Q56 — AWS SAP-C02 Ch.1


Q131. A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts. The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location. Which solution will meet these requirements?

Correct Answer: A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).

Explanation

A: Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. AWS SSO provides a user portal for easy access to AWS accounts and applications. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol, which enables automatic synchronization of user identities between AWS SSO and Active Directory. Grant access to the AWS accounts by using attribute-based access controls (ABAC), which allows access to be granted based on attributes such as user groups and roles.

Option B involves using IAM Identity Center, which is designed to work with external identity providers using SAML or OIDC. This option may require additional configuration and management overhead.

Option C involves configuring IAM in one account and using cross-account IAM users to grant access to other accounts. This option does not meet the requirement of managing user identities in a single location.

Option D involves configuring IAM in one account and using cross-account IAM roles to grant access to other accounts. This option also does not meet the requirement of managing user identities in a single location.

Therefore, option A provides a simple and effective solution that leverages AWS SSO to connect to Active Directory and enable conditional access to AWS accounts based on user groups and roles, while minimizing operational overhead. A is correct as per the link https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html.

D is correct only if the on-premises Active Directory is Microsoft AD, since you need to use AWS Directory Service to connect to MS AD through AWS SSO.
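The following permission-set policy is an added illustration of the ABAC part of option A; it is not from the original question or from AWS documentation. It assumes that the user attribute `Department` has been mapped as an access-control attribute in IAM Identity Center (so it arrives on the session as `aws:PrincipalTag/Department`, populated from the SCIM-synchronized directory attribute), and that EC2 instances carry a `Department` tag. The attribute name and tag key are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsNotResourceScoped",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Sid": "StartStopOnlyOwnDepartmentInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
      }
    }
  ]
}
```

The same permission set can be assigned to every account in the organization; a user gains or loses the ability to start and stop a given instance when their `Department` attribute changes in Active Directory and is pushed by SCIM, with no policy edit in AWS. `ec2:DescribeInstances` is kept in its own unconditional statement because it does not support resource-level permissions, so a `ResourceTag` condition on it would silently deny the call. When reviewing such a policy, check that the attribute used in `aws:PrincipalTag` is actually in the identity source's attribute mapping; an unmapped attribute makes the condition never match, which fails closed but is easy to mistake for a broken trust.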