microsoft Active Directory.
  • D) Deploy an on-premises Identity Provider (IdP) and enable AWS Single Sign-On (AWS SSO) from the console.

Correct Answer

Option B.

The Architect’s Analysis

Correct Answer

Option B - Enable AWS SSO with a one-way trust through AWS Managed Microsoft AD.

Step-by-Step Winning Logic

This solution represents the optimal trade-off between security, operational simplicity, and AWS integration:

  1. AWS SSO (IAM Identity Center) provides native multi-account access management across AWS Organizations
  2. AWS Managed Microsoft AD acts as the bridge between AWS services and on-premises AD
  3. One-way trust is sufficient: AWS Managed AD trusts on-premises AD to authenticate users, but on-premises AD doesn’t need to trust AWS resources
  4. Minimal attack surface: One-way trusts prevent AWS-based resources from authenticating back into on-premises infrastructure
  5. Centralized identity source: Users and groups remain fully managed in on-premises AD as required

Why one-way vs. two-way? AWS SSO only needs to consume identity information from on-premises AD for authentication. It doesn’t need to write back or establish reverse authentication paths, making two-way trust unnecessary and architecturally inefficient.

The Traps (Distractor Analysis)

  • Why not Option A? A two-way forest trust is operationally more complex and introduces unnecessary security risks. AWS Managed AD would be trusted by on-premises AD, potentially allowing compromised AWS resources to authenticate back into on-premises systems. This violates the principle of least privilege and expands the attack surface without providing functional benefits for the SSO use case. Two-way trusts are typically needed when resources in both environments need to authenticate against each other—not the case here.

  • Why not Option C? This option is architecturally incomplete. AWS Directory Service alone doesn’t provide SSO capabilities across AWS accounts. You would still need AWS SSO (IAM Identity Center) to manage multi-account access. Additionally, creating a “direct” two-way trust without AWS Managed AD as an intermediary is not the standard AWS pattern and complicates network connectivity requirements.

  • Why not Option D? While deploying a SAML-based on-premises IdP (like ADFS) is technically viable, it introduces significant operational overhead:

    • Requires maintaining high-availability infrastructure on-premises
    • Adds complexity for certificate management and SAML configuration
    • Increases latency for authentication flows
    • Creates a single point of failure outside AWS
    • When AWS provides native integration (AWS Managed AD + AWS SSO), custom IdP deployment is unnecessarily complex for this requirement

The Architect Blueprint

```mermaid
graph TB
    User([User]) -->|1. Login Request| AWSSSO[AWS SSO / IAM Identity Center]
    AWSSSO -->|2. Auth Check| ManagedAD[AWS Managed Microsoft AD]
    ManagedAD -->|3. One-way Trust Query| OnPremAD[On-Premises Active Directory]
    OnPremAD -->|4. User/Group Info| ManagedAD
    ManagedAD -->|5. Auth Response| AWSSSO
    AWSSSO -->|6. Temporary Credentials| User
    AWSSSO -.->|Centralized Access| Acct1[Account 1 - Finance]
    AWSSSO -.->|Centralized Access| Acct2[Account 2 - HR]
    AWSSSO -.->|Centralized Access| Acct3[Account 3 - Engineering]
    style AWSSSO fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
    style ManagedAD fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
    style OnPremAD fill:#00A4EF,stroke:#0078D4,stroke-width:2px,color:#fff
```

Diagram Note: AWS SSO queries AWS Managed AD, which maintains a one-way trust to the on-premises AD for identity verification, enabling centralized multi-account access without bidirectional authentication requirements.

Real-World Practitioner Insight

Exam Rule

“For the SAA-C03 exam, when you see AWS Organizations + on-premises AD + SSO requirement, always choose AWS SSO with AWS Managed Microsoft AD using one-way trust. Remember: AWS only needs to read from on-premises AD, not write back—one-way trust is sufficient and more secure.”

Real World

In production environments, we typically implement additional considerations:

  • Network connectivity: Establish redundant VPN or Direct Connect connections between on-premises and AWS VPC hosting Managed AD
  • Multi-region resilience: Deploy AWS Managed AD in multiple Availability Zones (automatic) and consider cross-region replication for disaster recovery
  • Conditional access policies: Layer AWS SSO permission sets with group-based access control maintained in on-premises AD
  • Monitoring integration: Forward AWS Managed AD logs to CloudWatch and correlate with on-premises SIEM for unified security visibility
  • Hybrid scenarios: For organizations with Azure AD, consider AWS SSO’s external identity provider integration instead of Managed AD

The one-way trust model shown in Option B remains the foundation, but production deployments add operational resilience layers not tested in SAA-C03.
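As an added example (not code from the original post), the audit below checks the trust inventory of an AWS Managed Microsoft AD directory against the design the post recommends: a verified one-way forest trust toward the on-premises forest, which is what the monitoring item above would periodically confirm. It assumes the record shape of the DescribeTrusts API, maps the post's wording "AWS Managed AD trusts on-premises AD" to the API direction value "One-Way: Outgoing", and uses constructed sample records rather than output from a real account.

```python
# Added example, not code from the original post: audit a Directory Service
# trust inventory against the post's recommended design (a Verified one-way
# forest trust from AWS Managed Microsoft AD toward on-premises AD). Records
# follow the "Trusts" list shape of DescribeTrusts (aws ds describe-trusts);
# the sample records are constructed, and mapping "Managed AD trusts on-prem"
# to the API value "One-Way: Outgoing" is an assumption made for this example.

RECOMMENDED = {"TrustType": "Forest",
               "TrustDirection": "One-Way: Outgoing",
               "TrustState": "Verified"}

SAMPLE_TRUSTS = [  # constructed sample data, not a real account's trusts
    {"DirectoryId": "d-EXAMPLE00001", "TrustId": "t-EXAMPLE0001",
     "RemoteDomainName": "corp.globaltech.example", "TrustType": "Forest",
     "TrustDirection": "One-Way: Outgoing", "TrustState": "Verified"},
    {"DirectoryId": "d-EXAMPLE00001", "TrustId": "t-EXAMPLE0002",
     "RemoteDomainName": "corp.globaltech.example", "TrustType": "Forest",
     "TrustDirection": "Two-Way", "TrustState": "Verified"},
    {"DirectoryId": "d-EXAMPLE00001", "TrustId": "t-EXAMPLE0003",
     "RemoteDomainName": "hr.globaltech.example", "TrustType": "External",
     "TrustDirection": "One-Way: Outgoing", "TrustState": "Failed",
     "TrustStateReason": "remote domain could not be contacted"},
]


def audit_trust(trust):
    """Return findings for one trust record; an empty list means it matches."""
    findings = []
    direction = trust.get("TrustDirection")
    if direction == "Two-Way":
        findings.append("two-way trust: the on-premises forest also trusts the AWS "
                        "directory, a reverse path the SSO use case does not need")
    elif direction != RECOMMENDED["TrustDirection"]:
        findings.append(f"trust direction {direction!r} is not the recommended "
                        f"{RECOMMENDED['TrustDirection']!r}")
    if trust.get("TrustType") != RECOMMENDED["TrustType"]:
        findings.append(f"trust type {trust.get('TrustType')!r} is not a forest trust")
    state = trust.get("TrustState")
    if state != RECOMMENDED["TrustState"]:
        reason = trust.get("TrustStateReason", "no reason reported")
        findings.append(f"trust state is {state!r} ({reason}); logins via this "
                        "trust cannot be relied on until it verifies")
    return findings


def audit_trusts(trusts):
    """Map each TrustId to its findings, listing only trusts that have any."""
    return {t["TrustId"]: audit_trust(t) for t in trusts if audit_trust(t)}
```

Running `audit_trusts(SAMPLE_TRUSTS)` reports only the second and third records; the first matches the recommended design and is silent.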
