A corporate web application is deployed within an Amazon VPC, and is connected to the
corporate data center via IPSec VPN. The application must authenticate against the
on-premise LDAP server. Once authenticated, logged-in users can only access an S3
keyspace specific to the user. Which two approaches can satisfy the objectives? Choose 2
answers
A.
The application authenticates against LDAP, and retrieves the name of an IAM role
associated with the user. The application then calls the IAM Security Token Service to
assume that IAM Role. The application can use the temporary credentials to access the
appropriate S3 bucket.
B.
Develop an identity broker which authenticates against IAM Security Token Service to
assume an IAM Role to get temporary AWS security credentials. The application calls the
identity broker to get AWS temporary security credentials with access to the appropriate S3
bucket.
C.
The application authenticates against IAM Security Token Service using the LDAP
credentials. The application uses those temporary AWS security credentials to access the
appropriate S3 bucket.
D.
The application authenticates against LDAP. The application then calls the IAM Security
Service to login to IAM using the LDAP credentials. The application can use the IAM
temporary credentials to access the appropriate S3 bucket.
E.
Develop an identity broker which authenticates against LDAP, and then calls IAM
Security Token Service to get IAM federated user credentials. The application calls the
identity broker to get IAM federated user credentials with access to the appropriate S3
bucket.
I agree with the answer. AE
0
0
The question clearly states “authenticate against LDAP” which C and E don’t do. Note that A refers to “IAM temporary credentials”, but temporary credentials come from STS, not IAM. So A is out. Thus B and D are correct.
Source: https://acloud.guru/course/aws-certified-developer-associate/discuss/-K9rF4cEF05v3MNDBnRK/sample-iam-security-token-service-question
0
2
Hello Lucas,
I hope you lost in the options. The options posted are different from source do check it out. In acloud guru the answers were B & D and those two related to A & E.
I don’t understand why E can’t do, it authenticates against LDAP (it is clearly mentioned in the option) and option A do keep in mind STS is part of IAM. The temporary credentials are only issued in the IAM.
The correct Answers are A & E.
Here, how the process goes. First the application authenticates against LDAP with the help of identity broker and that particular user can have either role or credentials. Next, Identity broker will approach STS to validate the user policy and provide temporary security credentials. These are pushed to the application such that they can use the temporary credentials to access the S3.
1
0
The only possible answers are A & E:
B – there are no LDAP authentication, so this is incorrect
C – you cannot authenticate with STS directly using LDAP
D – same, it’s using LDAP credentials to logon directly, cannot be done
The key words are always “assume role” or “federated tokens”
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
“Imagine that in your organization, you want to provide a way for users to copy data from their computers to a backup folder. You build an application that users can run on their computers. On the back end, the application reads and writes objects in an S3 bucket. Users don’t have direct access to AWS. Instead, the application communicates with an identity provider (IdP) to authenticate the user. The IdP gets the user information from your organization’s identity store (such as an LDAP directory) and then generates a SAML assertion that includes authentication and authorization information about that user. The application then uses that assertion to make a call to the AssumeRoleWithSAML API to get temporary security credentials. The app can then use those credentials to access a folder in the S3 bucket that’s specific to the user.”
2
0
B & D is correct answer
0
0
I agree with Kelvin, D cant be right you cant use LDAP credentials directly on STS. Im going for A and E
0
0
A and E
0
0
A and E
0
0
A,E.
For me, A seems to be the scenario which we use AssumeRoleWithSAML and E seems to be the scenario which we use AssumeRoleWithWebIdentity.
B is wrong as it doesn’t mention LDAP.
C & D are wrong as they use LDAP credentials directly to authenticate with IAM.
0
0
A, E
0
0
A & E
0
0
yes A and E are correct
0
0
With federation, the client never directly authenticates against LDAP. The client ALWAYS hits the IDP first in order to get a token. That token is then presented to the STS where a temporary access token is returned. Any “answer” where the client directly authenticates against LDAP is going to be wrong. 🙂
0
0
AE
0
0