Managing AWS Resources from AWS Console for On-Premises Users | Authentication Options | DOP-C01 Exam Answer

Authentication Options for Managing AWS Resources from AWS Console for On-Premises Users


Question

Your company has recently extended its datacenter into a VPC on AWS.

There is a requirement for on-premises users to manage AWS resources from the AWS console.

You don't want to create IAM users for them again.

Which of the below options will fit your needs for authentication?

Answers

Explanations


Answer - C.

You can use a role to configure your SAML 2.0-compliant IdP and AWS to permit your federated users to access the AWS Management Console.

The role grants the user permissions to carry out tasks in the console.

For more information on SAML federation to the AWS Management Console, see the AWS documentation at the URL below.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

The requirement is to allow on-premises users to manage AWS resources from the AWS console without creating IAM users for them again. To fulfill this requirement, we can use federated access to AWS resources via an on-premises identity provider (IDP).

There are several ways to implement federated access to AWS, but the most common methods are OAuth 2.0, web identity federation, and Security Assertion Markup Language (SAML) 2.0.

OAuth 2.0 is a standard protocol for authorization that allows users to grant third-party access to their resources without sharing their credentials. However, OAuth 2.0 is primarily designed for web applications and mobile devices, and it does not support federated access to the AWS Management Console.

Web identity federation is another option that allows users to authenticate with a web identity provider (e.g., Facebook, Google, or Amazon) and obtain temporary AWS security credentials that can be used to access AWS resources. However, web identity federation is also designed for web and mobile applications and does not provide seamless access to the AWS Management Console.

SAML 2.0 is a standard protocol for exchanging authentication and authorization data between parties, in particular between an identity provider (IDP) and a service provider (SP). SAML 2.0 supports federated access to the AWS Management Console and other AWS services via the AWS Single Sign-On (SSO) endpoint.

In this scenario, we can use the on-premises SAML 2.0-compliant IDP to grant federated access to the AWS Management Console via the AWS SSO endpoint. This option allows users to authenticate using their existing credentials from the on-premises IDP and obtain temporary AWS security credentials that can be used to access AWS resources, including the AWS Management Console.

Therefore, the correct option is C, "Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the members federated access to the AWS Management Console via the AWS single-sign-on (SSO) endpoint."
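The role mentioned in the explanation only works if its trust policy names the on-premises SAML provider as the principal and restricts the assertion audience to the AWS sign-in endpoint; otherwise any SAML assertion the IdP issues for some other service could be replayed against AWS. The policy below is an added illustration, not taken from the page or from AWS's own configuration for this scenario; the account ID `123456789012` and the provider name `OnPremIdP` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnPremIdPToAssumeThisRole",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/OnPremIdP"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The IdP must then include the SAML attribute `https://aws.amazon.com/SAML/Attributes/Role` in each assertion, with a value of the form `role-arn,provider-arn` (for example `arn:aws:iam::123456789012:role/OnPremConsoleUser,arn:aws:iam::123456789012:saml-provider/OnPremIdP`); AWS rejects the sign-in if the provider ARN in that attribute does not match the `Federated` principal trusted by the role.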