
  • Possible Error in Federate IAM question:

  • PeterMescher

    Member
    March 11, 2023 at 9:55 am

    From Bank #2: A leading call center company has its headquarters in Seattle. Its corporate web portal is deployed to AWS. The AWS cloud resources are linked to its corporate data center via a link aggregation group (LAG), which terminates at the same AWS Direct Connect endpoint and is connected on a private virtual interface (VIF) in your VPC. The portal must authenticate against their on-premises LDAP server. Each Amazon S3 bucket can only be accessed by a logged-in user if it belongs to that user.

    One of the correct answers is: “The application first authenticates against LDAP to retrieve the name of an IAM role associated with the user. It then assumes that role via a call to IAM Security Token Service (STS). Afterward, the application can now use the temporary credentials from the role to access the appropriate S3 bucket.”

    However, retrieving just the name of the IAM role is insufficient; to assume a role, you must already be authenticated with IAM, correct? Shouldn’t the broker be making the assume-role call, and then passing the returned STS credential to the application? Just retrieving the name of the role in question and passing it to the application will not be sufficient. (That would be wildly insecure.)

  • Kenneth-Samonte-Tutorials-Dojo

    Member
    March 18, 2023 at 5:20 pm

    Hello PeterMescher,

    Thank you for the feedback.

    Thank you for your feedback.

    This question has two options which are correct and are independent of each other, which means the implementation of one option is complete enough to satisfy all requirements of the question.

    One correct option is: “The application first authenticates against LDAP to retrieve the name of an IAM role associated with the user. It then assumes that role via a call to IAM Security Token Service (STS). Afterwards, the application can now use the temporary credentials from the role to access the appropriate S3 bucket.”

    >> This option provides a complete answer, as it first authenticates with the LDAP server to verify the user. There is no mention of an identity broker in this option, but it states that the “application first authenticates against LDAP”, which means the application itself is the broker. After the application successfully authenticates, it contacts the STS service to get the temporary security tokens that will be used for federation.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!

    Regards,

    Kenneth Samonte @ Tutorials Dojo
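The broker flow both posts describe (authenticate against LDAP, look up the user's role server-side, call STS AssumeRole with the broker's own credentials, hand only temporary credentials to the application), as an added example that is not part of this thread or of Tutorials Dojo's material. The role mapping, bucket naming scheme, account id and the LDAP/STS stand-ins are constructed so it runs offline; with boto3 the real call is `boto3.client("sts").assume_role` with the same keyword arguments.

```python
import json
import re

# Constructed mapping from directory user to IAM role. In a real deployment this is
# an LDAP attribute or an admin-maintained table; the client never supplies it.
USER_ROLE_MAP = {"alice": "arn:aws:iam::123456789012:role/PortalUser-alice"}
BUCKET_PREFIX = "example-portal-"   # constructed per-user bucket naming scheme


def session_policy_for(username):
    """Session policy passed to AssumeRole. It intersects with the role's own policy,
    so even a broadly permissioned role yields credentials for this user's bucket only."""
    bucket = f"arn:aws:s3:::{BUCKET_PREFIX}{username}"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{bucket}/*"}]})


def broker_login(username, password, ldap_bind, assume_role):
    """Verify the user against LDAP, choose the role server-side, call STS with the
    broker's credentials, and return only the temporary credentials (or None).
    ldap_bind(user, pw) -> bool and assume_role(**kw) -> dict are injected stand-ins."""
    if not ldap_bind(username, password):
        return None                       # unauthenticated: STS is never contacted
    role_arn = USER_ROLE_MAP.get(username)
    if role_arn is None:
        return None                       # authenticated but unmapped: deny by default
    # RoleSessionName must match [\w+=,.@-]{2,64}; tying it to the user makes the
    # session identifiable in CloudTrail.
    session_name = re.sub(r"[^\w+=,.@-]", "_", username)[:64]
    resp = assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                       Policy=session_policy_for(username), DurationSeconds=900)
    return resp["Credentials"]            # AccessKeyId, SecretAccessKey, SessionToken, Expiration


# Offline stand-ins (constructed): a two-user directory and an STS that records the
# request so the scoping decisions made by the broker are visible.
FAKE_DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}   # bob has no role mapped
LAST_STS_REQUEST = {}

def fake_ldap_bind(username, password):
    return FAKE_DIRECTORY.get(username) == password

def fake_assume_role(**kw):
    LAST_STS_REQUEST.clear()
    LAST_STS_REQUEST.update(kw)
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                            "SessionToken": "y", "Expiration": "2023-03-11T10:10:00Z"}}
```

Calling `broker_login("alice", "correct horse", fake_ldap_bind, fake_assume_role)` returns the temporary credentials, while a wrong password or an authenticated user with no mapped role (bob) returns None without any STS call.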
