A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in
using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to
temporary access should you use for the Amazon S3 operations?
A. SAML-based Identity Federation
B. Cross-Account Access
C. AWS Identity and Access Management roles
D. Web Identity Federation
D
Agreed on D with Nitin
Background: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
D – only option that can be correct
Correct answer is C
guys, pls IGNORE all answers given by networkmanagers -this loser is deliberately posting wrong answers.
Fuck you
@networkmanagers F**K U
D is correct. AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.
Exactly, you can refer to http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
Agree with C, as long as the question is asking what to use to access S3, the resource. The application is already using an OpenID Connect-compatible identity provider, and that is mentioned clearly in the question; however, the question meant the next step, which is "what to use to access the S3 bucket".
Identity federation provides access to AWS resources to users by means of a third-party identity provider (IdP). To set up identity federation, you configure the provider and then create an IAM role that determines what permissions a federated user will have.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html
The question is "Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?"
So it should be: D
Web Identity Federation
D
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
Answer is D
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
D
Web identity federation – You can let users sign in using a well-known third party identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider.
AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.
Answer is D, I do this myself.
If you read the question carefully, it can be rephrased as "how does a federated-ID authenticated user access S3 objects?"
C is the answer
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html
I think it can be done with AssumeRoleWithWebIdentity
Looks like D is correct.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
"Common Scenarios for Temporary Credentials" – AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.
Question: "... allows application sign-in using an OpenID Connect-compatible identity provider".
D
I agree with Charles:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html
D
D
After going through all the comments and reading the question once again, it is surely C: the authentication is already in place, and the question is about the access to S3 using STS.
D: correct
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
With web identity federation, you don’t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account.
Answer is D:
C: assigns permanent access but D gives temporary access.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
Web identity federation – You can let users sign in using a well-known third party identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider. You can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access. When you use web identity federation for your mobile or web application, you don’t need to create custom sign-in code or manage your own user identities. Using web identity federation helps you keep your AWS account secure, because you don’t have to distribute long-term security credentials, such as IAM user access keys, with your application. For more information, see About Web Identity Federation.
AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.
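To make the exchange described in the quoted documentation concrete (OIDC token in, temporary credentials mapped to an IAM role out, then S3 with those credentials), here is an added example that is not part of the original thread or of any AWS documentation. It uses only the Python standard library so it runs offline: it builds the role's trust policy with the `aud` condition, builds an S3 permissions policy that scopes each signed-in user to their own prefix via the `${provider:sub}` policy variable, decodes a constructed id_token, and evaluates the trust policy the way STS would before issuing credentials. The account id, provider host `idp.example.com`, client id `photo-app`, role name and bucket name are constructed placeholders; the one real network call (`boto3` `assume_role_with_web_identity`) is kept in a separate function and is not exercised by the offline checks.

```python
import base64
import json
import time

# Constructed placeholders for the illustration (not real identifiers)
ACCOUNT_ID = "123456789012"
OIDC_PROVIDER = "idp.example.com"   # hypothetical OIDC-compatible IdP host
APP_CLIENT_ID = "photo-app"         # aud claim the IdP puts in tokens for this app
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PhotoAppWebIdentity"
BUCKET = "example-photo-bucket"


def trust_policy(account_id=ACCOUNT_ID, provider=OIDC_PROVIDER, client_id=APP_CLIENT_ID):
    """Trust policy of the IAM role a federated user assumes (option D).

    Only the OIDC provider registered in IAM may call sts:AssumeRoleWithWebIdentity,
    and only with tokens whose aud claim is this app's client id, so tokens the
    same IdP minted for a different app cannot be exchanged for this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
        }],
    }


def permissions_policy(bucket=BUCKET, provider=OIDC_PROVIDER):
    """Permissions policy attached to the role: each signed-in user may only list,
    read and write objects under a prefix equal to their own subject id. STS fills
    the ${provider:sub} variable from the verified token, so users cannot reach
    each other's photos even though they all assume the same role."""
    sub_var = "${" + provider + ":sub}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [sub_var + "/*"]}}},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{sub_var}/*"},
        ],
    }


def make_test_token(claims):
    """Constructed, unsigned id_token (header.payload.) for the offline checks only.
    A real IdP signs the token; STS rejects unsigned ones, which is why the client
    never needs to trust the claims itself."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def decode_jwt_claims(id_token):
    """Decode the payload WITHOUT verifying the signature: enough for the app to
    inspect aud/exp before calling STS. STS verifies the signature against the
    IdP's published keys and the provider registered in IAM."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def would_sts_allow(policy, claims, provider=OIDC_PROVIDER, now=None):
    """Offline model of the trust-policy decision STS makes for
    AssumeRoleWithWebIdentity: issuer matches the federated principal, token is
    unexpired, and every StringEquals condition on <provider>:aud / :sub holds."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    issuer = claims.get("iss", "").replace("https://", "", 1)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if not stmt["Principal"]["Federated"].endswith(f":oidc-provider/{provider}"):
            continue
        if issuer != provider:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        ok = True
        for key, value in conds.items():
            claim = claims.get(key.split(":", 1)[1])
            ok = ok and (value in claim if isinstance(claim, list) else claim == value)
        if ok:
            return True
    return False


def exchange_token_for_s3_client(id_token, role_arn=ROLE_ARN, session_name="photo-app-user"):
    """The real exchange: one STS call (no AWS credentials needed to make it) that
    returns short-lived AccessKeyId/SecretAccessKey/SessionToken scoped by the
    role's permissions policy. Needs boto3 and network, so not run offline."""
    import boto3  # imported lazily so the rest of the example runs without it
    creds = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=id_token, DurationSeconds=3600)["Credentials"]
    return boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    claims = {"iss": "https://idp.example.com", "sub": "user-42",
              "aud": APP_CLIENT_ID, "exp": int(time.time()) + 300}
    token = make_test_token(claims)
    print("allowed:", would_sts_allow(trust_policy(), decode_jwt_claims(token)))
    print(json.dumps(permissions_policy(), indent=2))
```

The two policies are the whole point of option D over option C: the IAM role exists in both, but with web identity federation nobody ships long-term keys in the app; the role is reached only through a token the IdP signed for this app's `aud`, and the `${provider:sub}` variable turns one shared role into per-user S3 access.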