Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise
LDAP (Lightweight Directory Access Protocol) directory service?
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
B.
https://d0.awsstatic.com/whitepapers/aws-whitepaper-single-sign-on-integrating-aws-open-ldap-and-shibboleth.pdf
B
C
B
B
I believe it is C
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
People who chose B, can you explain why?
A SAML assertion should be generated by an identity provider and then passed to AWS Security Token Service by the client. As I see it, answer B, “Use SAML to enable SSO”, is very imprecise.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
It is SAML
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
It should be C, as the link you gave still needs AD Connector, which the answer does not mention. There should be an Identity Provider like Shibboleth, as in the link https://aws.amazon.com/blogs/security/how-to-use-shibboleth-for-single-sign-on-to-the-aws-management-console/, or a custom identity broker.
Yes, it should be C (Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials).
The identity broker will use the LDAP directory to authenticate the user and create a token;
the user will use the token to access AWS (the token maps to an IAM policy).
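The broker flow described in the comment above, as an added example that is not from the original thread or from AWS: the broker (the only component holding long-lived AWS credentials) validates the user against LDAP, maps an LDAP group to an IAM role, and only then calls STS AssumeRole for short-lived credentials. The directory contents, the group-to-role mapping, the account id and the in-memory STS stand-in are all constructed here so the block runs offline; `FakeSts.assume_role` mirrors the keyword arguments of boto3's real `sts.assume_role`, which the broker would call in production.

```python
"""Identity-broker pattern: LDAP authenticates, the broker talks to STS."""
import hmac
import time

# Constructed sample directory: user -> (password, list of group DNs).
LDAP_USERS = {
    "alice": ("s3cret", ["cn=devs,ou=groups,dc=example,dc=com"]),
    "bob": ("hunter2", ["cn=guests,ou=groups,dc=example,dc=com"]),
}
# Constructed mapping from LDAP group to IAM role; 123456789012 is a placeholder account.
GROUP_TO_ROLE = {
    "cn=devs,ou=groups,dc=example,dc=com": "arn:aws:iam::123456789012:role/BrokerDevRole",
}

def ldap_bind(user, password):
    """Simulated LDAP simple bind: returns the user's group DNs, or None on failure."""
    entry = LDAP_USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return entry[1]

class FakeSts:
    """Offline stand-in for boto3's STS client; records each AssumeRole request."""
    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        # Constructed placeholder credentials shaped like a real AssumeRole response.
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "placeholder",
            "SessionToken": "placeholder", "Expiration": time.time() + kwargs["DurationSeconds"]}}

def broker_login(user, password, sts, bind=ldap_bind, duration=3600):
    """Authenticate via LDAP, map a group to a role, return temporary AWS credentials.

    Returns None when the bind fails or when no LDAP group maps to an IAM role, so the
    user never receives AWS credentials of any kind in those cases."""
    groups = bind(user, password)
    if groups is None:
        return None  # bad password or unknown user
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        return None  # authenticated, but not entitled to any AWS role
    resp = sts.assume_role(RoleArn=roles[0], RoleSessionName=f"ldap-{user}",
                           DurationSeconds=duration)
    return resp["Credentials"]  # short-lived keys; the broker's own keys stay server-side
```

The `RoleSessionName` carries the LDAP user name into CloudTrail, which is what lets defenders tie each temporary credential back to a directory account.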
I will go for B
The problem with C: the AWS Security Token Service is NOT from the identity broker.
Correct answer is C.
Refer to the link below:
https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
This test is really similar to other cert tests. It is more about “Can you decipher our ambiguous wording” vs whether or not you are actually knowledgeable on the subject.
C – https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/
C – see AWS identity federation.
Answer is C