
Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring
more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of
their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates single sign-on
from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a
bucket? (Choose 3 Answers)

A.
Setting up a federation proxy or identity provider

B.
Using AWS Security Token Service to generate temporary tokens

C.
Tagging each folder in the bucket

D.
Configuring IAM role

E.
Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in
the bucket


Srinivasu Muchcherla

ABD … not Sure on IAM Role …

Krish

C definitely does not solve any problem. Not sure why it is selected.

E. “Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in
the bucket”. Does not make sense for several users. Not a scalable solution.

This leaves us with A, B, D

vladam

See this page for more details:
Grant Access to User-Specific Folders in an Amazon S3 Bucket:
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

In the comments there is clarification about federated access:

A question came up about whether you can use this technique for federated users instead of for IAM users, as the examples show. Yes you can, but not exactly the same way. Federated users do not have an entity inside of IAM. Therefore, the aws:username variable is not available when using federated users. However, when you work with federated users (using the AWS STS GetFederationToken or AssumeRole APIs), you’re using a proxy server to request temporary security credentials on behalf of the federated user. When you request temporary security credentials you have the option of passing a policy as part of the API request. Therefore, before you call GetFederationToken or AssumeRole, you can create a policy and replace the federated user’s name where the aws:username variable is used. We have a downloadable federation proxy sample application that shows how to create custom policies that include the federated user’s name here:
https://aws.amazon.com/code/1288653099190193
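The quoted clarification is the crux of answers A, B and D working together: the federation proxy (A) maps the AD/LDAP user to a role (D) and asks STS (B) for temporary credentials, passing a session policy in which the directory user name has been substituted where the blog's IAM-user policy uses ${aws:username}. The following is an added example of that substitution step, written here for illustration and not code from the AWS blog post, the linked sample application or this page. The bucket name corp-docs, the home/ prefix, the role ARN and the user name jane.doe are assumed values; the username character whitelist is an assumed convention chosen so that IAM wildcards (* and ?) and path separators cannot widen the folder scope.

```python
import json
import re

# Added example (not from the AWS blog post or the original page): build the
# per-user session policy that a federation proxy passes to STS AssumeRole.
# Federated users have no IAM entity, so ${aws:username} is unavailable; the
# proxy splices the directory user name into the policy itself.

# Assumed convention: only characters that are inert inside an S3 ARN/prefix.
# '*' and '?' are IAM wildcards and '/' would escape the user's folder, so
# such names are rejected rather than escaped.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
# STS RoleSessionName must match [\w+=,.@-]* and be 2-64 characters long.
_SAFE_SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def is_safe_username(username: str) -> bool:
    """True if the directory user name can be templated into an S3 prefix."""
    return bool(_SAFE_USERNAME.match(username))


def build_user_folder_policy(bucket: str, username: str, prefix: str = "home") -> dict:
    """Scoped-down policy for one federated user, mirroring the blog's
    per-user policy with the user name substituted for ${aws:username}."""
    if not is_safe_username(username):
        raise ValueError(f"refusing to template unsafe username: {username!r}")
    folder = f"{prefix}/{username}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Let the user list the bucket root and the home/ level
                # (needed for consoles/clients that browse down to the folder).
                "Sid": "AllowRootAndHomeListing",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringEquals": {
                    "s3:prefix": ["", f"{prefix}/", f"{folder}/"],
                    "s3:delimiter": ["/"],
                }},
            },
            {   # List anything beneath the user's own folder.
                "Sid": "AllowListingOfUserFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*"]}},
            },
            {   # Object-level access is confined to the user's folder only.
                "Sid": "AllowAllObjectActionsInUserFolder",
                "Effect": "Allow",
                "Action": ["s3:*"],
                "Resource": [f"arn:aws:s3:::{bucket}/{folder}/*"],
            },
        ],
    }


def policy_json(bucket: str, username: str, prefix: str = "home") -> str:
    """Compact JSON form suitable for the STS Policy parameter."""
    doc = json.dumps(build_user_folder_policy(bucket, username, prefix),
                     separators=(",", ":"))
    # STS rejects session policies whose plaintext exceeds 2,048 characters.
    if len(doc) > 2048:
        raise ValueError("session policy too large for STS")
    return doc


def assume_role_for_user(role_arn: str, bucket: str, username: str,
                         duration_seconds: int = 3600) -> dict:
    """Call STS AssumeRole with the per-user session policy.
    Requires boto3 and the proxy's own AWS credentials; not run offline."""
    import boto3  # imported here so the module loads without boto3 installed
    if not _SAFE_SESSION_NAME.match(username):
        raise ValueError(f"invalid RoleSessionName: {username!r}")
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=username,          # recorded in CloudTrail per user
        Policy=policy_json(bucket, username),
        DurationSeconds=duration_seconds,
    )
    # AccessKeyId / SecretAccessKey / SessionToken / Expiration for the client
    return resp["Credentials"]


if __name__ == "__main__":
    print(policy_json("corp-docs", "jane.doe"))
```

Two caveats a practitioner should check: the session policy can only narrow, never widen, the permissions of the role being assumed, so the role's own permissions policy must already grant S3 access to the bucket (the effective permissions are the intersection of the two); and the proxy, not the end user, must be the one that constructs and passes the policy, since whoever controls that parameter controls the folder boundary.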

lyannabear

Answer is ABD

Most of the answers at the top are wrong. I’ve gone through the trouble of correcting all 400 of them for my own study purposes. If you would like a digital copy of this dump please send $40 to paypal.me/lyannabear