Exam AWS Certified Solutions Architect - Professional topic 1 question 843 discussion

A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts.
The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.
Which solution will meet these requirements?

  • A. Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross- domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
  • B. Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using AWS SSO permission sets.
  • C. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
  • D. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.
Suggested Answer: A
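As an added illustration (not part of the question or of any commenter's post), this is what the ABAC part of option A looks like once an Active Directory attribute has been passed through the SAML assertion and mapped in IAM Identity Center's attributes for access control, where it becomes the principal tag `aws:PrincipalTag/Department` for the federated session. The attribute name `Department`, the EC2 actions and the bucket listing are assumptions chosen for the example; the final Deny is the defensive check that stops a user from re-tagging a resource into their own department to widen their access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyDiscoveryForAllFederatedUsers",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedWithOwnDepartment",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
      }
    },
    {
      "Sid": "DenyChangingTheTagThatDrivesAccess",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["Department"]
        }
      }
    }
  ]
}
```

Attached as the inline policy of one permission set and assigned across the organization's accounts, the same document grants each user only the instances carrying their own department tag, so group or role changes are made once, in Active Directory, rather than per account.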

Comments

aca1
1 year, 6 months ago
I will go with A. When I look at this "conditional access to the accounts based on user groups and roles", this is conditional access based on groups and roles; this is clearly ABAC, access based on some conditions/attributes from the user. For example: if the user has a role of Manager (attribute) and a group of Finance (attribute), then the user accesses an AWS resource. Looking at "A company is using an on-premises Active Directory service for user authentication", this is SAML. To simplify all this integration AWS IAM Identity Center (AWS Single Sign-On)
upvoted 2 times
evargasbrz
1 year, 11 months ago
Selected Answer: A
I'll go with A
upvoted 1 times
skywalker
2 years, 1 month ago
Selected Answer: A
A https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/
upvoted 2 times
dcdcdc3
2 years, 2 months ago
AD Connector is needed for any option, or a 3rd-party IdP: https://getstarted.awsworkshop.io/05-optional/02-federated-access-to-aws/03-aws-sso-ad.html. Something/words may be missing from the answers. D seems to be 95% correct, except for the one-account deployment.
upvoted 2 times
daiditenan
2 years, 3 months ago
Selected Answer: C
Active Directory does not support SCIM at this point. Azure AD does, but it's not mentioned: https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html
upvoted 3 times
jxl_harry
2 years, 3 months ago
I choose A
upvoted 1 times
Student1950
2 years, 4 months ago
Correction: I will go with D, since Active Directory > MS Active Directory as per the options displayed while configuring AWS SSO. https://aws.amazon.com/blogs/architecture/field-notes-integrating-a-multi-forest-source-environment-with-aws-sso/
upvoted 1 times
Student1950
2 years, 4 months ago
A is correct as per the link https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html. D is correct only if the on-premises Active Directory is Microsoft AD, since you need to use AWS Directory Service to connect to MS AD through AWS SSO.
upvoted 1 times
aandc
2 years, 5 months ago
Selected Answer: A
vote for A
upvoted 3 times
hinfsynz
2 years, 5 months ago
Selected Answer: A
AAAAAA
upvoted 2 times
wannaaws
2 years, 5 months ago
To utilize the same authentication solution to log in to its AWS accounts, the IdP is the on-prem MS AD. So SAML 2.0 is needed, so D is preferred. SCIM is used for provisioning with an external IdP (Azure AD, CyberArk, JumpCloud, Okta etc.). https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html
upvoted 1 times
wannaaws
2 years, 5 months ago
Overlooked. D is with OIDC; well, it does not feel right. C is with SAML 2.0, but it should map users to a role, so it is not correct either. Is A the right use case in this scenario then?
upvoted 1 times
user0001
2 years, 7 months ago
A, you need to connect to on-prem AD
upvoted 1 times
user0001
2 years, 7 months ago
https://aws.amazon.com/identity/attribute-based-access-control/
upvoted 1 times
bobsmith2000
2 years, 7 months ago
Selected Answer: A
The AD would just be the source of truth. https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-users-groups-AD.html
upvoted 1 times
shailurtm2001
2 years, 7 months ago
B seems correct.
upvoted 1 times
shailurtm2001
2 years, 4 months ago
Right, changed to A.
upvoted 1 times
mirnuj_atom
2 years, 7 months ago
The question states that the clients have the Active Directory domain which they want to use as a source of truth. Can’t see where we connect the AD in B.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other