AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 377
A company manually provisions IAM access for its employees. The company wants to replace the manual process with an automated process. The company has an existing Active Directory system configured with an external SAML 2.0 identity provider (IdP).
The company wants employees to use their existing corporate credentials to access AWS. The groups from the existing Active Directory system must be available for permission management in AWS Identity and Access Management (IAM). A DevOps engineer has completed the initial configuration of AWS IAM Identity Center (AWS Single Sign-On) in the company’s AWS account.
What should the DevOps engineer do next to meet the requirements?
Answer options
- A. Configure an external IdP as an identity source. Configure automatic provisioning of users and groups by using the SCIM protocol.
- B. Configure AWS Directory Service as an identity source. Configure automatic provisioning of users and groups by using the SAML protocol.
- C. Configure an AD Connector as an identity source. Configure automatic provisioning of users and groups by using the SCIM protocol.
- D. Configure an external IdP as an identity source. Configure automatic provisioning of users and groups by using the SAML protocol.
Correct answer: A
Explanation
To integrate AWS IAM Identity Center with an existing external SAML 2.0 identity provider, the external IdP must be configured as the identity source. SAML 2.0 only covers federation: at sign-in the IdP authenticates the employee and sends an assertion, but the assertion is not a mechanism for creating users or groups in the Identity Center identity store, and IAM Identity Center does not create identities just in time from SAML assertions. Users and groups must already exist in the identity store before permission sets can be assigned to them, so the System for Cross-domain Identity Management (SCIM) protocol is what automates provisioning: Identity Center exposes a SCIM endpoint and an access token, the IdP's SCIM client pushes users and groups and keeps them in sync (including deactivating leavers), and the synced groups are then used for permission-set assignment, which Identity Center turns into IAM roles in the member accounts. Options B and D are wrong because SAML cannot provision users or groups; options B and C are also wrong because AWS Directory Service or an AD Connector would connect Identity Center directly to Active Directory and bypass the external SAML 2.0 IdP the company already uses. Practical caveats: the SCIM access token generated in Identity Center has a limited lifetime and must be rotated before it expires, and nested groups are not supported, so only direct group members are synced.
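To make the SAML-versus-SCIM distinction concrete, the following is an added example, not code from the exam page or from AWS. It is a toy in-memory model of both sides of a SCIM 2.0 provisioning exchange: `ScimEndpoint` stands in for the Identity Center SCIM service (the real endpoint URL, bearer token, Active Directory GUIDs and user names here are all constructed), and `IdpProvisioner` stands in for the IdP-side SCIM agent pushing an AD-derived snapshot. It shows what SCIM does that a SAML assertion never will: create users and groups ahead of any sign-in, reconcile group membership with PATCH, and deactivate an employee who has left the directory.

```python
"""Toy model of SCIM 2.0 provisioning from an external IdP to IAM Identity Center.
Constructed example for illustration; nothing here talks to AWS."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimEndpoint:
    """Server side: stands in for the Identity Center SCIM endpoint
    (in AWS this is an https://scim.<region>.amazonaws.com/... URL plus a bearer token)."""

    def __init__(self, bearer_token):
        self._token = bearer_token
        self.users = {}    # SCIM id -> User resource
        self.groups = {}   # SCIM id -> Group resource

    def request(self, method, path, headers, body=None):
        """Handle one call; returns (HTTP status, SCIM response body)."""
        if headers.get("Authorization") != f"Bearer {self._token}":
            return 401, {"status": "401", "detail": "invalid bearer token"}
        kind, _, rid = path.lstrip("/").partition("/")
        store = {"Users": self.users, "Groups": self.groups}.get(kind)
        if store is None:
            return 404, {"status": "404"}
        if method == "POST" and not rid:
            return self._create(store, body, USER_SCHEMA if kind == "Users" else GROUP_SCHEMA)
        if method == "PATCH" and rid in store:
            return self._patch(store[rid], body)
        return 404, {"status": "404"}

    def _create(self, store, body, schema):
        key = "userName" if schema == USER_SCHEMA else "displayName"
        if schema not in body.get("schemas", []) or key not in body:
            return 400, {"status": "400", "scimType": "invalidSyntax"}
        if any(r[key] == body[key] for r in store.values()):
            return 409, {"status": "409", "scimType": "uniqueness"}
        resource = dict(body, id=str(uuid.uuid4()))
        if schema == GROUP_SCHEMA:
            resource["members"] = []   # membership is set with PATCH in this model, not at creation
        store[resource["id"]] = resource
        return 201, resource

    def _patch(self, resource, body):
        if PATCH_SCHEMA not in body.get("schemas", []):
            return 400, {"status": "400", "scimType": "invalidSyntax"}
        for op in body["Operations"]:
            action, path, value = op["op"].lower(), op.get("path"), op.get("value")
            if path == "members" and action in ("add", "remove"):
                have = {m["value"] for m in resource["members"]}
                ids = {m["value"] for m in value}
                keep = have | ids if action == "add" else have - ids
                resource["members"] = [{"value": i} for i in sorted(keep)]
            elif path == "active" and action == "replace":
                resource["active"] = bool(value)
            else:
                return 400, {"status": "400", "scimType": "invalidPath"}
        return 200, resource


class IdpProvisioner:
    """Client side: the external IdP's SCIM agent pushing Active Directory state."""

    def __init__(self, endpoint, bearer_token):
        self.ep = endpoint
        self.headers = {"Authorization": f"Bearer {bearer_token}",
                        "Content-Type": "application/scim+json"}
        self.user_ids = {}     # AD objectGUID -> SCIM user id
        self.group_ids = {}    # AD group name -> SCIM group id
        self.memberships = {}  # AD group name -> objectGUIDs pushed in the last sync

    def _call(self, method, path, body):
        status, res = self.ep.request(method, path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> {status} {res}")
        return res

    def sync(self, directory):
        """Reconcile the endpoint with a snapshot {'users': [...], 'groups': {name: [guid, ...]}}."""
        present = set()
        for u in directory["users"]:
            present.add(u["guid"])
            if u["guid"] in self.user_ids:
                continue
            res = self._call("POST", "/Users", {
                "schemas": [USER_SCHEMA], "externalId": u["guid"], "userName": u["upn"],
                "name": {"givenName": u["given"], "familyName": u["family"]},
                "displayName": f"{u['given']} {u['family']}",
                "emails": [{"value": u["upn"], "primary": True}], "active": True})
            self.user_ids[u["guid"]] = res["id"]
        for guid in set(self.user_ids) - present:   # leavers: deactivate, keep the identity for audit
            self._call("PATCH", f"/Users/{self.user_ids[guid]}", {
                "schemas": [PATCH_SCHEMA],
                "Operations": [{"op": "replace", "path": "active", "value": False}]})
        for name, guids in directory["groups"].items():
            if name not in self.group_ids:
                res = self._call("POST", "/Groups", {"schemas": [GROUP_SCHEMA], "displayName": name})
                self.group_ids[name], self.memberships[name] = res["id"], set()
            want, have = set(guids) & set(self.user_ids), self.memberships[name]
            ops = [{"op": op, "path": "members",
                    "value": [{"value": self.user_ids[g]} for g in sorted(delta)]}
                   for op, delta in (("add", want - have), ("remove", have - want)) if delta]
            if ops:
                self._call("PATCH", f"/Groups/{self.group_ids[name]}",
                           {"schemas": [PATCH_SCHEMA], "Operations": ops})
            self.memberships[name] = want


def run_scenario():
    """Two sync rounds: day one, then Bob leaves and Carol joins. Returns a summary dict."""
    token = "constructed-scim-access-token"   # in AWS this is generated in the Identity Center console
    ep = ScimEndpoint(token)
    idp = IdpProvisioner(ep, token)
    alice = {"guid": "g-alice", "upn": "alice@example.com", "given": "Alice", "family": "Ng"}
    bob = {"guid": "g-bob", "upn": "bob@example.com", "given": "Bob", "family": "Ortiz"}
    carol = {"guid": "g-carol", "upn": "carol@example.com", "given": "Carol", "family": "Diaz"}
    idp.sync({"users": [alice, bob], "groups": {"AWS-Admins": ["g-alice", "g-bob"]}})
    idp.sync({"users": [alice, carol], "groups": {"AWS-Admins": ["g-alice", "g-carol"]}})
    admins = ep.groups[idp.group_ids["AWS-Admins"]]
    return {
        "admins": sorted(ep.users[m["value"]]["userName"] for m in admins["members"]),
        "bob_active": ep.users[idp.user_ids["g-bob"]]["active"],
        "bad_token_status": ep.request("POST", "/Users", {"Authorization": "Bearer wrong"}, {})[0],
    }
```

After the second round the `AWS-Admins` group contains Alice and Carol, Bob's user is `active: false`, and a call with the wrong bearer token is rejected with 401. Nothing in this flow involves a login or a SAML assertion: that is exactly why option A pairs the external IdP with SCIM rather than relying on SAML for provisioning.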