Member, June 27, 2020 at 3:14 pm
Hello, the following question is not clear to me:
You are working for a large software company which has an on-premises LDAP server and a web application hosted on their VPC. As the Solutions Architect, you are the one who established an IPSec VPN connection between the VPC and the on-premises location.
In this scenario, which of the following options can allow the employees to access the web application and other AWS resources using their corporate account? (Choose 2)
Correct answers:
1/ Launch an identity broker that authenticates against LDAP server and then calls STS to get IAM federated user credentials. Configure the web application to call the identity broker that you created to get IAM federated user credentials with access to the appropriate AWS service. OK
2/ Configure the web application to authenticate against the on-premises LDAP server and retrieve the name of an IAM role associated with the user. The application then calls the STS to assume that IAM role. The application can use the temporary credentials to access any AWS resource.
The 2nd answer states that the app directly authenticates to the on-prem LDAP, retrieves a role, and calls STS to assume that role.
It means that it's calling the sts assumeRole command with the role name, but AWS states that you must use credentials for an IAM user or an IAM role to call AssumeRole, and there's no mention of using these "pre credentials" for calling STS.
Can you please clarify?
Member, June 28, 2020 at 3:17 pm
Thank you for your feedback.
Usually, for Professional level questions, when the option says "calls the STS to assume that IAM role" this means that the application (likely, on the EC2) has the appropriate "Assume Role" permission attached to its instance profile. So these "pre credentials" for calling STS are already on the IAM instance profile. The application just needs to authenticate on LDAP to be able to get a token from STS and use it as temporary credentials.
Also, with the process of elimination, the other two choices are incorrect.
"Create an identity broker that authenticates against STS to assume an IAM role to generate temporary AWS security credentials. For user authentication, configure the web application to call the identity broker to get AWS temporary security credentials" is incorrect as the users need to be authenticated using LDAP first and not via STS.
"Integrate the on-premises LDAP server with IAM so the users can log into IAM using their corporate LDAP credentials. Once authenticated, they can use the temporary credentials to access any AWS resource" is incorrect as you cannot use the LDAP credentials to log into IAM.
With that in mind, the remaining two options are correct. Still, we will review the choices and possibly update to avoid confusion for this.
Hope this helps.
Kenneth Samonte @ Tutorials Dojo
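The broker flow Kenneth describes, as an added example that is not from the thread or from Tutorials Dojo: the EC2 instance role's policy is the "pre credentials", the LDAP lookup supplies the role name, and the app builds the AssumeRole call from its instance-profile identity. The account id, role names and the in-memory directory are constructed placeholders; the real LDAP bind and the STS network call are left out so it runs offline.

```python
import re

ACCOUNT = "123456789012"  # constructed placeholder account id, not a real account
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/web-app-instance-role"  # assumed name

# Constructed stand-in for the on-premises directory: user -> (password, IAM role
# name held in a custom LDAP attribute). A real broker would do an LDAP bind.
FAKE_LDAP = {
    "alice": ("s3cret", "ReportsReadOnly"),
    "bob": ("hunter2", "BillingAdmin"),
}

def ldap_authenticate(user, password):
    """Authenticate the corporate user and return the IAM role name mapped to them."""
    entry = FAKE_LDAP.get(user)
    if entry is None or entry[0] != password:
        return None
    return entry[1]

def instance_role_policy(allowed_roles):
    """Permission policy on the EC2 instance role: the 'pre credentials' from the
    thread. sts:AssumeRole is scoped to named roles, never to Resource '*'."""
    arns = [f"arn:aws:iam::{ACCOUNT}:role/{r}" for r in allowed_roles]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}]}

def trust_policy():
    """Trust policy each target role needs so that the instance role may assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": INSTANCE_ROLE_ARN},
         "Action": "sts:AssumeRole"}]}

def session_name(user):
    # RoleSessionName must match [\w+=,.@-]{2,64}; tying it to the LDAP user makes
    # the CloudTrail record attributable to a person, not just to the application.
    return re.sub(r"[^\w+=,.@-]", "_", f"ldap-{user}")[:64]

def assume_role_request(user, password, allowed_roles, duration=3600):
    """Build the sts:AssumeRole parameters the app would pass (e.g. to boto3's
    sts.assume_role) with its instance-profile credentials; raises on failure."""
    role = ldap_authenticate(user, password)
    if role is None:
        raise PermissionError("LDAP authentication failed")
    arn = f"arn:aws:iam::{ACCOUNT}:role/{role}"
    if arn not in instance_role_policy(allowed_roles)["Statement"][0]["Resource"]:
        raise PermissionError(f"instance role is not allowed to assume {arn}")
    return {"RoleArn": arn, "RoleSessionName": session_name(user),
            "DurationSeconds": duration}
```

The target role's trust policy and the instance role's permission policy must both allow the call; the LDAP result only chooses which of the already-permitted roles is requested.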
Member, June 28, 2020 at 3:50 pm
Hello, thank you for your answer.
You are perfectly right; anyway, the elimination process works in that case.
I even think you should not update the question, as I already passed the Pro and Specialty exams and lots of questions have this kind of missing point.