Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 371 discussion

D is complete nonsense. Don't know why so many people are voting for it. "Configure a role policy that allows access to the ALB" - Come on, guys. ALB is accessed via http or https. You can restrict access via security groups not roles. Also cognito is mentioned in D but cognito is not connected to to the SAML provider. So B is the correct answer.

There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

Option B is right because: Cognito provides a federated identity provider that can integrate with the directory, making it easy to authenticate users against the application. By configuring the user pool with the metadata from the directory, you can leverage the existing authentication mechanism in the directory. Creating an app client and associating it with the user pool allows you to use Cognito as the authentication provider for the ALB. Specifying the authenticate-cognito action for the listener rule enables Cognito-based authentication for the ALB.

Option B focuses more on user identity management for web and mobile applications, providing rich user management features and flexible authentication processes. If the company's main requirement is to manage user identities and data for applications, then option B may be more appropriate. Option D focuses more on providing single sign on access to AWS accounts and applications for organizational employees, as well as integration with external identity providers through SAML. If the company wishes to integrate its existing identity management system (such as Microsoft Active Directory) with AWS accounts and applications, and wants employees to easily access these resources, then option D may be more appropriate.

IAM Identity Center is primarily designed for single sign-on (SSO) access to AWS accounts, applications, and services that are integrated with AWS. It provides centralized identity management for users accessing these resources. In contrast, the requirement here is for web application authentication directly tied to an intranet web application hosted on EC2 instances, not for general access to AWS resources.

ALB Authenticate users through corporate identities, using SAML, OpenID Connect (OIDC), or OAuth, through the user pools supported by Amazon Cognito. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

Option B

B vote

B vote

I vote for B

Option D: Per AWS doc " An Amazon Cognito user pool is a user directory for web and mobile app authentication and authorization. " . The question states " The company hosts an intranet web application". So, you can't select Cognito https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html

A: The Active Directory directory does not use OIDC. B: Make sense. C: Cannot add the directory as a new IAM IdP. D: Why "authenticate-cognito action"

A: Doesn't support OIDC directly. B: ALBs can interface directly to Cognito. The correct answer. C: Rubbish, as IAM doesn't directly interface to any AD. D: Mixes things up royally.

Attach the new role to all groups ???

Option D

refer to below. 46 I am on the Amazon Cognito team. Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap.

They have already AD so we have to use SSO.