Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring
more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of
their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates single sign-on
from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a
bucket? (Choose 3 Answers)
A.
Setting up a federation proxy or identity provider
B.
Using AWS Security Token Service to generate temporary tokens
C.
Tagging each folder in the bucket
D.
Configuring IAM role
E.
Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in
the bucket
abd
ABD –
ABD
ABD
A.B.D.
ABD … not Sure on IAM Role …
C definitely does not solve any problem. Not sure why it is selected.
E. “Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in
the bucket”. Does not make sense for several users. Not a scalable solution.
This leaves us with A, B, D
See this page for more details:
Grant Access to User-Specific Folders in an Amazon S3 Bucket:
https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
In the comments there is clarification about federated access:
A question came up about whether you can use this technique for federated users instead of for IAM users, as the examples show. Yes you can, but not exactly the same way. Federated users do not have an entity inside of IAM. Therefore, the aws:username variable is not available when using federated users. However, when you work with federated users (using the AWS STS GetFederationToken or AssumeRole APIs), you’re using a proxy server to request temporary security credentials on behalf of the federated user. When you request temporary security credentials you have the option of passing a policy as part of the API request. Therefore, before you call GetFederationToken or AssumeRole, you can create a policy and replace the federated user’s name where the aws:username variable is used. We have a downloadable federation proxy sample application that shows how to create custom policies that include the federated user’s name here:
https://aws.amazon.com/code/1288653099190193
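The technique the quoted comment describes, as an added example rather than code from the AWS post or from anyone in this thread: the federation proxy substitutes the federated user's name where the blog post used `${aws:username}`, then passes the scoped-down policy to `GetFederationToken`. It assumes a `home/<user>/` folder layout in the bucket, and that the proxy runs with boto3 under an IAM user permitted to call `sts:GetFederationToken` and to access the bucket (the effective permissions are the intersection of the passed policy and that caller's own permissions).

```python
import json
import re

# STS GetFederationToken accepts Name values of 2-32 characters from this set.
# Enforcing it also rejects "/", "*" and "?", so the name cannot escape the folder.
_NAME_RE = re.compile(r"[\w+=,.@-]{2,32}")


def valid_federation_name(name: str) -> bool:
    """True if the name is safe to embed in the policy and accepted by STS."""
    return bool(_NAME_RE.fullmatch(name))


def build_user_folder_policy(bucket: str, federated_user: str) -> dict:
    """Policy confining one federated user to home/<user>/ in the bucket.

    Federated users have no IAM entity, so ${aws:username} is unavailable;
    the proxy (never the end user) fills the name in before calling STS.
    """
    if not valid_federation_name(federated_user):
        raise ValueError(f"unsafe federated user name: {federated_user!r}")
    home = f"home/{federated_user}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is limited to the bucket root, home/, and the user's folder
                "Sid": "AllowListingOfUserFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": ["", "home/", home + "*"]}},
            },
            {   # Object actions only on keys under the user's own prefix
                "Sid": "AllowAllS3ActionsInUserFolder",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{home}*"],
            },
        ],
    }


def request_federated_credentials(bucket: str, federated_user: str, duration: int = 3600) -> dict:
    """Proxy-side call returning temporary credentials scoped to the user's folder."""
    import boto3  # imported here so the policy builder stays usable offline
    sts = boto3.client("sts")
    resp = sts.get_federation_token(
        Name=federated_user,
        Policy=json.dumps(build_user_folder_policy(bucket, federated_user)),
        DurationSeconds=duration,
    )
    return resp["Credentials"]
```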
ABD
Answer is ABD
Most of the answers at the top are wrong. I’ve gone through the trouble of correcting all 400 of them for my own study purposes. If you would like a digital copy of this dump please send $40 to paypal.me/lyannabear