
Hybrid SFTP to S3 with AD Auth | SAA-C03

Author: Jeff Taakey, 21+ year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the SAA-C03, many candidates get confused by how to modernize file transfer without rebuilding identity. In the real world, this is fundamentally a decision about managed service operations vs. “lift-and-host” control, with cost and identity constraints shaping the design. Let’s drill into a simulated scenario.

The Scenario

NorthBridge Logistics runs a long-lived, on-prem SFTP server used by internal staff to exchange files with partners. The company is moving file storage to Amazon S3 to reduce storage cost and scale seamlessly, but it must keep using the existing on-prem Microsoft Active Directory (AD) credentials. Leadership also wants to preserve the current authentication and access model as much as possible, while keeping ongoing operational work to a minimum.

Key Requirements

  • Provide SFTP access for users
  • Store files in Amazon S3
  • Authenticate users with existing on-prem AD (no new credential store)
  • Minimize operational overhead (managed where possible)
  • Preserve the “same basic” authentication and access mechanism (AD-backed access)

The Options

  • A) Deploy AWS Storage Gateway (File Gateway) and create SMB shares authenticated by the existing AD
  • B) Run an SFTP server on EC2 in an Auto Scaling group; scale out at 60% CPU
  • C) Create an AWS Transfer Family server with an SFTP endpoint, choose AWS Directory Service as the identity provider, and use AD Connector to connect to on-prem AD
  • D) Create an AWS Transfer Family SFTP endpoint and configure the endpoint to use AWS Directory Service as an identity provider to connect the existing AD (without specifying AD Connector)

Correct Answer

C

The Winning Logic

AWS Transfer Family is the managed, purpose-built service for SFTP/FTPS/FTP into AWS storage (including Amazon S3). To keep on-prem AD credentials, you use AWS Directory Service AD Connector, which “proxies” authentication requests to the on-prem AD without requiring directory synchronization or managing domain controllers in AWS.

This meets all constraints with the least ops:

  • No EC2 fleet to patch, harden, scale, or monitor for the SFTP layer
  • Direct SFTP to S3 integration (no custom upload pipelines needed)
  • AD-backed auth via AD Connector, preserving identity operations where they already live

From a FinOps lens (associate-level): managed services typically cost more per unit than DIY compute at tiny scale, but they avoid hidden people-cost (patching, incident response, scaling mistakes) and reduce risk of security drift—often the real “largest line item.”


💎 Professional-Level Analysis

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.


🔐 The Traps (Distractor Analysis)

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.

  • Why not A (File Gateway + SMB)?
    This changes the protocol to SMB, not SFTP. It may integrate with AD, but it does not satisfy the SFTP requirement and shifts clients/processes.
  • Why not B (EC2 Auto Scaling SFTP)?
    It’s a classic “lift-and-host.” You own the OS, SFTP hardening, key/cipher policy, scaling behavior, availability design, patching cadence, and logging. It can work, but it’s higher ops than Transfer Family.
  • Why not D (Transfer Family + Directory Service, vague)?
    It’s incomplete/incorrect as stated: to “connect existing on-prem AD,” you typically need AD Connector (or Managed Microsoft AD with trust). The option that explicitly uses AD Connector is the exam-safe, lowest-ops choice.


🔐 The Solution Blueprint

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.

```mermaid
graph TD
    U[Employees / Partners using SFTP clients] --> TF[AWS Transfer Family<br/>SFTP Endpoint]
    TF --> S3[(Amazon S3 Bucket)]
    TF --> DS[AWS Directory Service<br/>AD Connector]
    DS --> AD[(On-prem Microsoft AD)]
```
  • Diagram Note: Users authenticate to the Transfer Family SFTP endpoint; Transfer Family validates credentials via AD Connector against on-prem AD, then reads/writes files directly to S3.


🔐 Real-World Practitioner Insight

This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.

This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.

Exam Rule

On SAA-C03, when you see “SFTP to S3” + “lowest operational overhead”, default to AWS Transfer Family. When you also see “use existing on-prem AD credentials,” add Directory Service AD Connector.

Real World

In production, you’ll also validate:

  • Network path to AD (VPN or Direct Connect), plus redundancy so authentication doesn’t become a single point of failure
  • Authorization mapping (how AD users/groups map to S3 prefixes/roles) and auditing requirements
  • Whether you need Managed Microsoft AD + trust instead of AD Connector (more capability, more cost/ops)
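The server and access requests behind the diagram, including the AD-group-to-S3-prefix authorization mapping from the list above, as an added example (not the article's or AWS's own code): the functions build the boto3 parameter dicts for transfer.create_server() and transfer.create_access(); the directory id, role ARNs, bucket, VPC ids and group SID are placeholders you replace.

```python
"""Builders for the Transfer Family + AD Connector design. Added example, not code
from the article or AWS; every id, ARN, bucket and SID passed in is a placeholder."""
import json
import re

# Transfer Family identifies a Directory Service "access" by the AD group's SID.
SID_RE = re.compile(r"^S-1-[\d-]+$")

def server_request(directory_id, vpc_id, subnet_ids, sg_ids, logging_role):
    """Parameters for transfer.create_server(): SFTP only, endpoint inside the VPC,
    authentication delegated to the AD Connector directory, logging via a role."""
    return {
        "Protocols": ["SFTP"],  # option A's SMB share would not satisfy this
        "IdentityProviderType": "AWS_DIRECTORY_SERVICE",
        "IdentityProviderDetails": {"DirectoryId": directory_id},  # AD Connector id
        "EndpointType": "VPC",
        "EndpointDetails": {"VpcId": vpc_id, "SubnetIds": subnet_ids, "SecurityGroupIds": sg_ids},
        "SecurityPolicyName": "TransferSecurityPolicy-2023-05",  # managed cipher/KEX policy
        "LoggingRole": logging_role,
    }

def session_policy(bucket, prefix):
    """Confines the group to its prefix even if the role it assumes is broader."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
            {"Sid": "ObjectsInOwnPrefix", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }

def access_request(server_id, group_sid, role_arn, bucket, prefix):
    """Parameters for transfer.create_access(): one AD group -> one S3 prefix, shown
    to SFTP clients as '/' through a logical home directory (bucket layout hidden)."""
    if not SID_RE.match(group_sid):
        raise ValueError(f"ExternalId must be an AD group SID, got {group_sid!r}")
    prefix = prefix.strip("/")
    return {
        "ServerId": server_id,
        "ExternalId": group_sid,
        "Role": role_arn,  # its trust policy must allow transfer.amazonaws.com
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [{"Entry": "/", "Target": f"/{bucket}/{prefix}"}],
        "Policy": json.dumps(session_policy(bucket, prefix)),
    }
```

Pass the dicts as `boto3.client("transfer").create_server(**server_request(...))` and `create_access(**access_request(...))`; with AWS_DIRECTORY_SERVICE there are no per-user Transfer Family users, so authorization is granted per AD group through accesses like this one.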
