Exam AWS Certified Security - Specialty topic 1 question 318 discussion

Federate IAM with the external company's identity provider

"B" Federate IAM with the external company's identity provider

I can confidently say, none of these options is a sound secure solution. A. Cognito is basically used to web and application authentication/authorization. Not applicable to this scenario. B. Using external company's IdP is madness. The source of truth to user, groups, user metadata, authentication are all in the external company's control. Even creating roles in my account does not seem enough know that the source of truth is not at my company's control. External IdP without SCIM is a better (but not mention), as the source of truth will be in AWS SSO (Identity Center). C. IAM group is an identity, not used as authentication entity. D. Even worse than B, cause cannot use IAM group for mapping. It should be IAM role. But again, IdP of external company is not ideal secure wise! ------------------------------------- That being said, if this bad question ever shows up in your exam..select B, as the best of the rest, but know that this solution is not good enough unless using IdP without SCIM. This is important.

Only B makes sense.

C is out of the question. A doesn't seem appropriate, due to the lack of concern about permissions. There should be more consideration than simply "stop them from modifying Cognito settings." D seemed right at first, but the wording is wrong. You don't assign permissions to an IAM group, you assign a Permission Set to a user/group provided by the IdP. As such, my vote is B.

Amazon Cognito simplifies the development process by helping you manage identities for your customer-facing applications. As your application grows, some of your enterprise customers may ask you to integrate with their own Identity Provider (IdP) so that their users can sign-on to your app using their company’s identity, and have role-based access-control (RBAC) based on their company’s directory group membership.

B. Federate AWS Identity and Access Management (IAM) with the external company's identity provider. Create an IAM role and attach a policy with the necessary permissions. This approach allows the external company to use its own identity provider to authenticate users and access resources in the company's AWS account. By delegating the management of user identities and access to the external company's identity provider, the security officer minimizes the overhead of managing user access directly. The IAM role and policy can be used to grant the necessary permissions to the external company's users, allowing them to perform the required operational tasks while still maintaining control over access to the company's resources.

D is more suitable if you're configuring federation on organizational level and have many limitations.

D is an improvement of B. And yes, of course an AWS policy can be attached to a group. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html

It should be B To create a role for identity federation (AWS CLI) Create a role: aws iam create-role Attach a permissions policy to the role: aws iam attach-role-policy or Create an inline permissions policy for the role: aws iam put-role-policy https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html

Using 3rd party identity provider which makes me to go with Cognito, so answer A.

I like the option D but I've a problem with the words "Create an IAM group to map to the identity provider user group". we map IAM roles to IdP groups not the groups. So the correct option should be A.

C is out of questions A & B and D are all the same from implementation and result point of view they require federation and they makes the life of support team easier however D is a much better and scalable solution and it gives the support the flexibility of adding new members to their support group nothing shared except the sign on url i'll go with D

If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources. When you use an IAM identity provider, you don't have to create custom sign-in code or manage your own user identities.