What is the BEST method to allow access using current LDAP credentials?
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership.
What is the BEST method to allow access using current LDAP credentials?
A. Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
B. Create a Lambda function to read LDAP groups and automate the creation of IAM users.
C. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
D. Federate the LDAP directory with IAM using SAML. Create different IAM roles that correspond to different LDAP groups to limit permissions.
Answer: D
Explanation:
To allow access using current LDAP credentials while migrating to AWS, the best approach is to federate the LDAP directory with IAM using SAML.
Set Up SAML-Based Federation:
AWS supports identity federation using SAML (Security Assertion Markup Language) 2.0. You need to configure your LDAP directory to federate with AWS IAM via SAML.
Reference: About SAML 2.0-based Federation
Create and Configure IAM Roles:
Create IAM roles in AWS that correspond to different LDAP groups. Each role should have the appropriate permissions for its specific job function.
Reference: Creating IAM Roles
Set Up Identity Provider in AWS:
Create a SAML 2.0 identity provider entity in IAM that represents your LDAP-backed identity provider. This establishes the trust relationship between AWS and your LDAP directory: each federated IAM role's trust policy names this provider as the federated principal allowed to call sts:AssumeRoleWithSAML.
Reference: Creating and Managing a SAML Identity Provider
Assign IAM Roles to SAML Provider:
Map the LDAP group membership to IAM roles. This allows users to assume the roles based on their LDAP group membership.
Reference: Configuring SAML Assertions for Role-Based Access Control
By federating the LDAP directory with IAM using SAML, the organization can leverage existing LDAP credentials and group memberships to manage access to AWS resources effectively.
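The four steps above come together in two artifacts: the trust policy attached to each federated role, and the Role / RoleSessionName attributes the identity provider places in the SAML assertion so that a user's LDAP groups select the roles they may assume. The script below is an added example, not part of the original question or of AWS's own documentation; the account id, provider name, group DNs and role names are constructed placeholders, while the attribute names, the `role_arn,provider_arn` value format and the `sts:AssumeRoleWithSAML` trust-policy shape are the documented ones. It also includes a small review check that a trust policy is scoped to the intended provider and audience, which is the kind of misconfiguration that turns "federate with our LDAP" into "federate with anyone".

```python
"""Map LDAP group membership to IAM roles for SAML 2.0 federation.

Added example, not code from the original page or from AWS. Account id,
provider name, group DNs and role names are constructed placeholders.
"""
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed mapping: one LDAP group per job function -> one IAM role.
GROUP_TO_ROLE = {
    "cn=aws-network-admins,ou=groups,dc=example,dc=com": "NetworkAdmin",
    "cn=aws-dba,ou=groups,dc=example,dc=com": "DatabaseAdmin",
    "cn=aws-readonly,ou=groups,dc=example,dc=com": "ReadOnly",
}


def provider_arn(account_id: str, provider_name: str) -> str:
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy each federated role needs: only the named SAML provider
    may call AssumeRoleWithSAML, and only with assertions addressed to AWS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, provider_name)},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def saml_attributes(username: str, user_groups: list,
                    account_id: str, provider_name: str) -> dict:
    """Build the Role / RoleSessionName attribute values the IdP would put in
    the assertion. Unmapped groups are ignored; a user in no mapped group gets
    an empty Role list, so sign-in fails closed rather than defaulting."""
    roles = [
        f"{role_arn(account_id, GROUP_TO_ROLE[g])},{provider_arn(account_id, provider_name)}"
        for g in user_groups if g in GROUP_TO_ROLE
    ]
    return {ROLE_ATTR: roles, SESSION_NAME_ATTR: username}


def trust_policy_is_scoped(policy: dict, expected_provider: str) -> bool:
    """Review check: every statement trusts exactly the expected provider,
    allows only AssumeRoleWithSAML and pins the SAML audience."""
    statements = policy.get("Statement", [])
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            return False
        if stmt.get("Principal", {}).get("Federated") != expected_provider:
            return False
        actions = stmt.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRoleWithSAML"]:
            return False
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("SAML:aud") != SAML_AUDIENCE:
            return False
    return bool(statements)


if __name__ == "__main__":
    acct, idp = "123456789012", "CorpLDAP"  # placeholders
    print(json.dumps(trust_policy(acct, idp), indent=2))
    print(saml_attributes("jdoe", [list(GROUP_TO_ROLE)[0]], acct, idp))
```

The point of keeping the group-to-role mapping explicit and failing closed is that the IdP, not AWS, decides which roles appear in the assertion; a group that is not in the map grants nothing, and a role whose trust policy fails `trust_policy_is_scoped` should not be deployed.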