A tech company that you are working for has undertaken a Total Cost Of Ownership (TCO) analysis evaluating the use of Amazon S3 versus acquiring more storage hardware. The result was that all 1200 employees would be granted access to use Amazon S3 for the storage of their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates a single sign-on feature from your corporate AD or LDAP directory and also restricts access for each individual user to a designated user folder in an S3 bucket? (Select TWO.)
A. Set up a matching IAM user for each of the 1200 users in your corporate directory that needs access to a folder in the S3 bucket.
B. Set up a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens.
C. Use 3rd party Single Sign-On solutions such as Atlassian Crowd, OKTA, OneLogin and many others.
D. Configure an IAM role and an IAM Policy to access the bucket.
E. Map each individual user to a designated user folder in S3 using Amazon WorkDocs to access their personal documents.
Answer: B, D
Explanation:
The question describes one of the common scenarios for temporary credentials in AWS. Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles. In this scenario it is called enterprise identity federation, because you also need to set up a single sign-on (SSO) capability.
The correct answers are:
– Set up a Federation proxy or an Identity provider
– Set up AWS Security Token Service to generate temporary tokens
– Configure an IAM role and an IAM Policy to access the bucket.
In an enterprise identity federation, you can authenticate users in your organization’s network, and then provide those users access to AWS without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like Security Assertion Markup Language (SAML) 2.0, with which you can use Microsoft AD FS to leverage your Microsoft Active Directory. You can also use SAML 2.0 to manage your own solution for federating user identities.
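As an added illustration (not part of the original question or of the AWS documentation), the following shows the role pairing the explanation describes: a trust policy that lets a SAML identity provider obtain the role through STS AssumeRoleWithSAML, and a permission policy that uses the ${saml:sub} policy variable so one role confines every federated user to home/<subject>/ in a single bucket. The bucket name, account id, provider name CorpADFS and the local check function are assumptions; the check is a simplified stand-in for IAM's own evaluation.

```python
import fnmatch
import json

BUCKET = "corp-personal-docs"          # constructed placeholder bucket name
ACCOUNT = "123456789012"               # constructed placeholder account id

# Trust policy: lets the SAML identity provider (AD FS in front of Active Directory,
# for example) hand out this role via AWS STS AssumeRoleWithSAML, so no IAM user
# is created for any of the 1200 employees.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:saml-provider/CorpADFS"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

# Permission policy on the same role: ${saml:sub} expands to the federated
# user's SAML subject at request time, so one role serves all users while
# each of them can only reach home/<subject>/.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # listing is limited to the user's own prefix
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["home/${saml:sub}/*"]}},
        },
        {   # object access is limited to keys under the user's own prefix
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/home/${{saml:sub}}/*",
        },
    ],
}

def resolve(policy: dict, saml_sub: str) -> dict:
    """Substitute the ${saml:sub} policy variable the way IAM does per request."""
    return json.loads(json.dumps(policy).replace("${saml:sub}", saml_sub))

def object_allowed(policy: dict, saml_sub: str, action: str, key: str) -> bool:
    """Simplified local check (assumed helper, not IAM's engine): default deny,
    Allow statements only, resource matched as a glob against the object ARN."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for st in resolve(policy, saml_sub)["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Allow" and action in actions and fnmatch.fnmatchcase(arn, st["Resource"]):
            return True
    return False
```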
Using third-party Single Sign-On solutions such as Atlassian Crowd, OKTA, OneLogin and many others is incorrect, since you do not have to use third-party solutions to provide the access. AWS already provides the necessary tools for this situation.
Mapping each individual user to a designated user folder in S3 using Amazon WorkDocs to access their personal documents is incorrect, as there is no direct way of integrating Amazon S3 with Amazon WorkDocs for this particular scenario. Amazon WorkDocs is simply a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content, and because it is stored centrally on AWS, you can access it from anywhere on any device.
Setting up a matching IAM user for each of the 1200 users in your corporate directory that needs access to a folder in the S3 bucket is incorrect, since creating that many IAM users would be unnecessary. Also, you want the account to integrate with your AD or LDAP directory, so IAM users do not fit these criteria.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
https://aws.amazon.com/premiumsupport/knowledge-center/iam-s3-user-specific-folder/
AWS Identity Services Overview:
https://youtu.be/AIdUw0i8rr0