Allow On-Premise Active Directory Users to Use Amazon Athena for Querying | BDS-C00 Exam Preparation

Authentication Options for On-Premise Active Directory Users in Amazon Athena

Question

A company is planning on using Amazon Athena along with datasets hosted in S3

They want to allow their On-premise Active Directory users to use the AWS Athena service for querying purposes.

Which of the following can be used for authentication for the existing users ensuring the least maintenance overhead?

Answers

Explanations


A. Create IAM Access Keys for the users
B. Create X.509 Certificates for the users
C. Use the Security Token Service
D. Use the AD Connect service

Answer - C.

An example of this is given in the AWS Documentation.

########

Connect to Amazon Athena with federated identities using temporary credentials.

Many organizations have standardized on centralized user management, most commonly Microsoft Active Directory or LDAP. Access to AWS resources is no exception. Amazon Athena is a serverless query engine for data on Amazon S3 that is popular for quick and cost-effective queries of data in a data lake. To allow users or applications to access Athena, organizations are required to use an AWS access key and an access secret key from which appropriate policies are enforced.

To maintain a consistent authorization model across, organizations must enable authentication and authorization for Athena by using federated users.

This blog post shows the process of enabling federated user access with the AWS Security Token Service (AWS STS).

This approach lets you create temporary security credentials and provides them to trusted users for running queries in Athena.

########

The AWS documentation cited below describes exactly this pattern for Athena: the on-premise directory authenticates the user, and AWS STS issues short-lived credentials for the Athena role, so no per-user credentials have to be created, distributed or rotated in AWS. That is why option C is the answer; the other options either create long-lived per-user credentials in AWS or do not provide authentication for Athena at all.

For more information on using STS with Amazon Athena, please refer to the below URL.

https://aws.amazon.com/blogs/big-data/connect-to-amazon-athena-with-federated-identities-using-temporary-credentials/
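The exchange the blog post describes, worked through in code as an added example (this is not code from the AWS blog post or from any AWS SDK sample). It assumes AD FS as the SAML identity provider in front of Active Directory, a `SAMLResponse` captured from the AD FS sign-in form POST, and `boto3` installed for the real STS and Athena calls. The AWS `Role` attribute name is the real one AWS expects in SAML assertions; the account ID `123456789012`, the role and provider names and the embedded SAML response are constructed placeholders, and the sample response is unsigned, so it is only good for exercising the parsing logic offline. The Athena JDBC driver ships an AD FS credentials provider that performs the same role selection and STS exchange internally.

```python
"""Federated Athena access (added example): pick an IAM role out of a SAML
assertion, trade it for temporary credentials with STS AssumeRoleWithSAML,
then run an Athena query with those credentials."""
import base64
import time
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed, unsigned stand-in for the SAMLResponse AD FS posts to AWS.
# Account ID, role and provider names are placeholders, not real identifiers.
_SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML_NS}"><saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="{ROLE_ATTRIBUTE}">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/ADFS-AthenaAnalyst,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
    <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-AthenaAdmin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
    <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()


def parse_saml_roles(saml_response_b64):
    """Return [(role_arn, provider_arn), ...] from the AWS Role attribute.
    Only the structure is checked here; STS validates the XML signature when
    the assertion is presented, so never authorize on these values client-side."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != ROLE_ATTRIBUTE:
            continue
        for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            if len(parts) != 2:
                raise ValueError(f"malformed Role value: {value.text!r}")
            # AD FS claim rules may emit the pair in either order; normalise it.
            role_arn, provider_arn = sorted(parts, key=lambda a: ":saml-provider/" in a)
            if ":role/" not in role_arn or ":saml-provider/" not in provider_arn:
                raise ValueError(f"unexpected ARN pair: {value.text!r}")
            roles.append((role_arn, provider_arn))
    if not roles:
        raise ValueError("SAML response carries no AWS Role attribute")
    return roles


def select_role(roles, role_name):
    """Pick the offered role by name; AD group membership decides what is offered."""
    for role_arn, provider_arn in roles:
        if role_arn.rsplit("/", 1)[-1] == role_name:
            return role_arn, provider_arn
    raise LookupError(f"role {role_name!r} is not offered in the assertion")


def assume_role_with_saml(sts_client, role_arn, provider_arn, saml_response_b64, duration=3600):
    """Exchange the assertion for temporary credentials. sts_client is a boto3 STS
    client (or anything with the same assume_role_with_saml method); duration
    must not exceed the role's MaxSessionDuration."""
    resp = sts_client.assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_response_b64, DurationSeconds=duration)
    c = resp["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
            "expiration": c["Expiration"]}


def run_athena_query(creds, sql, database, output_location, region="us-east-1"):
    """Run one query with the temporary credentials and return its result rows.
    boto3 is imported here so the parsing/STS helpers above run without it."""
    import boto3
    athena = boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
        region_name=region).client("athena")
    qid = athena.start_query_execution(
        QueryString=sql, QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output_location})["QueryExecutionId"]
    while True:
        state = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]["State"]
        if state in ("SUCCEEDED", "FAILED", "CANCELLED"):
            break
        time.sleep(1)
    if state != "SUCCEEDED":
        raise RuntimeError(f"query {qid} ended in state {state}")
    return athena.get_query_results(QueryExecutionId=qid)["ResultSet"]["Rows"]


if __name__ == "__main__":
    # Offline demo on the constructed sample. With a real AD FS response, pass
    # boto3.client("sts") to assume_role_with_saml and its result to run_athena_query.
    for role_arn, provider_arn in parse_saml_roles(SAMPLE_SAML_RESPONSE):
        print(role_arn, "via", provider_arn)
```

The credentials returned by `assume_role_with_saml` carry a session token and expire, so nothing long-lived is ever stored on the analyst's machine; when an account is disabled in Active Directory, AD FS stops issuing assertions and the user loses Athena access at the next exchange without any change in AWS.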

For allowing On-premise Active Directory users to use the AWS Athena service for querying purposes, the authentication method with the least maintenance overhead is federation: the corporate identity provider (for example AD FS) authenticates the user against Active Directory and issues a SAML assertion, and the AWS Security Token Service exchanges that assertion for short-lived credentials that the Athena JDBC/ODBC drivers and the AWS SDKs accept. No per-user credentials are created, distributed or rotated in AWS.

Explanation:

A) Create IAM Access Keys for the users: Access keys are long-lived credentials for API, CLI and SDK access, and each one is tied to an IAM user (the Management Console is not accessed with access keys). Using them here means creating and maintaining an IAM user per AD user, distributing and rotating keys outside Active Directory, and cleaning up when staff leave. That is the opposite of low maintenance, so this option is incorrect.

B) Create X.509 Certificates for the users: X.509 certificates are used for TLS and for signing, and Athena does not authenticate callers with client certificates; a per-user PKI would also add its own enrolment and revocation burden. Therefore, this option is incorrect.

C) Use the Security Token Service: STS AssumeRoleWithSAML turns a SAML assertion from the on-premise identity provider (AD FS backed by Active Directory) into temporary credentials scoped to an IAM role. Users keep their existing AD credentials, authorization stays centralized in AD group membership and the IAM role's policies, and the credentials expire automatically. This is the approach the AWS documentation cited above describes, so this option is correct.

D) Use the AD Connect service: The AWS service is AD Connector (part of AWS Directory Service); it is a directory gateway that proxies authentication requests to the on-premise domain controllers and does not synchronize user accounts or passwords into AWS. It is designed for AD sign-in to the AWS Management Console and to Directory Service-aware services, not for issuing the temporary credentials that the Athena drivers and SDKs consume, and it is not the mechanism the cited AWS documentation uses for Athena. Therefore, this option is not the answer to this question.

In conclusion, the correct answer is option C - Use the Security Token Service.