Q56 — AWS SAP-C02 Ch.1
Question 56 of 75

Q131. A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts. The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location. Which solution will meet these requirements?
- A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs) ✓
- B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity Center permission sets
- C. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users
- D. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles

Correct Answer: A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs)
Explanation
A: Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. AWS SSO provides a user portal for easy access to AWS accounts and applications. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol, which enables automatic synchronization of user identities between AWS SSO and Active Directory. Grant access to the AWS accounts by using attribute-based access controls (ABAC), which allows access to be granted based on attributes such as user groups and roles.

Option B involves using IAM Identity Center, which is designed to work with external identity providers using SAML or OIDC. This option may require additional configuration and management overhead.

Option C involves configuring IAM in one account and using cross-account IAM users to grant access to other accounts. This option does not meet the requirement of managing user identities in a single location.

Option D involves configuring IAM in one account and using cross-account IAM roles to grant access to other accounts. This option also does not meet the requirement of managing user identities in a single location.

Therefore, option A provides a simple and effective solution that leverages AWS SSO to connect to Active Directory and enable conditional access to AWS accounts based on user groups and roles, while minimizing operational overhead. A is correct as per the link https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html. D is correct only if the on-premises Active Directory is Microsoft AD, since you need to use AWS Directory Service to connect to MS AD through AWS SSO.