
Answer-first summary for fast verification
Answer: Join the file system to the Active Directory to restrict access.
## Explanation

The correct answer is **D. Join the file system to the Active Directory to restrict access.**

### Why this is correct:

1. **FSx for Windows File Server integration with Active Directory**: Amazon FSx for Windows File Server is designed to integrate seamlessly with Microsoft Active Directory. When you create an FSx file system, you can join it to your existing Active Directory domain.
2. **Preserving existing access controls**: By joining the FSx file system to the on-premises Active Directory, all existing Active Directory groups, users, and permissions are preserved. The file shares, folders, and files will continue to use the same Active Directory-based access controls that were used on-premises.
3. **SMB protocol compatibility**: FSx for Windows File Server uses the SMB protocol, which is fully compatible with Active Directory authentication and authorization mechanisms.

### Why the other options are incorrect:

**A. Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.**

- While Active Directory Connector can be used for some AWS services, FSx for Windows File Server doesn't require this approach for authentication.
- Mapping AD groups to IAM groups would create a complex and unnecessary translation layer when FSx can directly use AD authentication.

**B. Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.**

- AWS resource tags are for resource management and cost allocation, not for file-level access control.
- Tags cannot restrict access to SMB shares, folders, or files within an FSx file system.

**C. Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.**

- IAM service-linked roles are for AWS service-to-service communication, not for file-level access control.
- IAM roles cannot control access to SMB shares, folders, or files within an FSx file system.

### Key AWS Service Knowledge:

- **Amazon FSx for Windows File Server**: Provides fully managed Windows file servers with native SMB protocol support
- **Active Directory integration**: FSx can join your existing Active Directory domain for authentication and authorization
- **Access control**: File-level permissions are managed through Windows ACLs, not AWS IAM
- **Migration path**: This approach allows seamless migration of Windows file shares while preserving existing security models
Author: LeetQuiz Editorial Team
A company's compliance team needs to move its file shares to AWS. The shares run on a Windows Server SMB file share. A self-managed on-premises Active Directory controls access to the files and folders.
The company wants to use Amazon FSx for Windows File Server as part of the solution. The company must ensure that the on-premises Active Directory groups restrict access to the FSx for Windows File Server SMB compliance shares, folders, and files after the move to AWS. The company has created an FSx for Windows File Server file system.
Which solution will meet these requirements?
**A.** Create an Active Directory Connector to connect to the Active Directory. Map the Active Directory groups to IAM groups to restrict access.

**B.** Assign a tag with a Restrict tag key and a Compliance tag value. Map the Active Directory groups to IAM groups to restrict access.

**C.** Create an IAM service-linked role that is linked directly to FSx for Windows File Server to restrict access.

**D.** Join the file system to the Active Directory to restrict access.