-
Clarification on Review Mode 2 Question 65
Neil-TutorialsDojo updated 7 months ago 2 Members · 4 Posts
-
A leading call center company has its headquarters in Seattle. Its corporate web portal is deployed to AWS. The AWS cloud resources are linked to its corporate data center via a link aggregation group (LAG), which terminates at the same AWS Direct Connect endpoint and is connected on a private virtual interface (VIF) in your VPC. The portal must authenticate against their on-premises LDAP server. Each Amazon S3 bucket can only be accessed by a logged-in user if it belongs to that user.
Which of the following options should the solutions architect implement in AWS to meet the company requirements? (Select TWO.)
-
(1) Authenticate against LDAP using an identity broker you created, and have it call IAM Security Token Service (STS) to retrieve IAM federated user credentials. The application then gets the IAM federated user credentials from the identity broker to access the appropriate S3 bucket.
-
(2) Create an identity broker that assumes an IAM role, and retrieve temporary AWS security credentials via IAM Security Token Service (STS). The application gets the AWS temporary security credentials from the identity broker to gain access to the appropriate S3 bucket.
-
(3) The application first authenticates against LDAP to retrieve the name of an IAM role associated with the user. It then assumes that role via a call to IAM Security Token Service (STS). Afterward, the application can now use the temporary credentials from the role to access the appropriate S3 bucket.
I've removed the wrong answers for brevity.
(1) is definitely right. However, I've been searching the AWS documentation on (2) vs (3). I had picked (2) because you can create a custom identity broker which calls STS AssumeRole on behalf of the application and hands off the credentials to the application, which is in the AWS documentation. However, the correct answer picks (3). I have not found any documentation where the "application first authenticates against LDAP to retrieve the name of an IAM role associated with the user. It then assumes that role via a call to IAM Security Token Service (STS)". (1) and (2) can be found here.
Can someone point out where AWS says an app can directly auth against LDAP WITHOUT an identity broker, and thus validate that (3) is right and why (2) is wrong?
-
-
Hi SalientListener,
Good day!
Thank you for your feedback.
To clarify why option (3) is correct, it is because it follows the correct sequence in conjunction with option (1). This means that it still uses an identity broker. The application first authenticates against LDAP to retrieve the name of an IAM role associated with the user and then assumes that role via a call to IAM Security Token Service (STS). The temporary credentials from this role allow access to the appropriate S3 bucket.
Option (2) is incorrect because, as explained in its explanation, it doesn’t follow the necessary sequence. It implies a direct interaction with STS without appropriately leveraging the identity broker to mediate the authentication process with LDAP.
I hope this clarifies the reasoning behind the correct answers. If you have more clarifications, please let us know.
Regards,
Neil @ Tutorials Dojo
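To make the sequence in (1) and (3) concrete, here is an added example of a custom identity broker that is not code from the original thread or from AWS: the broker (not the application) binds the user against LDAP, looks up the IAM role associated with that user, calls STS AssumeRole with a session policy scoped to the user's own bucket, and hands the temporary credentials back to the application. The directory entries, role ARNs, bucket names and the fake LDAP/STS back ends are constructed stand-ins so the code runs offline; in production you would inject a real LDAP bind (for example via ldap3) and `boto3.client("sts").assume_role`, whose keyword argument names the fake reproduces.

```python
"""Custom identity broker: LDAP -> IAM role lookup -> STS AssumeRole -> per-user S3 access.

The application never holds LDAP credentials or long-lived IAM keys; it only
receives the temporary credentials the broker obtains from STS.
"""
import json
from fnmatch import fnmatchcase

# Constructed stand-in for the on-premises LDAP directory (hypothetical users,
# account ID, role names and buckets). In production this comes from LDAP attributes.
FAKE_DIRECTORY = {
    "alice": {"password": "alice-pass",
              "role_arn": "arn:aws:iam::123456789012:role/PortalUserAlice",
              "bucket": "portal-alice"},
    "bob":   {"password": "bob-pass",
              "role_arn": "arn:aws:iam::123456789012:role/PortalUserBob",
              "bucket": "portal-bob"},
}


def fake_ldap_authenticate(username, password):
    """Stand-in for an LDAP simple bind. Returns the user's entry, or None on failure."""
    entry = FAKE_DIRECTORY.get(username)
    if entry is None or entry["password"] != password:
        return None
    return entry


class FakeSTS:
    """Stand-in for boto3's STS client: records each AssumeRole call and returns
    a response shaped like the real one (keys are the real boto3 names)."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        missing = {"RoleArn", "RoleSessionName"} - kwargs.keys()
        if missing:
            raise ValueError(f"AssumeRole missing required parameters: {sorted(missing)}")
        self.calls.append(kwargs)
        role_name = kwargs["RoleArn"].rsplit("/", 1)[1]
        return {
            "Credentials": {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",   # constructed values
                            "SecretAccessKey": "constructed-secret",
                            "SessionToken": "constructed-session-token",
                            "Expiration": "2024-01-01T01:00:00Z"},
            "AssumedRoleUser": {"Arn": f"arn:aws:sts::123456789012:assumed-role/{role_name}/{kwargs['RoleSessionName']}"},
        }


def bucket_scoped_policy(bucket):
    """Session policy passed to AssumeRole. Effective permissions are the intersection
    of the role's own policy and this one, so even a too-broad role cannot reach
    another user's bucket through these credentials."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    })


def policy_allows(policy_json, action, resource):
    """Tiny allow-only evaluator for the policies this broker emits (wildcard match on
    Action and Resource). Illustrative only; it is not a full IAM evaluator."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatchcase(action, a) for a in stmt["Action"]) and fnmatchcase(resource, stmt["Resource"]):
            return True
    return False


class IdentityBroker:
    def __init__(self, ldap_authenticate, sts_assume_role, duration_seconds=3600):
        self.ldap_authenticate = ldap_authenticate   # e.g. an ldap3 bind wrapper
        self.sts_assume_role = sts_assume_role       # e.g. boto3.client("sts").assume_role
        self.duration_seconds = duration_seconds

    def get_credentials(self, username, password):
        """Step 1: authenticate against LDAP and read the user's role mapping.
        Step 2: assume that role via STS, scoped to the user's bucket.
        Step 3: return only the temporary credentials to the application."""
        entry = self.ldap_authenticate(username, password)
        if entry is None:
            raise PermissionError("LDAP authentication failed")
        # RoleSessionName is limited to 64 characters and is what CloudTrail shows,
        # so carry the LDAP username in it for attribution.
        session_name = f"portal-{username}"[:64]
        resp = self.sts_assume_role(
            RoleArn=entry["role_arn"],
            RoleSessionName=session_name,
            Policy=bucket_scoped_policy(entry["bucket"]),
            DurationSeconds=self.duration_seconds,
        )
        creds = resp["Credentials"]
        return {"bucket": entry["bucket"],
                "assumed_role_arn": resp["AssumedRoleUser"]["Arn"],
                "access_key_id": creds["AccessKeyId"],
                "secret_access_key": creds["SecretAccessKey"],
                "session_token": creds["SessionToken"],
                "expiration": creds["Expiration"]}


if __name__ == "__main__":
    sts = FakeSTS()
    broker = IdentityBroker(fake_ldap_authenticate, sts.assume_role)
    print(broker.get_credentials("alice", "alice-pass"))
```

The application would load the returned keys and session token into its S3 client and nothing else; the session policy is the check that enforces "each bucket can only be accessed by the user it belongs to" even if a role is later over-provisioned.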
Hi Neil, sorry, I'm still confused.
There are two types of multiple-choice questions in these exams:
One type asks for the CHAIN of steps that will enable a solution (one answer will have part of the solution and a second answer will have the remainder, completing the solution).
The second type asks for the different ways you can enable the SAME solution (multiple answers will each be a correct and independent solution).
Which of these types are you explaining the answers for?
-
Hi SalientListener,
Good day! I am explaining the first type, the chain of steps.
Thank you.
-
-