Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise
LDAP (Lightweight Directory Access Protocol) directory service?
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
Explanation:
https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-andshibboleth.pdf
I think C is the correct answer here.
Refer to
http://jayendrapatil.com/tag/iam-role/
http://jayendrapatil.com/aws-iam-overview/
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/ & https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/
C
‘B’ is correct as, unlike ‘C’, it is not asking for any identity broker in between.
https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
Correct answer is B. SAML is used to integrate IAM and LDAP.
C
B.
If you get a question about Active Directory or LDAP and authentication to AWS the answer should contain SAML.
C
http://www.aiotestking.com/amazon/which-technique-can-be-used-to-integrate-aws-iam-identity-and-access-management-with-an-on-premise-ldap-lightweight-directory-access-protocol-directory-service/
Looking at the documentation, SAML is definitely the answer because STS is at the root. VMware also uses SAML, and STS is just the service that allows SAML integration.
AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRoleWithSAML
Ok, this is a tricky question. You can use both B and C to authenticate an on-prem LDAP user to AWS. (see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html ) See the section named “Federating users by creating a custom identity broker application”.
If I had to choose, I’d choose B because it is the more standard method of federating on-prem users.
c
Active Directory - SAML
LDAP - STS
C
Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
I choose B, because option C says following:
‘Use AWS Security Token Service “FROM AN” identity broker to issue short-lived AWS credentials.’
It seems that it is saying that the STS is on the Identity Broker, but the STS is on the AWS side and the Identity Broker is on the customer side (between AD and STS).
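The two comments above that discuss option C (the "custom identity broker" scenario linked earlier, and the placement of the broker between the directory and STS) describe a flow that is easier to reason about in code. The following is an added example written for this page, not code from the thread or from AWS: a minimal broker that authenticates a user against the on-premises directory, maps the user's LDAP group to exactly one IAM role, and asks STS for short-lived credentials. The LDAP lookup and the STS client are constructed stand-ins so the flow runs offline; a real broker would bind to the directory with an LDAP library and call boto3's `sts.assume_role()`, whose `RoleArn`, `RoleSessionName` and `DurationSeconds` parameters are the ones mirrored here. Account IDs, role names, group DNs and credential values are placeholders.

```python
"""Identity-broker pattern for federating on-premises LDAP users into AWS.

Added example, not part of the original thread. The LDAP directory and the
STS client are constructed stand-ins so the flow runs offline. Role ARNs,
group DNs and credential values are placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least-privilege mapping: an LDAP group entitles a user to exactly one IAM role.
# Groups not listed here get nothing; the broker denies by default.
GROUP_TO_ROLE = {
    "cn=aws-readonly,ou=groups,dc=example,dc=com":
        "arn:aws:iam::123456789012:role/OnPremReadOnly",   # placeholder account id
    "cn=aws-developers,ou=groups,dc=example,dc=com":
        "arn:aws:iam::123456789012:role/OnPremDeveloper",
}

# Short-lived sessions: AssumeRole accepts 900 s up to the role's maximum
# session duration. The broker never hands out long-lived IAM access keys.
SESSION_SECONDS = 900

# STS RoleSessionName must match [\w+=,.@-] and be 2..64 characters long,
# so the broker sanitises whatever identifier it derives from the directory.
_SESSION_NAME_RE = re.compile(r"[^\w+=,.@-]")


def session_name_for(identifier: str) -> str:
    """Turn a directory identifier into a valid STS RoleSessionName."""
    name = _SESSION_NAME_RE.sub("_", identifier)[:64]
    return name if len(name) >= 2 else "federated_user"


@dataclass
class LdapDirectory:
    """Constructed stand-in for an LDAP simple bind plus group lookup."""
    passwords: dict  # uid -> password (constructed sample data)
    groups: dict     # uid -> list of group DNs the user belongs to

    def authenticate(self, uid: str, password: str) -> bool:
        # A real broker would attempt an LDAP bind as the user's DN here.
        return self.passwords.get(uid) == password

    def groups_of(self, uid: str) -> list:
        return self.groups.get(uid, [])


class FakeSts:
    """Constructed stand-in for boto3's STS client; records AssumeRole requests."""

    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls.append({"RoleArn": RoleArn, "RoleSessionName": RoleSessionName,
                           "DurationSeconds": DurationSeconds})
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",              # placeholder values
            "SecretAccessKey": "secret-placeholder",
            "SessionToken": "token-placeholder",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }}


def broker_login(directory, sts, uid, password, requested_group):
    """Authenticate against LDAP, map group to role, return temporary credentials.

    Returns None on any failure: bad password, user not in the requested group,
    or group not entitled to an AWS role. Only STS output ever reaches the user.
    """
    if not directory.authenticate(uid, password):
        return None
    if requested_group not in directory.groups_of(uid):
        return None
    role_arn = GROUP_TO_ROLE.get(requested_group)
    if role_arn is None:
        return None
    resp = sts.assume_role(RoleArn=role_arn,
                           RoleSessionName=session_name_for(uid),
                           DurationSeconds=SESSION_SECONDS)
    return resp["Credentials"]


# Constructed sample directory with one user in the read-only group.
DIRECTORY = LdapDirectory(
    passwords={"alice": "correct-horse"},
    groups={"alice": ["cn=aws-readonly,ou=groups,dc=example,dc=com"]},
)

if __name__ == "__main__":
    sts = FakeSts()
    creds = broker_login(DIRECTORY, sts, "alice", "correct-horse",
                         "cn=aws-readonly,ou=groups,dc=example,dc=com")
    print("assumed:", sts.calls[0]["RoleArn"], "for", sts.calls[0]["DurationSeconds"], "s")
    print("expires:", creds["Expiration"].isoformat())
```

The point the thread circles around is visible in `broker_login`: the directory (LDAP) and the broker sit on the customer side, STS sits on the AWS side, and the only thing that crosses between them is an AssumeRole call for a role the broker has already decided the user is entitled to. The SAML variant (option B) replaces the custom broker with a SAML IdP and `AssumeRoleWithSAML`, but the role mapping and the short session lifetime are the same controls.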