AWS Certified Solutions Architect – Professional — Question 462

Your company has recently extended its datacenter into a VPC on AWS to add burst computing capacity as needed Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary. You don't want to create new IAM users for each
NOC member and make those users sign in again to the AWS Management Console.
Which option below will meet the needs for your NOC members?

Answer options

• A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.
• B. Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console.
• C. Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
• D. Use your on-premises SAML2.0-compliam identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Correct answer: C

Explanation

Integrating an on-premises SAML 2.0-compliant identity provider (IDP) with AWS allows corporate users to access the AWS Management Console seamlessly using single sign-on (SSO) without needing separate IAM credentials. Web Identity Federation and OAuth 2.0 are designed for public consumer identities (like Google or Facebook) and are not appropriate for corporate Active Directory or LDAP integrations. Option D is incorrect because the standard SAML 2.0 flow relies on the AWS SSO endpoint to grant federated console access directly, rather than having users manually fetch and use temporary credentials to sign in.