Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 222 discussion

A company is planning to create an organization by using AWS Organizations. The company needs to integrate user management with the company’s external identity provider (IdP). The company also needs to centrally manage access to all of its AWS accounts and applications from the organization’s management account.

Which solution will meet these requirements?

  • A. Configure AWS Directory Service with the external IdP. Create IAM policies and associate them with users from the external IdP.
  • B. Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center.
  • C. Configure AWS Identity and Access Management (IAM) to use the external IdP as an IdP. Create IAM policies and associate them with users from the external IdP.
  • D. Enable Amazon Cognito in the organization’s management account. Create an identity pool and associate it with the external IdP. Create IAM roles and associate them with the identity pool.
Suggested Answer: B

Comments

molerowan
2 days, 19 hours ago
Selected Answer: B
  • Integration with External IdP: IAM Identity Center supports SAML 2.0 and SCIM for seamless integration with external identity providers (e.g., Azure AD, Okta). Users authenticate via the corporate IdP and access AWS resources through the AWS access portal.
  • Centralized Access Management:
    • Permission Sets: Define roles (e.g., ReadOnly, Administrator) in the management account and assign them to users/groups from the external IdP. These sets apply across all AWS accounts in the organization.
    • Account Assignments: Assign users/groups to specific AWS accounts with predefined permissions, eliminating per-account IAM role configuration.
  • AWS Organizations Compatibility: When enabled in the management account, IAM Identity Center becomes the central hub for managing access across all member accounts.
upvoted 1 times
molerowan
2 days, 19 hours ago
  • A (Directory Service): AWS Directory Service creates/manages directories (e.g., Managed AD), but does not natively integrate with external IdPs for cross-account access.
  • C (IAM Federation): IAM roles with SAML federation require per-account setup, which is inefficient for large organizations.
  • D (Cognito): Amazon Cognito is for customer identity (B2C), not workforce access to AWS accounts.
upvoted 1 times
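An added example (not from the poster or from AWS) of the permission-set-plus-account-assignment pattern described in the comment above, written as a Terraform configuration applied from the organization's management account. It assumes IAM Identity Center is already enabled with the external IdP as its identity source, that SCIM has provisioned a group named CloudAuditors, and that the two member account IDs are placeholders.

```hcl
# Added example: one permission set, assigned to an IdP-provisioned group in
# every listed member account. Identity Center creates the role in each account;
# no per-account IAM role or SAML provider configuration is needed.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  # Placeholder member account IDs; replace with your organization's accounts.
  member_accounts = ["111111111111", "222222222222"]
}

# Group synced from the external IdP via SCIM (looked up, not created here).
data "aws_identitystore_group" "auditors" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "CloudAuditors"
    }
  }
}

# Permission set: defined once in the management account, reusable everywhere.
resource "aws_ssoadmin_permission_set" "auditor" {
  name             = "Auditor"
  instance_arn     = local.instance_arn
  session_duration = "PT4H" # ISO 8601; short sessions limit credential exposure
}

resource "aws_ssoadmin_managed_policy_attachment" "auditor" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.auditor.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Account assignment: one per (principal, permission set, account) tuple.
# Adding an account to the list is the only change needed to grant access there.
resource "aws_ssoadmin_account_assignment" "auditor" {
  for_each           = toset(local.member_accounts)
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.auditor.arn
  principal_id       = data.aws_identitystore_group.auditors.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}
```

Group membership stays under the external IdP's control, so offboarding a user in the IdP removes their access to all assigned accounts after the next SCIM sync.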
Pmktechno
2 months, 2 weeks ago
Selected Answer: B
AWS IAM Identity Center (formerly AWS Single Sign-On): This service allows you to centrally manage access to multiple AWS accounts and applications. It integrates seamlessly with external IdPs, providing a unified identity management solution. Permission Sets and Account Assignments: IAM Identity Center enables you to create permission sets that define the permissions for users and groups. You can then assign these permission sets to users and groups across your AWS accounts, ensuring consistent access management. This approach provides a robust and scalable solution for managing user access and permissions across your AWS environment.
upvoted 1 times
IPLogic
3 months, 1 week ago
Selected Answer: B
The best solution for integrating user management with an external identity provider (IdP) and centrally managing access to all AWS accounts and applications is B. Enable AWS IAM Identity Center and use the external IdP as the identity source. Create permission sets and account assignments by using IAM Identity Center. AWS IAM Identity Center (formerly AWS Single Sign-On) allows you to connect your external IdP, such as Okta or Microsoft Entra ID, using SAML 2.0 or SCIM protocols. This setup enables centralized management of user access across all AWS accounts and applications within your organization.
upvoted 2 times
IPLogic
3 months, 1 week ago
Option D, which involves enabling Amazon Cognito and associating it with the external IdP, is not the best fit for this scenario because Amazon Cognito is primarily designed for managing user authentication and authorization for web and mobile applications. It is not specifically tailored for managing access across multiple AWS accounts within an organization.
upvoted 1 times
HappyG
3 months, 2 weeks ago
Selected Answer: B
Amazon Cognito is intended for managing access to user-facing applications, not for centralized management of AWS accounts and resources in an organization so D doesn't work.
upvoted 1 times
jdx000
3 months, 3 weeks ago
Selected Answer: D
D is more scalable
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other