Reply To: Review Mode Set 3 Question 18
Hi VitalyKr,
The flow you described does not necessarily mean that an on-premises user is directly accessing a VPC resource. The web application in the VPC is the one making the call to the on-premises custom identity broker, not the user directly. The user’s request is being forwarded through the web application, which acts as a proxy. This doesn’t violate the principle of separation of concerns as the web application isn’t handling the authorization itself, but rather coordinating with the on-premises broker.
As for the STS calls, they are made by the on-premises broker, not the web application. The broker is responsible for authenticating the user against the LDAP server, calling STS to get temporary credentials, and then providing these credentials to the web application.
If you have multiple applications in your VPC, you wouldn’t need to include the authorization logic in each app. Instead, the custom identity broker would handle the authorization for all applications, ensuring a separation of concerns. AWS does recommend using STS directly if you’re not using Cognito, but this doesn’t mean that the call to STS has to originate from an on-premises-hosted authorization orchestrator. It’s possible to securely call STS from a VPC-hosted application as long as you’re following best practices for securing the credentials used to make the STS call.
I hope this helps! Let me know if you have any more questions.
Best Regards.
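To make the split of responsibilities in the reply concrete, here is an added example of the broker flow it describes (this is not code from the thread, the course, or AWS). The on-premises directory, the group-to-role mapping, the account id in the role ARNs and the FakeSTS client are all constructed for illustration; the choice of AssumeRole as the STS call is an assumption, and FakeSTS only mirrors the request and response shape of boto3's sts.assume_role so that a real boto3.client("sts") could be passed in its place. The point to notice is which component holds what: the broker owns the LDAP bind, the authorization policy and the STS call; the web application only ever sees short-lived credentials.

```python
"""Custom identity broker flow in the shape the reply above describes.

Added example: not code from the forum thread, the course, or AWS. The
directory, the role mapping, the account id and the FakeSTS client are
constructed for illustration. FakeSTS mirrors the call and response shape
of boto3's sts.assume_role, so boto3.client("sts") can replace it.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# --- stand-in for the on-premises LDAP directory (constructed, not a real client) ---
_FAKE_DIRECTORY: Dict[str, tuple] = {}

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_fake_user(username: str, password: str, groups) -> None:
    salt = secrets.token_bytes(16)
    _FAKE_DIRECTORY[username] = (salt, _hash_pw(password, salt), frozenset(groups))

def ldap_bind(username: str, password: str) -> Optional[FrozenSet[str]]:
    """Simulated LDAP simple bind: the user's groups on success, None on any failure."""
    entry = _FAKE_DIRECTORY.get(username)
    if entry is None:
        return None
    salt, digest, groups = entry
    if not hmac.compare_digest(digest, _hash_pw(password, salt)):
        return None
    return groups

# --- stand-in for STS (constructed); a real boto3 client has the same call/response shape ---
class FakeSTS:
    def __init__(self) -> None:
        self.calls = []

    def assume_role(self, RoleArn: str, RoleSessionName: str, DurationSeconds: int = 3600) -> dict:
        self.calls.append((RoleArn, RoleSessionName, DurationSeconds))
        return {"Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(60),
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }}

# --- the broker: the only component holding the group -> role policy (hypothetical values) ---
GROUP_TO_ROLE = {
    "cn=reporting,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/ReportReadOnly",
    "cn=ops,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/OpsWriter",
}
MAX_SESSION_SECONDS = 900  # the broker caps the duration regardless of what an app asks for

class BrokerError(Exception):
    pass

def broker_get_credentials(username, password, role_arn, sts, requested_seconds=3600) -> dict:
    """Authenticate against the directory, authorize the role by group, call STS,
    and hand back nothing but temporary credentials."""
    groups = ldap_bind(username, password)
    if groups is None:
        raise BrokerError("authentication failed")  # same message for unknown user and bad password
    if role_arn not in {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}:
        raise BrokerError("not authorized for role")
    duration = min(int(requested_seconds), MAX_SESSION_SECONDS)
    # The session name carries the user identity so CloudTrail attributes the role use to a person.
    safe_user = "".join(c for c in username if c.isalnum() or c in "-_")[:48]
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="broker-" + safe_user,
                           DurationSeconds=duration)
    c = resp["Credentials"]
    return {"access_key_id": c["AccessKeyId"], "secret_access_key": c["SecretAccessKey"],
            "session_token": c["SessionToken"], "expires_at": c["Expiration"]}

# --- the VPC web application: proxies the login and keeps only short-lived credentials ---
def app_login(username, password, role_arn, sts, now=None) -> Optional[dict]:
    """Returns usable temporary credentials or None. The app has no LDAP connection,
    no role mapping and no long-term AWS keys; everything comes from the broker."""
    try:
        creds = broker_get_credentials(username, password, role_arn, sts)
    except BrokerError:
        return None
    now = now or datetime.now(timezone.utc)
    if creds["expires_at"] <= now:  # refuse credentials that arrived already expired
        return None
    return creds
```

Two details are worth keeping when this is built for real: the broker, not the application, decides the session duration, so an over-generous request from an app is clamped, and the RoleSessionName is derived from the authenticated user so that CloudTrail entries for the assumed role can be traced back to a person rather than to "the web app".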