AWS SCS-C01: Establishing Trust Relationship with SAML IdP | IAM Role Configuration

IAM Role Configuration for SAML-federated Access | AWS Certified Security - Specialty Exam Answer

Prev Question Next Question

Question

A company has a local SAML 2.0-compliant IdP that is used to authenticate users' identities.

The on-premises servers are being migrated to AWS, and you need to establish the trust relationship between AWS resources and the local IdP. You have already created a SAML identity provider in AWS, and now you need to configure an IAM role to allow SAML-federated access to the AWS Management Console. Which of the below trust policies is correct for the IAM role?

Answers

A. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Resource": {"IDP": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"}, "Action": "sts:*" } }] }

B. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"}, "Action": "sts:AssumeRoleWithSAML" } }] }

C. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"}, "Action": "sts:AssumeRoleWithWebIdentity" } }] }

D. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": "*", "Resource": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"}, "Action": "sts:AssumeRoleWithSAML" } }] }

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer: B.

Option A is incorrect because trust policies in IAM roles should not have the Resource field.

Trust policy is used to allow a Principal to assume the IAM role.

Option B is CORRECT because the trust policy allows the SAML identity provider to assume a role with a defined IAM access policy.

The SAML provider is the one you created earlier in IAM.

Option C is incorrect because the allowed Action should be AssumeRoleWithSAML instead of AssumeRoleWithWebIdentity.

Option D is incorrect because ARN should be put inside the Principal field instead of the Resource field in the SAML provider trust policy.

An IAM role can be used to set up the SAML 2.0-compliant identity provider (IdP) and AWS to allow the federated users to access the AWS Management Console.

Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring-role.

The correct answer is B.

Explanation:

To allow SAML-federated access to the AWS Management Console, we need to create an IAM role with the trust policy that establishes the trust relationship between the AWS resources and the local IdP. The trust policy specifies who can assume the IAM role and under what conditions.

Option A is incorrect because it specifies the resource as IDP, which is not a valid resource type in IAM policy. The correct resource type for the SAML identity provider is "saml-provider". Also, this policy allows all actions from the AWS Security Token Service (STS), which is too permissive.

Option B is the correct answer. It allows the IAM role to be assumed by any federated user from the SAML identity provider with the ARN (Amazon Resource Name) "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider" using the "AssumeRoleWithSAML" action. This policy is appropriate because it grants the minimum necessary permissions to assume the role.

Option C is incorrect because it uses the "AssumeRoleWithWebIdentity" action, which is not appropriate for SAML-based federation.

Option D is incorrect because it allows any principal to assume the IAM role, which is too permissive. The correct approach is to specify the trusted SAML identity provider as the principal. Also, the resource type should be "saml-provider", not "Federated".

Therefore, the correct answer is B.

Prev Question Next Question