Achieving Account Lockout for Failed Login Attempts in AWS Managed Microsoft AD

Configure Account Lockout for Failed Login Attempts in AWS Managed Microsoft AD

Question

Your company has set up the AWS Managed Microsoft AD directory service.

They need to ensure that users' accounts get locked after a specified number of failed login attempts.

How can you achieve this?

Answers

A. B. C. D.

Answer - B.

This is mentioned in the AWS Documentation.

You may also modify the following properties of your password policies to specify if and how Active Directory should lock out an account after login failures:

· Number of failed login attempts allowed.

· Account lockout duration.

· Reset failed logon attempts after some duration.

Option A is incorrect since LDAP over SSL is used to encrypt all data in transit.

Option C is incorrect since MFA is used for adding one more layer of authentication.

Option D is incorrect since IAM policies are used for managing access for IAM users.

For more information on supported password policy settings, see the following URL:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/supportedpolicysettings.html

The correct answer is B. Use Password policies in the directory service.

Explanation:

The AWS Managed Microsoft AD directory service allows the configuration of password policies that enforce rules for password complexity, expiration, and lockout settings. By configuring password policies, you can define the number of failed login attempts allowed before a user's account is locked out.

Option A is incorrect because enabling LDAP over SSL provides secure communication between the client and the server, but it does not provide any functionality related to account lockout.

Option C is incorrect because enabling Multi-Factor Authentication (MFA) for the directory service provides an additional layer of security by requiring users to provide two or more authentication factors, but it does not provide any functionality related to account lockout.

Option D is incorrect because IAM policies are used to manage permissions and access to AWS resources, not for configuring password policies.

Therefore, the correct answer is B. Use Password policies in the directory service.