Reply To: Timed Mode Set 3 – Setup onprem AD with AWS IAM
Hello Nguyen Nguyen Hoang,
Thank you for your feedback.
AWS recommends that you require human users to access AWS resources through federation with an identity provider (IdP) rather than creating individual IAM users in your AWS account. By using an IdP, you can manage user identities outside of AWS and grant these external user identities the permissions needed to use your AWS resources.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Option 2 is not suitable in this context because AWS IAM does not directly support federation with an on-premises LDAP server. Instead, it requires an intermediary identity provider (IdP) that supports SAML 2.0 or OIDC, such as Active Directory Federation Services (AD FS), to facilitate the connection between LDAP authentication and AWS.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
Option 1 correctly acknowledges the need for an identity broker, which is exactly what a SAML IdP like AD FS does.
Hope this helps! Let us know if you need further assistance.
Regards,
JR @ Tutorials Dojo
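Added example, not part of the reply above or of Tutorials Dojo's material: what the "identity broker" arrangement from Option 1 looks like on the AWS side. A federated user from AD FS never gets an IAM user; the IdP issues a SAML assertion and the user calls sts:AssumeRoleWithSAML against a role whose trust policy names the IAM SAML provider. The account id and provider name below are constructed placeholders; the policy shape, the sts:AssumeRoleWithSAML action and the SAML:aud audience value are standard AWS conventions. The audit function is a small defender-side check I wrote for this example, not an AWS API.

```python
"""Role trust policy for SAML federation (AD FS -> IAM role) plus a shape check.

Added example; the account id and provider name are constructed placeholders.
"""
import json

ACCOUNT_ID = "123456789012"      # constructed placeholder AWS account id
SAML_PROVIDER = "ExampleADFS"    # constructed placeholder IAM SAML provider name
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # AWS sign-in SAML audience


def saml_provider_arn(account_id: str, provider_name: str) -> str:
    """ARN of the IAM SAML provider object that represents the external IdP."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_saml_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy for a role that federated users assume through the SAML IdP.

    The role trusts only the named SAML provider, only for AssumeRoleWithSAML,
    and only when the assertion's audience is the AWS sign-in endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": saml_provider_arn(account_id, provider_name)},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


# Constructed "before" policy: same provider, but the SAML:aud condition was left out.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": saml_provider_arn(ACCOUNT_ID, SAML_PROVIDER)},
            "Action": "sts:AssumeRoleWithSAML",
        }
    ],
}


def audit_trust_policy(policy: dict, account_id: str) -> list:
    """Return findings for a role trust policy; empty means the expected federation shape."""
    findings = []
    expected_prefix = f"arn:aws:iam::{account_id}:saml-provider/"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Any-principal trust defeats the point of federating through a named IdP.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement trusts any principal (wildcard)")
            continue
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if "sts:AssumeRoleWithSAML" in actions:
            if not (isinstance(federated, str) and federated.startswith(expected_prefix)):
                findings.append("AssumeRoleWithSAML is not limited to this account's SAML provider")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append("missing or wrong SAML:aud condition")
    return findings


if __name__ == "__main__":
    good = build_saml_trust_policy(ACCOUNT_ID, SAML_PROVIDER)
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_trust_policy(good, ACCOUNT_ID))
    print("weak policy findings:", audit_trust_policy(WEAK_TRUST_POLICY, ACCOUNT_ID))
```

The SAML provider object in IAM is what stands in for AD FS; the LDAP directory behind AD FS is never referenced by IAM, which is why Option 2 (IAM talking to LDAP directly) has no equivalent policy to write.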