Timed Mode Set 3 – Setup onprem AD with AWS IAM
JR-TutorialsDojo updated 1 month, 1 week ago 2 Members · 2 Posts
Could you help me review the answer to this question?
A large software company has an on-premises LDAP server and has established an IPSec VPN connection between its on-premises network and its VPC in AWS. The company wants to enable employees to access AWS resources using the same corporate account used inside the company network.
Which of the following actions should the solutions architect implement to achieve the company’s requirements?
1. Create an identity broker that authenticates against the on-premises LDAP server and then calls AWS STS to assume an IAM role, generating temporary AWS security credentials. The employees can use these credentials to access AWS resources.
2. Set up a federation between the on-premises LDAP server and AWS IAM. When employees authenticate against the LDAP server, retrieve the name of an IAM role associated with the user. Use AWS STS to assume that IAM role and provide the employees with temporary credentials to access AWS resources.
Why is the second option incorrect? Judging from the AWS documentation below, setting up action 2 does provide an in-house portal to log in, then redirects the user to the console. Option 1 requires us to build an in-house identity broker, which should be more work.
Hello Nguyen Nguyen Hoang,
Thank you for your feedback.
AWS recommends that you require human users to access AWS resources through federation with an identity provider (IdP) rather than creating individual IAM users in your AWS account. By using an IdP, you can manage user identities outside of AWS and grant these external user identities the permissions needed to use your AWS resources.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Option 2 is not suitable in this context because AWS IAM does not directly support federation with an on-premises LDAP server. Instead, it requires an intermediary identity provider (IdP) that supports SAML 2.0 or OIDC, such as Active Directory Federation Services (AD FS), to facilitate the connection between LDAP authentication and AWS.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Option 1 correctly acknowledges the need for an identity broker, which is exactly what a SAML IdP like AD FS does.
Hope this helps! Let us know if you need further assistance.
Regards,
JR @ Tutorials Dojo
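The identity-broker flow that option 1 describes (LDAP authentication, group-to-role mapping, STS AssumeRole for temporary credentials), as an added Python example that is not part of this thread or of AWS's documentation. The group DNs, role ARNs and account id are constructed placeholders; the LDAP bind and the STS call are injected callables so the flow runs offline, with a boto3-backed STS wrapper included for real use.

```python
import re
from typing import Dict, Iterable

# Constructed mapping: on-premises LDAP group DN -> IAM role that group may assume.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=aws-readonly,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/OnPremReadOnly",
    "cn=aws-admins,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/OnPremAdmin",
}
_UNSAFE = re.compile(r"[^\w+=,.@-]")  # STS RoleSessionName allows only [\w+=,.@-], 2..64 chars


def session_name_for(username: str) -> str:
    """Derive RoleSessionName from the corporate login so CloudTrail shows who assumed the role."""
    name = _UNSAFE.sub("_", username)[:64]
    if len(name) < 2:
        raise ValueError("username too short for a RoleSessionName")
    return name


def resolve_role(member_of: Iterable[str], requested_role: str) -> str:
    """Grant requested_role only if one of the user's LDAP groups is mapped to it (least privilege)."""
    entitled = {GROUP_TO_ROLE[g.lower()] for g in member_of if g.lower() in GROUP_TO_ROLE}
    if requested_role not in entitled:
        raise PermissionError(f"{requested_role} is not mapped to any of the user's groups")
    return requested_role


def broker_credentials(username, password, requested_role, authenticate, assume_role, duration=3600):
    """Identity-broker flow: LDAP bind -> group lookup -> role entitlement check -> sts:AssumeRole.
    authenticate(username, password) binds to LDAP and returns the user's group DNs (raises on failure);
    assume_role(**kwargs) wraps sts:AssumeRole. Both are injected (hypothetical) so this runs offline."""
    if not password:
        # An empty password is an anonymous bind on many LDAP servers, never a successful login.
        raise PermissionError("empty password rejected")
    groups = authenticate(username, password)
    role_arn = resolve_role(groups, requested_role)
    return assume_role(RoleArn=role_arn, RoleSessionName=session_name_for(username),
                       DurationSeconds=duration)


def sts_assume_role(**kwargs):
    """Real STS call via boto3; the broker's own identity needs sts:AssumeRole on the mapped roles."""
    import boto3
    return boto3.client("sts").assume_role(**kwargs)["Credentials"]
```

The temporary credentials returned by STS carry an Expiration, so the broker hands out short-lived access tied to the corporate login rather than long-lived IAM user keys.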