Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 371 discussion

A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database.

The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application.

Which solution will meet these requirements?

  • A. Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.
  • B. Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (IdP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.
  • C. Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the IdP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.
  • D. Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (IdP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.
Suggested Answer: C

Comments

ayadmawla
Highly Voted 5 months ago
Selected Answer: B
There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/
upvoted 6 times
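Added example, not part of any comment on this page: the authenticate-cognito listener rule that option B describes, in the shape `aws elbv2 describe-rules` returns it, together with a small audit that flags rules which forward to the intranet target group without a preceding authenticate action, or which set OnUnauthenticatedRequest to allow (the default is authenticate). The ARNs, user pool client ID, domain name and the sample rules are constructed placeholders.

```python
import json

# Constructed sample modelled on `aws elbv2 describe-rules --listener-arn ...` output.
# All ARNs, IDs and the domain are placeholders, not real resources.
RULE_OK = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener-rule/app/intranet/PLACEHOLDER/ok"
RULE_ALLOW = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener-rule/app/intranet/PLACEHOLDER/allow"
RULE_DEFAULT = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener-rule/app/intranet/PLACEHOLDER/default"
TARGET_GROUP = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/intranet/PLACEHOLDER"

def cognito_action(on_unauthenticated="authenticate"):
    """authenticate-cognito action as option B configures it (user pool + app client)."""
    return {
        "Type": "authenticate-cognito",
        "Order": 1,
        "AuthenticateCognitoConfig": {
            "UserPoolArn": "arn:aws:cognito-idp:REGION:ACCOUNT:userpool/REGION_PLACEHOLDER",
            "UserPoolClientId": "PLACEHOLDER_APP_CLIENT_ID",
            "UserPoolDomain": "intranet-placeholder",
            "Scope": "openid",
            "SessionTimeout": 604800,
            "OnUnauthenticatedRequest": on_unauthenticated,
        },
    }

FORWARD = {"Type": "forward", "Order": 2, "TargetGroupArn": TARGET_GROUP}

SAMPLE_RULES = {
    "Rules": [
        # Correct: every request to the app is authenticated before it is forwarded.
        {"RuleArn": RULE_OK, "Priority": "10", "IsDefault": False,
         "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}],
         "Actions": [cognito_action(), FORWARD]},
        # Weak: "allow" lets unauthenticated users through to the target group.
        {"RuleArn": RULE_ALLOW, "Priority": "20", "IsDefault": False,
         "Conditions": [{"Field": "path-pattern", "Values": ["/reports/*"]}],
         "Actions": [cognito_action("allow"), FORWARD]},
        # Weak: the default rule forwards with no authentication at all.
        {"RuleArn": RULE_DEFAULT, "Priority": "default", "IsDefault": True,
         "Conditions": [],
         "Actions": [{"Type": "forward", "Order": 1, "TargetGroupArn": TARGET_GROUP}]},
    ]
}

AUTH_TYPES = {
    "authenticate-cognito": "AuthenticateCognitoConfig",
    "authenticate-oidc": "AuthenticateOidcConfig",
}

def audit_rule(rule):
    """Return a list of findings for one listener rule (empty list means the rule is fine)."""
    findings = []
    auth_seen = False
    # Actions execute in Order; the authenticate action must come before the forward.
    for action in sorted(rule.get("Actions", []), key=lambda a: a.get("Order", 0)):
        kind = action["Type"]
        if kind in AUTH_TYPES:
            auth_seen = True
            cfg = action.get(AUTH_TYPES[kind], {})
            mode = cfg.get("OnUnauthenticatedRequest", "authenticate")
            if mode != "authenticate":
                findings.append(f"{kind} has OnUnauthenticatedRequest={mode}; "
                                "unauthenticated requests reach the target group")
        elif kind == "forward" and not auth_seen:
            findings.append("forward action is not preceded by an authenticate-* action")
    return findings

def audit_listener(describe_rules_output):
    """Map every RuleArn in describe-rules output to its findings."""
    return {r["RuleArn"]: audit_rule(r) for r in describe_rules_output["Rules"]}

if __name__ == "__main__":
    print(json.dumps(audit_listener(SAMPLE_RULES), indent=2))
```

Feed it the real describe-rules JSON for the intranet listener to get the same report. Two things the rule output cannot tell you, and which the ALB documentation linked above spells out, are that authenticate actions are only available on HTTPS listeners and that the backend should still verify the signed `x-amzn-oidc-data` header rather than trusting any request that reaches the target group.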
GibaSP45
Highly Voted 4 months, 3 weeks ago
Selected Answer: D
If the question were an internet web application I would go with B but as the question says it is an intranet application and internal database I would go with D, I don't think Cognito is the best answer.
upvoted 6 times
DanyelBlood
4 months, 2 weeks ago
The scenario says it in this part "The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory". For this reason, Cognito is the best option
upvoted 4 times
seetpt
Most Recent 2 weeks ago
Selected Answer: B
B vote
upvoted 1 times
seetpt
2 weeks ago
I vote for B
upvoted 1 times
TonytheTiger
3 weeks, 1 day ago
Selected Answer: D
Option D: Per AWS doc "An Amazon Cognito user pool is a user directory for web and mobile app authentication and authorization." The question states "The company hosts an intranet web application". So, you can't select Cognito https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html
upvoted 1 times
gustori99
1 month, 2 weeks ago
Selected Answer: B
D is complete nonsense. Don't know why so many people are voting for it. "Configure a role policy that allows access to the ALB" - Come on, guys. ALB is accessed via http or https. You can restrict access via security groups not roles. Also cognito is mentioned in D but cognito is not connected to the SAML provider. So B is the correct answer.
upvoted 4 times
VerRi
1 month, 2 weeks ago
Selected Answer: B
A: The Active Directory directory does not use OIDC. B: Make sense. C: Cannot add the directory as a new IAM IdP. D: Why "authenticate-cognito action"
upvoted 3 times
Dgix
1 month, 4 weeks ago
Selected Answer: B
A: Doesn't support OIDC directly. B: ALBs can interface directly to Cognito. The correct answer. C: Rubbish, as IAM doesn't directly interface to any AD. D: Mixes things up royally.
upvoted 3 times
JOKERO
2 months ago
Attach the new role to all groups ???
upvoted 1 times
career360guru
2 months, 1 week ago
Selected Answer: D
Option D
upvoted 2 times
ftaws
3 months, 2 weeks ago
refer to below: "I am on the Amazon Cognito team. Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap."
upvoted 2 times
ftaws
3 months, 2 weeks ago
Selected Answer: D
They have already AD so we have to use SSO.
upvoted 4 times
MegalodonBolado
5 months ago
Selected Answer: B
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
upvoted 3 times
ayadmawla
5 months, 1 week ago
Selected Answer: A
Answer is A - There is already an AWS Active Directory running in the account. So this is simply about creating a client for the application to authenticate against this AD (inside AWS). There is no need to use Cognito, nor is there a need to setup connectivity to an on-premises AD using IAM Centre. Client Applications can use OIDC (Open ID Connect) which is a web standard for user authentication.
upvoted 1 times
ayadmawla
5 months ago
Change answer to B. I take that back as I was thinking of Microsoft Azure which offers OIDC Authentication but Microsoft AD does not. There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/
upvoted 1 times
Russs99
5 months, 1 week ago
Selected Answer: B
This option is wrong. Without an intermediate service that translates Active Directory authentication requests into OIDC tokens, option A is not feasible.
upvoted 2 times
Russs99
5 months, 1 week ago
just to clarify, option A in this scenario is wrong. I selected B.
upvoted 1 times
shaaam80
5 months, 1 week ago
Selected Answer: D
Answer D
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other