Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 671 discussion

A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment.
Which items should the solutions architect check to ensure identity federation is properly configured? (Choose three.)

  • A. The IAM user's permissions policy has allowed the use of SAML federation for that user.
  • B. The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principal.
  • C. Test users are not in the AWSFederatedUsers group in the company's IdP.
  • D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from the IdP.
  • E. The on-premises IdP's DNS hostname is reachable from the AWS environment VPCs.
  • F. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions.
Suggested Answer: BDF

Comments

liono
Highly Voted 3 years, 8 months ago
B, D & F look correct
upvoted 29 times
Cantaloupe
Highly Voted 3 years, 8 months ago
B: "In IAM, you create one or more IAM roles. In the role's trust policy, you set the SAML provider as the principal, which establishes a trust relationship between your organization and AWS" D: "The client app calls the AWS STS AssumeRoleWithSAML API, passing the ARN of the SAML provider, the ARN of the role to assume, and the SAML assertion from IdP" F: "In your organization's IdP, you define assertions that map users or groups in your organization to the IAM roles"
upvoted 19 times
kirrim
3 years, 6 months ago
Where these quotes came from: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
upvoted 5 times
thotwielder
Most Recent 1 year, 5 months ago
A, C, F. BDF doesn't address why the solutions architect can log in while the test user can't.
upvoted 1 times
marszalekm
1 year, 3 months ago
but A says "The IAM user's permissions", "not IAM role"
upvoted 1 times
kadev
2 years, 9 months ago
B,D,F. Explanation: follow the steps for access to the AWS console through a third-party IdP: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html From the situation in the question, we know that the flow succeeds up to step 3 (got the grant from the IdP) => the user cannot access the AWS console because it failed at step 4 or step 5. So:
1. We need to verify the SAML assertion (D): "The IAM role and IAM identity provider are specified as a comma-delimited pair of ARNs in the same format as the RoleArn and PrincipalArn" https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml-attribute-mapping
2. Next, verify that the mapping of user and role is exact (F).
3. Verify the "Prerequisites for creating a role for SAML": the principal must have "PROVIDER-NAME" https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Prerequisites
upvoted 1 times
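The two checks that the thread keeps coming back to (B: the role's trust policy names the SAML provider as its Federated principal; F: the IdP's Role attribute maps the user to an existing role as a comma-delimited role ARN / provider ARN pair) can be run offline against a captured assertion and the trust policies pulled from IAM. The following is an added example, not code from the page or from AWS; the ARNs, the assertion fragment and the trust policy are constructed, and the scenario built in is the one the question describes: the assertion is fine, but the test users' role still trusts a stale provider ARN.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
PROVIDER = "arn:aws:iam::111122223333:saml-provider/CorpIdP"  # constructed ARN
ROLE = "arn:aws:iam::111122223333:role/FederatedTester"        # constructed ARN

# Constructed assertion fragment: the IdP maps the test user to ROLE via PROVIDER (item F).
TEST_USER_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"><saml:AttributeStatement>
  <saml:Attribute Name="{ROLE_ATTR}"><saml:AttributeValue>{ROLE},{PROVIDER}</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

# Constructed trust policy, keyed by role ARN as you would fetch it from IAM: it trusts
# an old provider ARN, so STS rejects AssumeRoleWithSAML for this role (item B).
TRUST_POLICIES = {ROLE: json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": PROVIDER.replace("CorpIdP", "OldIdP")}}]})}

def role_pairs(assertion_xml):
    """Return (role_arn, provider_arn) pairs from the Role attribute; AWS accepts either order."""
    pairs = []
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            parts = [p.strip() for p in (val.text or "").split(",")]
            if len(parts) != 2 or sum(":saml-provider/" in p for p in parts) != 1:
                raise ValueError(f"malformed Role value: {val.text!r}")
            parts.sort(key=lambda p: ":saml-provider/" in p)  # role first, provider second
            pairs.append(tuple(parts))
    return pairs

def trust_allows(policy_json, provider_arn):
    """True if an Allow statement names provider_arn as Federated principal and grants AssumeRoleWithSAML."""
    for st in json.loads(policy_json)["Statement"]:
        fed, act = st.get("Principal", {}).get("Federated", []), st.get("Action", [])
        fed, act = [x if isinstance(x, list) else [x] for x in (fed, act)]
        if st.get("Effect") == "Allow" and provider_arn in fed and "sts:AssumeRoleWithSAML" in act:
            return True
    return False

def diagnose(assertion_xml, trust_policies):
    """Findings labelled with the exam item they correspond to; empty list means STS should accept the pair."""
    findings = []
    for role, provider in role_pairs(assertion_xml):
        if role not in trust_policies:
            findings.append(f"F: assertion names a role that does not exist: {role}")
        elif not trust_allows(trust_policies[role], provider):
            findings.append(f"B: trust policy of {role} does not trust {provider}")
    return findings
```

Run `diagnose(TEST_USER_ASSERTION, TRUST_POLICIES)` to get the B finding; an assertion with no Role attribute returns no pairs at all, which is the F case where the IdP maps the user to nothing.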
RVivek
3 years, 3 months ago
Answer BDF. Is E also required? Can someone say why E is not required?
upvoted 1 times
Jesuisleon
1 year, 12 months ago
This sentence: "When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted". If DNS hostname resolution failed, the solutions architect couldn't have succeeded in his attempt.
upvoted 1 times
hancoms
2 years, 7 months ago
I think 'the AWS environment VPCs' -> it does not need to assume a role for SAML on the AWS account side
upvoted 1 times
vbal
3 years, 5 months ago
I can't see B as an answer: The IAM roles created FOR the federated users' or federated groups???
upvoted 1 times
vbal
3 years, 5 months ago
B is fine
upvoted 1 times
CloudChef
3 years, 5 months ago
BDF is it.
upvoted 1 times
cldy
3 years, 5 months ago
B. The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principal. D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from the IdP. F. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions.
upvoted 1 times
AzureDP900
3 years, 6 months ago
B,D,F is the perfect answer for the given scenario.
upvoted 1 times
acloudguru
3 years, 6 months ago
Selected Answer: BDF
B: "In IAM, you create one or more IAM roles. In the role's trust policy, you set the SAML provider as the principal, which establishes a trust relationship between your organization and AWS" D: "The client app calls the AWS STS AssumeRoleWithSAML API, passing the ARN of the SAML provider, the ARN of the role to assume, and the SAML assertion from IdP" F: "In your organization's IdP, you define assertions that map users or groups in your organization to the IAM roles"
upvoted 4 times
andylogan
3 years, 6 months ago
It's B D F
upvoted 1 times
tgv
3 years, 7 months ago
BBB DDD FFF ---
upvoted 2 times
blackgamer
3 years, 7 months ago
BDF for me.
upvoted 1 times
WhyIronMan
3 years, 7 months ago
I'll go with B,D,F
upvoted 1 times
Waiweng
3 years, 7 months ago
it's B,D and F
upvoted 4 times
Kian1
3 years, 7 months ago
will go with BDF
upvoted 2 times
Ebi
3 years, 7 months ago
BDF is my choice
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other