Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise
LDAP (Lightweight Directory Access Protocol) directory service?
A.
Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B.
Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C.
Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D.
Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E.
Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
B.
https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf
0
0
B
0
0
C
0
0
B
0
0
B
0
0
I believe is C
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
People who chose B, Can you explain why?
A SAML assertion should be generated by an identity provider and then pass it to AWS Security Token Service by the client. As I see it, B answer: “Use SAML to enable SSO” is very imprecise.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
0
0
It is SAML
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
0
0
It should be C as the link you gave still needs AD Connector which the answer does not mention. There should be a Identity Provider like Shibboleth as in link https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/ or an custom identity broker.
0
0
Yes, I shoud be C (Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials).
Identity Broken will use LDAP Directory to get authen and create Token,
User will use Token to access to AWS server (Token mapping with IAM policy)
0
0
I will go for B
The problem of C: the AWS security token service is NOT from Identity broker.
1
0
Correct answer is C.
Refer below link:
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
0
0
This test is really similar to other cert tests. It is more about “Can you decipher our ambiguous wording” vs whether or not you are actually knowledgeable on the subject.
0
0
C – https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
0
0
C – see AWS identify federation.
0
0
Answer is C
0
0