Exam AWS Certified Solutions Architect - Professional topic 1 question 536 discussion

The CISO of a large enterprise with multiple IT departments, each with its own AWS account, wants one central place where AWS permissions for users can be managed and users' authentication credentials can be synchronized with the company's existing on-premises solution.
Which solution will meet the CISO's requirements?

  • A. Define AWS IAM roles based on the functional responsibilities of the users in a central account. Create a SAML-based identity management provider. Map users in the on-premises groups to IAM roles. Establish trust relationships between the other accounts and the central account.
  • B. Deploy a common set of AWS IAM users, groups, roles, and policies in all of the AWS accounts using AWS Organizations. Implement federation between the on-premises identity provider and the AWS accounts.
  • C. Use AWS Organizations in a centralized account to define service control policies (SCPs). Create a SAML-based identity management provider in each account and map users in the on-premises groups to AWS IAM roles.
  • D. Perform a thorough analysis of the user base and create AWS IAM users accounts that have the necessary permissions. Set up a process to provision and deprovision accounts based on data in the on-premises solution.
Suggested Answer: A
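Option A leaves the "trust relationships" unstated, and several comments below call that out. The following Python is an added example (not from the page, the exam, or AWS) showing the two trust policies that chain the on-premises IdP to a hub role in the central account and from there to a spoke role in a department account, with a simplified evaluator for them; account ids, provider and role names are constructed placeholders.

```python
import fnmatch
# Constructed placeholder account ids, provider and role names (not real accounts).
CENTRAL_ACCOUNT = "111122223333"
DEPT_ACCOUNT = "444455556666"
IDP_ARN = f"arn:aws:iam::{CENTRAL_ACCOUNT}:saml-provider/CorpIdP"
HUB_ROLE = f"arn:aws:iam::{CENTRAL_ACCOUNT}:role/DevelopersHub"
SPOKE_ROLE = f"arn:aws:iam::{DEPT_ACCOUNT}:role/DevelopersSpoke"

# Hop 1: hub role in the central account trusts only the registered SAML provider,
# and only for assertions whose audience is the AWS sign-in endpoint.
HUB_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": IDP_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
}]}

# Hop 2: spoke role in a department account trusts only the hub role. (The hub role
# also needs an identity policy allowing sts:AssumeRole on SPOKE_ROLE; not modelled.)
SPOKE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": HUB_ROLE},
    "Action": "sts:AssumeRole",
}]}

def trust_allows(trust_policy, principal, action, context=None):
    """Simplified trust-policy evaluation: a statement matches when principal,
    action and every StringEquals condition match; an explicit Deny wins."""
    context, allowed = context or {}, False
    for stmt in trust_policy["Statement"]:
        principals = [p for v in stmt["Principal"].values()
                      for p in (v if isinstance(v, list) else [v])]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(fnmatch.fnmatch(principal, p) for p in principals):
            continue
        if not any(fnmatch.fnmatch(action, a) for a in actions):
            continue
        if any(context.get(k) != v for k, v in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def federated_user_reaches_spoke(saml_aud):
    """Walk option A's chain: on-prem IdP -> hub role -> spoke role."""
    return (trust_allows(HUB_TRUST, IDP_ARN, "sts:AssumeRoleWithSAML", {"SAML:aud": saml_aud})
            and trust_allows(SPOKE_TRUST, HUB_ROLE, "sts:AssumeRole"))
```

Because the spoke role names the hub role as its only principal, adding a department account means adding one spoke role, not another IdP, which is the difference between option A and the per-account provider in option C.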

Comments

donathon
Highly Voted 3 years, 9 months ago
C. To help you manage federation for multiple AWS accounts centrally, you can use AWS Single Sign-On to manage SSO access for all of your accounts in AWS Organizations. https://aws.amazon.com/identity/federation/
A: The fact that the answer did not explain how "trust relationships" are created means I would avoid this answer if there is a better answer. In this case C. You will also need to use a lot of assume roles in each and every account, which can be tedious. This was what it used to be before AWS Organizations was launched.
B: Accounts are not centralized ("one central place").
D: There is no federation.
upvoted 21 times
Musk
3 years, 9 months ago
C says "identity management provider in each account" which I think is wrong, because you just need one, not one per account.
upvoted 4 times
Jesuisleon
2 years, 1 month ago
Yes, that's the thing that also makes me feel uncomfortable.
upvoted 1 times
manoj101
3 years, 8 months ago
C is not correct. You can't have SAML across each account. That is not going to centralise access.
upvoted 2 times
chandler
3 years, 9 months ago
Probably A is the answer: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html and search "trust" on the page. Also, the question asks that "AWS permissions for users can be managed"; SCPs won't help too much with that. It's more like IAM's job.
upvoted 15 times
donathon
3 years, 9 months ago
A. B/C: Accounts are not centralized ("one central place"). Also SAML must be done in one account. D: There is no federation.
upvoted 38 times
G3
3 years, 9 months ago
I feel it has to be C. SCPs offer central control over the maximum available permissions for all accounts in your organization. A doesn't provide a way to centrally manage permissions.
upvoted 5 times
PacoDerek
3 years, 9 months ago
C. Finally I got you once, @donathon :D SCPs are necessary but not sufficient for granting access in the accounts in your organization. Attaching an SCP to the organization root or an organizational unit (OU) defines a guardrail for what actions accounts within the organization root or OU can do. You still need to attach IAM policies to users and roles in your organization's accounts to actually grant permissions to them. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
upvoted 1 times
sam422
3 years, 8 months ago
Although A looks a bit vague on trust relationships, it is how AWS asks to do it, having a central account. For C, SCP offers perimeter control. I go with A.
upvoted 1 times
3a632a3
Most Recent 1 year, 5 months ago
Selected Answer: A
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html + https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
upvoted 1 times
SkyZeroZx
2 years ago
Selected Answer: A
A. B/C: Accounts are not centralized ("one central place"). Also SAML must be done in one account. D: There is no federation.
upvoted 1 times
evargasbrz
2 years, 6 months ago
Selected Answer: A
A looks a bit vague on trust relationships, but it makes sense. C -> SCP offers perimeter control and it says "...identity management provider in each account", so A looks better!
upvoted 2 times
SureNot
2 years, 7 months ago
Selected Answer: A
one central place
upvoted 1 times
nsvijay04b1
2 years, 8 months ago
Selected Answer: C
An IAM identity provider and a role for SAML access are created in each account, and it should be a trusted external IdP.
upvoted 2 times
epomatti
2 years, 10 months ago
Selected Answer: A
A. One central place to synchronize users. C is wrong.
upvoted 1 times
Ni_yot
2 years, 10 months ago
Will go with A. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
upvoted 1 times
aandc
3 years ago
A: C says "identity management provider in each account".
upvoted 1 times
cannottellname
3 years, 5 months ago
A does not scale that well: establishing trust and all, while also creating an IAM role for each account because access limits can be different for different accounts, and a person from one department should not access other departments' accounts even though they need the same permissions. Hence, there will be multiple IAM roles + multiple account trusts.... Also, logging into the central account and then assuming a role for human resources does not seem a good option. This needs to be done at each and every account level only.... and what kind of services will be needed that way... C seems better to me here.
upvoted 1 times
vbal
3 years, 7 months ago
Why C? Create an IdP in each account..?
upvoted 1 times
student22
3 years, 8 months ago
A is correct. Map on-premises users to AWS roles through SAML federation. C is similar but not centralized.
upvoted 2 times
denccc
3 years, 8 months ago
I think it's A
upvoted 1 times
DerekKey
3 years, 8 months ago
A correct - https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
B wrong - "The CISO" + "wants one central place where AWS permissions ... can be managed and users authentication credentials can be synchronized with the company's existing on-premises solution"
C wrong - "The CISO" + "wants one central place where AWS permissions ... can be managed and users authentication credentials can be synchronized with the company's existing on-premises solution"
D wrong
upvoted 2 times
WhyIronMan
3 years, 8 months ago
I'll go with A
upvoted 2 times
Waiweng
3 years, 8 months ago
It's C.
upvoted 2 times
Kian1
3 years, 8 months ago
will go with A
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other