AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 191

A company is refactoring applications to use AWS. The company identifies an internal web application that needs to make Amazon S3 API calls in a specific AWS account.

The company wants to use its existing identity provider (IdP) auth.company.com for authentication. The IdP supports only OpenID Connect (OIDC). A DevOps engineer needs to secure the web application's access to the AWS account.

Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Configure AWS IAM Identity Center (AWS Single Sign-On). Configure an IdP. Upload the IdP metadata from the existing IdP.
• B. Create an IAM IdP by using the provider URL, audience, and signature from the existing IP.
• C. Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IP to assume the role if the sts.amazon.com:aud context key is appid_from_idp.
• D. Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IP to assume the role if the auth.company.com:aud context key is appid_from_idp.
• E. Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.
• F. Configure the web application to use the GetFederationToken API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls.

Correct answer: B, D, E

Explanation

The correct steps involve creating an IAM IdP (B) to integrate with the existing IdP, setting up an IAM role with a trust policy for OIDC (D), and utilizing the AssumeRoleWithWebIdentity API (E) to access Amazon S3. The other options either do not align with the requirements or involve incorrect configurations for the trust policy or API operations.