AWS Certified Security - Specialty



A company operates multiple workloads on AWS, where employees authenticate using on-premises ADFS and SSO for access to the AWS Management Console. Recently, a legacy web application was migrated to an Amazon EC2 instance. This application lacks an integrated authentication system, yet employees must securely access it from anywhere on the internet. What is the most appropriate method for a security engineer to ensure that only authenticated employees can access this application without modifying its existing code?




Explanation:

The most suitable solution is to place the application behind an Application Load Balancer (ALB) and use Amazon Cognito for authentication. By defining a SAML-based Amazon Cognito user pool and connecting it to the on-premises ADFS, employees can authenticate securely without any changes to the legacy application's code. This approach uses AWS managed services to handle authentication and integrates with the existing ADFS setup. Options B, C, and D either do not integrate directly with ADFS while leaving the legacy application's code unchanged, or involve more complex and less suitable methods for this scenario.
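As an added illustration (not part of the original question or its answer key), the CloudFormation fragment below sketches how the pieces named in the explanation fit together: a SAML identity provider on the user pool pointing at ADFS, an app client for the ALB, and an HTTPS listener that authenticates before forwarding. Every parameter value, and the provider name `ADFS`, is a placeholder assumption.

```yaml
Parameters:  # added example; every value here is a placeholder supplied at deploy time
  UserPoolId: {Type: String}
  UserPoolArn: {Type: String}
  UserPoolDomain: {Type: String}        # Cognito hosted-UI domain prefix
  AdfsMetadataUrl: {Type: String}       # ADFS federation metadata XML URL
  AppHostname: {Type: String}           # DNS name that resolves to the ALB
  LoadBalancerArn: {Type: String}
  CertificateArn: {Type: String}
  LegacyAppTargetGroupArn: {Type: String}
Resources:
  AdfsProvider:                         # federates the user pool to on-premises ADFS
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref UserPoolId
      ProviderName: ADFS
      ProviderType: SAML
      ProviderDetails:
        MetadataURL: !Ref AdfsMetadataUrl
  AlbClient:                            # app client the ALB uses; ALB requires a client secret
    Type: AWS::Cognito::UserPoolClient
    DependsOn: AdfsProvider
    Properties:
      UserPoolId: !Ref UserPoolId
      GenerateSecret: true
      SupportedIdentityProviders: [ADFS]
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]
      AllowedOAuthScopes: [openid]
      CallbackURLs:
        - !Sub https://${AppHostname}/oauth2/idpresponse
  HttpsListener:                        # authentication actions require an HTTPS listener
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: authenticate-cognito    # runs first; unauthenticated users go to ADFS sign-in
          Order: 1
          AuthenticateCognitoConfig:
            UserPoolArn: !Ref UserPoolArn
            UserPoolClientId: !Ref AlbClient
            UserPoolDomain: !Ref UserPoolDomain
            OnUnauthenticatedRequest: authenticate
        - Type: forward                 # only reached with a valid ALB session
          Order: 2
          TargetGroupArn: !Ref LegacyAppTargetGroupArn
```

The listener only protects traffic that passes through it, so the EC2 instance's security group should accept inbound connections solely from the ALB's security group.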
