A corporate web application is deployed within an Amazon VPC and is connected to the
corporate data center via an IPsec VPN. The application must authenticate against the
on-premises LDAP server. Once authenticated, logged-in users can only access an S3
key space specific to that user. Which two approaches can satisfy the objectives?
(Choose 2 answers)
A. The application authenticates against LDAP, and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM Role. The application can use the temporary credentials to access the appropriate S3 bucket.
B. Develop an identity broker which authenticates against IAM Security Token Service to assume an IAM Role to get temporary AWS security credentials. The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
C. The application authenticates against IAM Security Token Service using the LDAP credentials. The application uses those temporary AWS security credentials to access the appropriate S3 bucket.
D. The application authenticates against LDAP. The application then calls the IAM Security Service to login to IAM using the LDAP credentials. The application can use the IAM temporary credentials to access the appropriate S3 bucket.
E. Develop an identity broker which authenticates against LDAP, and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
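To make the difference between the options concrete, here is an added identity-broker sketch of the pattern behind A and E. It is illustration written for this page, not code from the question, from the comments or from AWS. The order of operations is the security-relevant part: the broker binds to LDAP first, the LDAP password is never sent to AWS, and only after a successful bind does it call STS, handing it a session policy that pins the resulting credentials to the user's own prefix in the bucket. The LDAP bind and the STS client are passed in as callables so the code runs offline; in production you would pass your LDAP library's bind function and `boto3.client("sts").assume_role` (or `.get_federation_token` for the federated-user variant in E). The bucket name, role ARN, user names and passwords are constructed for the example.

```python
"""Identity broker for the LDAP -> STS -> per-user S3 prefix pattern.

Added illustration of approaches A and E; not code from the question or AWS.
The LDAP bind and the STS call are injected so the example runs offline.
Bucket name, role ARN, user names and passwords below are made up.
"""
import json
import re

# Only user names safe to embed in an IAM ARN / condition value and valid as an
# STS RoleSessionName ([\w+=,.@-], 2-64 chars). Rejecting anything else stops a
# name such as "*" or "alice/../bob" from widening the key space the policy grants.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{2,64}$")


def is_safe_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None


def build_session_policy(bucket: str, username: str) -> dict:
    """Scoped-down policy confining a session to s3://<bucket>/<username>/...

    Passed as the Policy argument of AssumeRole (A) or GetFederationToken (E).
    A session policy can only narrow what the role or federating user already
    has, never widen it, so the role itself carries the bucket-wide grant.
    """
    if not is_safe_username(username):
        raise ValueError(f"unsafe user name: {username!r}")
    prefix = f"{username}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ListBucket is bucket-level, so the prefix is enforced as a condition
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, prefix + "*"]}},
            },
            {   # object operations are keyed by ARN, so the prefix sits in the resource
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def broker_credentials(username, password, ldap_bind, sts_assume_role,
                       role_arn, bucket, duration_seconds=900) -> dict:
    """Authenticate against LDAP first; only then ask STS for credentials.

    The LDAP password never leaves this function and is never sent to AWS:
    STS only sees the role ARN, a session name and the session policy.
    """
    if not is_safe_username(username):
        raise PermissionError("unsafe user name")
    if not ldap_bind(username, password):
        raise PermissionError("LDAP authentication failed")
    resp = sts_assume_role(
        RoleArn=role_arn,
        RoleSessionName=username,   # recorded in CloudTrail for attribution
        Policy=json.dumps(build_session_policy(bucket, username)),
        DurationSeconds=duration_seconds,
    )
    return resp["Credentials"]


# ---- constructed stand-ins so the example runs without a directory or AWS ----
ROLE_ARN = "arn:aws:iam::123456789012:role/S3PerUserAccess"   # made up
BUCKET = "corp-app-user-data"                                   # made up
_FAKE_DIRECTORY = {"alice": "s3cret", "bob": "hunter2"}         # made up


def fake_ldap_bind(username: str, password: str) -> bool:
    """Stand-in for a simple bind against the on-premises LDAP server."""
    return _FAKE_DIRECTORY.get(username) == password


class FakeSts:
    """Records the AssumeRole call and returns canned temporary credentials."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "example",
                                "SessionToken": "example-token"}}


def demo() -> dict:
    """Run the happy path and a failed bind; return what each produced."""
    sts = FakeSts()
    creds = broker_credentials("alice", "s3cret", fake_ldap_bind,
                               sts.assume_role, ROLE_ARN, BUCKET)
    try:
        broker_credentials("alice", "wrong", fake_ldap_bind,
                           sts.assume_role, ROLE_ARN, BUCKET)
        rejected = False
    except PermissionError:
        rejected = True
    return {"creds": creds, "assume_role_call": sts.calls[0],
            "sts_calls": len(sts.calls), "bad_password_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes on the design. The 900-second duration is the minimum STS accepts for AssumeRole; short-lived credentials limit the damage if the application leaks them. And the user-name check matters more than it looks: the LDAP name is interpolated straight into a policy ARN and condition value, so without the allow-list regex a directory entry named `*` would get the whole bucket. For the federated-user variant in E the call becomes `get_federation_token(Name=username, Policy=..., DurationSeconds=...)`, which must be made with long-term IAM user credentials held by the broker rather than an instance role.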
A, E
A and E.
The ACloud Guru site has comments that disagree but read the AWS doc:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring
This contains an exact diagram and explanation of the proposed setup.
A, E
Greg says it's right.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring
Ans: A, E
The sequence of events never talks to IAM Security Token Service first, so B & C can't be right,
and we never log in to IAM using the LDAP credentials, so D is wrong too.