Streamlining and Securing AWS Management Console and AWS CLI Access | SOA-C02 Exam Question Answer

Streamlining and Securing AWS Management Console and AWS CLI Access

Prev Question Next Question

Question

A SysOps Administrator is tasked with making the AWS Management Console and AWS CLI access more streamlined and secure.

The company uses Active Directory for internal IT resources.

But for AWS, users share the account owner (root) login. What is the recommended way for the Administrator to make access more secure and streamlined?

Answers

A. Store Active Directory logins using reversible encryption. Implement a script to query the Active Directory logins for Administrators and synchronize passwords with the matching AWS logins.

B. Create IAM users for each user that require AWS access and mirror their Active Directory groups with AWS IAM Groups. Allow users to keep passwords synchronized if they prefer.

C. Configure a SAML federation between AWS and the corporate Active Directory. Map Active Directory groups to IAM Roles to manage user permissions.

D. Move users to SSH keys and discontinue use of the root login. Make sure that keys are rotated every 90 days and disable password authentication to the console.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: C.

The preferred setup is given in the AWS Documentation.

Since the preferred setup is already given, all other options are incorrect.

For more information on the preferred setup, please visit the below URL-

https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

How Integration Between AD FS and AWS Works

Before we get too far into the configuration details, let's walk through how this all works.

&
=

AWS Sign-in

Post to Sign-In
Passing AuthN Response

Redirect client
AWS Management
Console

The recommended way for the SysOps Administrator to make AWS Management Console and AWS CLI access more streamlined and secure is to create IAM users for each user that requires AWS access and mirror their Active Directory groups with AWS IAM Groups. This can be achieved through option B.

Option A is not recommended because storing Active Directory logins using reversible encryption is not secure. If an attacker gains access to the encryption key, they can easily decrypt the passwords, which can lead to a security breach. Additionally, synchronizing passwords between Active Directory and AWS is not the best practice since it can cause security issues and adds complexity.

Option C is a good approach since it allows for centralized user management and provides better security. It also maps Active Directory groups to IAM Roles to manage user permissions. However, it can be complex and time-consuming to set up SAML federation, which may not be necessary for smaller organizations.

Option D is also a good approach because it eliminates the need to share the root login, which can be a security risk. However, using SSH keys can be complex for end-users, especially those who are not familiar with the command-line interface. Also, disabling password authentication to the console can lead to operational challenges for some users.

Option B is the best approach because it allows the SysOps Administrator to create IAM users with unique credentials for each user, providing better security and accountability. By mirroring Active Directory groups with AWS IAM Groups, the Administrator can easily manage permissions and access control for each user. This approach also ensures a streamlined process for managing AWS access and reduces the likelihood of a security breach.

In summary, Option B - Create IAM users for each user that requires AWS access and mirror their Active Directory groups with AWS IAM Groups, is the recommended way for the SysOps Administrator to make access more secure and streamlined.

Prev Question Next Question