Member, June 28, 2020 at 3:17 pm
Thank you for your feedback.
Usually, for Professional level questions, when the option says “calls the STS to assume that IAM role” this means that the application (likely, on the EC2) has the appropriate “Assume Role” permission attached to its instance profile. So these “pre-credentials” for calling STS are already on the IAM instance profile. The application just needs to authenticate on LDAP to be able to get a token from STS and use it as temporary credentials.
Also, with the process of elimination, the other two choices are incorrect.
“Create an identity broker that authenticates against STS to assume an IAM role to generate temporary AWS security credentials. For user authentication, configure the web application to call the identity broker to get AWS temporary security credentials” is incorrect as the users need to be authenticated using LDAP first and not via STS.
“Integrate the on-premises LDAP server with IAM so the users can log into IAM using their corporate LDAP credentials. Once authenticated, they can use the temporary credentials to access any AWS resource” is incorrect as you cannot use the LDAP credentials to log into IAM.
With that in mind, the remaining two options are correct. Still, we will review the choices and possibly update to avoid confusion for this.
Hope this helps.
Kenneth Samonte @ Tutorials Dojo
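The identity-broker flow described in the reply above, as an added example that is not part of the original post or of any Tutorials Dojo material: the broker authenticates the user against the directory first and only then calls STS AssumeRole under the instance profile's own permissions. The in-memory user table, the FakeSts stand-in for a boto3 STS client and the role ARN are constructed placeholders.

```python
"""Identity broker: LDAP authentication first, then STS AssumeRole."""
from dataclasses import dataclass
import hashlib
import hmac
import re

# Constructed sample directory standing in for the corporate LDAP server
# (hypothetical user; real code would bind against LDAP with a library such as ldap3).
_LDAP_USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}

ROLE_ARN = "arn:aws:iam::123456789012:role/AppUserRole"  # placeholder account id


@dataclass
class TempCreds:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: int


class FakeSts:
    """Stand-in for boto3's STS client: records calls and returns canned credentials."""
    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls.append((RoleArn, RoleSessionName, DurationSeconds))
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": DurationSeconds}}


def ldap_authenticate(username, password):
    """True only if the user exists and the password matches (constant-time compare)."""
    digest = _LDAP_USERS.get(username)
    if digest is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(password.encode()).hexdigest())


def broker_get_credentials(sts, username, password, duration=3600):
    """The broker runs under the instance profile that holds sts:AssumeRole.
    Users never receive those long-lived credentials: LDAP must succeed before
    STS is called, and the session name carries the LDAP identity so CloudTrail
    attributes the resulting API calls to that user."""
    if not ldap_authenticate(username, password):
        return None  # no STS call at all on failed directory authentication
    # RoleSessionName allows only [\w+=,.@-] and at most 64 characters
    session_name = ("broker-" + re.sub(r"[^\w+=,.@-]", "_", username))[:64]
    resp = sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName=session_name,
                           DurationSeconds=duration)
    c = resp["Credentials"]
    return TempCreds(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], c["Expiration"])
```

Swapping FakeSts for `boto3.client("sts")` keeps the same `assume_role` keyword arguments.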