A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC), and is
connected to the corporate data center via an IPsec VPN. The application must authenticate
against the on- premises LDAP server. After authentication, each logged-in user can only access
an Amazon Simple Storage Space (S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? Choose 2 answers

A.
The application authenticates against IAM Security Token Service using the LDAP credentials.
The application uses those temporary AWS security credentials to access the appropriate S3
bucket.

B.
Develop an identity broker that authenticates against LDAP, and then calls IAM Security Token
Service to get IAM federated user credentials.
The application calls the Identity broker to get IAM federated user credentials with access to the
appropriate S3 bucket.

C.
The application authenticates against LDAP, and retrieves the name of an IAM role associated
with the user.
The application then calls the IAM Security Token Service to assume that IAM role.
The application can use the temporary credentials to access the appropriate S3 bucket.

D.
The application authenticates against LDAP.
The application then calls the AWS Identity and Access Management (IAM) Security Service to
log in to IAM using the LDAP credentials.
The application can use the IAM temporary credentials to access the appropriate S3 bucket.

E.
Develop an identity broker that authenticates against IAM Security Token Service to assume an
IAM role in order to get temporary AWS security credentials.
The application calls the identity broker to get AWS temporary security credentials with access to
the appropriate S3 bucket.

Explanation:
Imagine that in your organization, you want to provide a way for users to copy data from their
computers to a backup folder. You build an application that users can run on their computers. On
the back end, the application reads and writes objects in an S3 bucket. Users don’t have direct
access to AWS. Instead, the application communicates with an identity provider (IdP) to
authenticate the user. The IdP gets the user information from your organization’s identity store
(such as an LDAP directory) and then generates a SAML assertion that includes authentication
and authorization information about that user. The application then uses that assertion to make a
call to the AssumeRoleWithSAML API to get temporary security credentials. The app can then
use those credentials to access a folder in the S3 bucket that’s specific to the user.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html