AWS Certified Security – Specialty (SCS-C02) — Question 279

A security engineer is implementing authentication for a multi-account environment by using federated access with SAML 2.0. The security engineer has configured AWS IAM Identity Center as an identity provider (IdP). The security engineer also has created IAM roles to grant access to the AWS accounts.

A federated user reports an authentication failure when the user attempts to authenticate with the new system.

What should the security engineer do to troubleshoot this issue in the MOST operationally efficient way?

Answer options

• A. Review the SAML IdP logs to identify errors. Check AWS CloudTrail to verify the API calls that the user made.
• B. Review the SAML IdP logs to identify errors. Use the IAM policy simulator to validate access to the IAM roles.
• C. Use IAM access advisor to review recent service access. Use the IAM policy simulator to validate access to the IAM roles.
• D. Recreate the SAML IdP in a separate account to confirm the behavior that the user is experiencing.

Correct answer: A

Explanation

Checking the SAML IdP logs helps verify if the identity provider successfully authenticated the user and generated the SAML assertion, while AWS CloudTrail records the AssumeRoleWithSAML API call to pinpoint AWS-side integration errors. Using the IAM policy simulator or IAM access advisor is ineffective because they validate resource authorization rather than the federated authentication process itself. Recreating the IdP environment is highly inefficient and unnecessary for troubleshooting a single user's authentication failure.