
A company wants to provide users with access to AWS resources. The company has 1,500 users and manages their access to on-premises resources through Active Directory user groups on the corporate network. However, the company does not want users to have to maintain another identity to access the resources. A solutions architect must manage user access to the AWS resources while preserving access to the on-premises resources.
What should the solutions architect do to meet these requirements?
A. Create an IAM user for each user in the company. Attach the appropriate policies to each user.
B. Use Amazon Cognito with an Active Directory user pool. Create roles with the appropriate policies attached.
C. Define cross-account roles with the appropriate policies attached. Map the roles to the Active Directory groups.
D. Configure Security Assertion Markup Language (SAML) 2.0-based federation. Create roles with the appropriate policies attached. Map the roles to the Active Directory groups.
Explanation:
Correct Answer: D - Configure Security Assertion Markup Language (SAML) 2.0-based federation. Create roles with the appropriate policies attached. Map the roles to the Active Directory groups.
A. Create an IAM user for each user - This would require users to maintain separate AWS identities, which violates the requirement that users should not have to maintain another identity.
B. Use Amazon Cognito with an Active Directory user pool - Amazon Cognito is designed for web and mobile applications, not for federating enterprise Active Directory users to the AWS Management Console or CLI. It is better suited to customer identity and access management.
C. Define cross-account roles - Cross-account roles are for accessing resources across different AWS accounts, not for federating with on-premises Active Directory. This doesn't address the identity federation requirement.
SAML 2.0-based federation (option D) provides a secure, scalable, and user-friendly approach that meets all the requirements while leveraging the existing identity infrastructure.