Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 67 discussion

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPSec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Service (S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? (Choose two.)

  • A. Develop an identity broker that authenticates against the IAM Security Token Service to assume an IAM role in order to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
  • B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
  • C. Develop an identity broker that authenticates against LDAP and then calls the IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
  • D. The application authenticates against LDAP. The application then calls the AWS Identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
  • E. The application authenticates against the IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.
Suggested Answer: BC
Imagine that in your organization, you want to provide a way for users to copy data from their computers to a backup folder. You build an application that users can run on their computers. On the back end, the application reads and writes objects in an S3 bucket. Users don't have direct access to AWS. Instead, the application communicates with an identity provider (IdP) to authenticate the user. The IdP gets the user information from your organization's identity store (such as an LDAP directory) and then generates a SAML assertion that includes authentication and authorization information about that user. The application then uses that assertion to make a call to the AssumeRoleWithSAML API to get temporary security credentials. The app can then use those credentials to access a folder in the S3 bucket that's specific to the user.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
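Options B and C, and the identity-broker steps discussed in the comments, share one pattern: the broker authenticates the user against LDAP and then asks STS for credentials whose permissions are cut down to that user's own S3 prefix. The Python below is an added illustration, not code from the original page or from AWS; the bucket name, account id and role ARN are constructed placeholders. It builds the per-user session policy and the parameters a broker would pass to boto3's `assume_role` (option B) or `get_federation_token` (option C), and checks that the LDAP username is safe to use as both the STS session name and the S3 prefix.

```python
import json
import re

# Constructed placeholders for this example; replace with your own bucket and role.
BUCKET = "corp-user-data"
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleUserDataAccess"
# STS limits RoleSessionName (2-64 chars) and GetFederationToken Name (2-32 chars) to [\w+=,.@-].
# re.ASCII matches the AWS (ASCII) \w; the set has no '/', '*' or '?', so it is also a safe S3 prefix.
_NAME_CHARS = re.compile(r"[\w+=,.@-]+", re.ASCII)

def is_safe_username(username, max_len=64):
    """True if the name fits the STS name rules above (and so is a safe S3 prefix)."""
    return 2 <= len(username) <= max_len and _NAME_CHARS.fullmatch(username) is not None

def validate_username(username, max_len=64):
    """Reject LDAP names that could widen the prefix the session policy grants."""
    if not is_safe_username(username, max_len):
        raise ValueError(f"unsafe username for STS session name / S3 prefix: {username!r}")
    return username

def user_scoped_policy(username):
    """Session policy limiting the caller to s3://BUCKET/<username>/ only.
    It can only narrow the permissions the role (or broker IAM user) already has."""
    user = validate_username(username)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only for keys under the user's prefix
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": [f"{user}/*"]}},
            },
            {   # object operations only under that prefix
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{BUCKET}/{user}/*",
            },
        ],
    }

def assume_role_request(username, duration=900):
    """Option B: kwargs for sts.assume_role() once LDAP has verified the user."""
    user = validate_username(username)
    return {"RoleArn": ROLE_ARN, "RoleSessionName": user,  # session name lands in CloudTrail
            "Policy": json.dumps(user_scoped_policy(user)), "DurationSeconds": duration}

def federation_token_request(username, duration=900):
    """Option C: kwargs for sts.get_federation_token(), called with the broker's IAM user keys."""
    user = validate_username(username, max_len=32)
    return {"Name": user, "Policy": json.dumps(user_scoped_policy(user)), "DurationSeconds": duration}
```

The role's own permission policy remains the ceiling: the session policy can only intersect with it, so an LDAP user cannot obtain access the role itself lacks.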

Comments

CloudFloater
Highly Voted 3 years, 6 months ago
BC
A. Needs to authenticate against LDAP and not IAM.
B. Authenticates with LDAP and calls the AssumeRole.
C. Custom Identity broker implementation, with authentication with LDAP and using federated token.
D. Can't login to IAM using LDAP credentials.
E. Need to authenticate with LDAP.
http://jayendrapatil.com/tag/iam-role/
upvoted 15 times
amministrazione
Most Recent 8 months, 3 weeks ago
B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket. C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
upvoted 1 times
srv321
1 year, 5 months ago
This question is included in Jon Bonso's practice tests; B & C are correct.
upvoted 1 times
TigerInTheCloud
2 years, 4 months ago
Selected Answer: BC
A: STS provides the AWS temporary security credential, not the identity provider.
B: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
C: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
D: Not login to IAM, but get the temporary security credential from STS.
E: LDAP performs the authentication (through the broker), STS creates the temporary security credential.
upvoted 1 times
wahlbergusa
3 years, 4 months ago
C is definitely correct but B cannot be, because the application NEVER talks to STS directly. => https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
upvoted 1 times
wahlbergusa
3 years, 4 months ago
Correction. I interpreted the options to be used at the same time. As I now understand any of the options can be used so B would be a viable alternative to C.
upvoted 1 times
cldy
3 years, 5 months ago
B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket. C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
upvoted 1 times
FERIN_01
3 years, 6 months ago
C seems to be correct. If the organization doesn't support a SAML-compatible IdP, a Custom Identity Broker can be used to provide the access. The Custom Identity Broker should perform the following steps:
1. Verify that the user is authenticated by the local identity system.
2. Call the AWS Security Token Service (AWS STS) AssumeRole (recommended) or GetFederationToken (by default, has an expiration period of 36 hours) APIs to obtain temporary security credentials for the user. Temporary credentials limit the permissions a user has to the AWS resource.
3. Call an AWS federation endpoint and supply the temporary security credentials to get a sign-in token.
4. Construct a URL for the console that includes the token. The URL that the federation endpoint provides is valid for 15 minutes after it is created.
5. Give the URL to the user or invoke the URL on the user's behalf.
upvoted 1 times
tvs
3 years, 6 months ago
BD. Develop an identity broker, seriously?
upvoted 1 times
01037
3 years, 6 months ago
Yes, B&C
upvoted 1 times
cldy
3 years, 6 months ago
B, C. Authentication is always against LDAP.
upvoted 1 times
fullaws
3 years, 6 months ago
B and C are correct.
upvoted 3 times
amog
3 years, 7 months ago
Answer is B, C: AssumeRole() and GetFederationToken().
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), other.