AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company's compliance team needs to move its file shares to AWS. The shares run on a Windows Server SMB file share. A self-managed on-premises Active Directory controls access to the files and folders.

The company wants to use Amazon FSx for Windows File Server as part of the solution. The company must ensure that the on-premises Active Directory groups restrict access to the FSx for Windows File Server SMB compliance shares, folders, and files after the move to AWS. The company has created an FSx for Windows File Server file system.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.

Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.

Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.

Join the file system to the Active Directory to restrict access.

Explanation:

Explanation

The correct answer is D. Join the file system to the Active Directory to restrict access.

Why this is correct:

FSx for Windows File Server integration with Active Directory: Amazon FSx for Windows File Server is designed to integrate seamlessly with Microsoft Active Directory. When you create an FSx file system, you can join it to your existing Active Directory domain.
Preserving existing access controls: By joining the FSx file system to the on-premises Active Directory, all existing Active Directory groups, users, and permissions are preserved. The file shares, folders, and files will continue to use the same Active Directory-based access controls that were used on-premises.
SMB protocol compatibility: FSx for Windows File Server uses the SMB protocol, which is fully compatible with Active Directory authentication and authorization mechanisms.

Why the other options are incorrect:

A. Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.

While Active Directory Connector can be used for some AWS services, FSx for Windows File Server doesn't require this approach for authentication.
Mapping AD groups to IAM groups would create a complex and unnecessary translation layer when FSx can directly use AD authentication.

B. Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.

AWS resource tags are for resource management and cost allocation, not for file-level access control.
Tags cannot restrict access to SMB shares, folders, or files within an FSx file system.

C. Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.

IAM service-linked roles are for AWS service-to-service communication, not for file-level access control.
IAM roles cannot control access to SMB shares, folders, or files within an FSx file system.

Key AWS Service Knowledge:

Amazon FSx for Windows File Server: Provides fully managed Windows file servers with native SMB protocol support
Active Directory integration: FSx can join your existing Active Directory domain for authentication and authorization
Access control: File-level permissions are managed through Windows ACLs, not AWS IAM
Migration path: This approach allows seamless migration of Windows file shares while preserving existing security models

Powered ByGPT-5.2

Comments

Loading comments...