You are managing the AWS account of a big organization. The organization has more than 1000+ employees
and they want to provide access to the various services to most of the employees. Which of the below
mentioned options is the best possible solution in this case?
A.
The user should create a separate IAM user for each employee and provide access to them as per the policy
B.
The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2
instance and setup AWS authentication on that server
C.
The user should create IAM groups as per the organization’s departments and add each user to the group
for better access control
D.
Attach an IAM role with the organization’s authentication service to authorize each user for various AWS
services
Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user
permissions for various AWS services. The user is managing an AWS account for an organization that already
has an identity system, such as the login system for the corporate network (SSO.. In this case, instead of
creating individual IAM users or groups for each user who need AWS access, it may be more practical to use a
proxy server to translate the user identities from the organization network into the temporary AWS security
credentials. This proxy server will attach an IAM role to the user after authentication.
D.
Attach an IAM role with the organization’s authentication service to authorize each user for various AWS
services
1
0
d
0
0
D
https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/
0
0
For users accessing the AWS Management Console, the IAM role that the user assumes governs access to AWS resources within your AWS account. The role is where you define what you allow a federated user to do after they sign in.
1
0
Dddddddd
0
0
D – https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-apps/
In this solution, you create a SAML identity provider (IdP) in AWS Identity and Access Management (IAM) to establish trust with your Google IdP in order to permit your Google Apps users to access the AWS Management Console. The AWS administrator delegates responsibility for authentication to a trusted IdP—in this case Google Apps—and uses SAML 2.0. This allows an IAM role to grant the federated user permissions to sign in to the AWS Management Console and access your AWS resources.
0
0
The question talks about general user authentications/authorizations. Basically, it is same as we usually (on-premise) do when we’re creating applications that need have users to be authenticated; this authentication process is transparent to the users since the applications running on the internal networks and users have been already authenticated while they log on to their office workstations. This authentication process goes against the organization’s identity management systems, say, Windows AD service. Further, we need to identify users to allow them to use some applications that are not open to every employees within the organization; we program this authorization process against AD user groups, or the applications’ own database systems. In short, the AD services, AD user groups, and applications’ database systems are referred as “organization’s authentication service” in the questions. In AWS exams, scenarios on hybrid cloud platforms, AD Connect and domain replicas are just referring to such stories.
0
0