AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 219
A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer must ensure that all users who access the AWS Management Console are authenticated through the company’s corporate identity provider (IdP).
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Use Amazon GuardDuty with a delegated administrator account. Use GuardDuty to enforce denial of IAM user logins.
- B. Use AWS IAM Identity Center to configure identity federation with SAML 2.0.
- C. Create a permissions boundary in AWS IAM Identity Center to deny password logins for IAM users.
- D. Create IAM groups in the Organizations management account to apply consistent permissions for all IAM users.
- E. Create an SCP in Organizations to deny password creation for IAM users.
Correct answer: B, E
Explanation
Option B is correct because configuring AWS IAM Identity Center for SAML 2.0 identity federation lets users authenticate through the corporate IdP. Option E is also correct because a Service Control Policy (SCP) that denies password creation for IAM users removes the ability to sign in to the console with an IAM user password, so only federated logins remain possible. The other options do not directly address the requirement for authentication through the corporate IdP.
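As an added illustration (not part of the original question or an official AWS answer), this is an SCP of the kind option E describes; the statement identifier and the choice of IAM actions are my assumptions about how to express "deny password creation" for IAM users:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserConsolePasswords",
      "Effect": "Deny",
      "Action": [
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:ChangePassword"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs do not apply to principals in the Organizations management account, so IAM users created there are not constrained by this policy.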