AWS Certified Solutions Architect – Professional — Question 518
Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose three.)
Answer options
- A. Setting up a federation proxy or identity provider
- B. Using AWS Security Token Service to generate temporary tokens
- C. Tagging each folder in the bucket
- D. Configuring IAM role
- E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket
Correct answer: A, B, D
Explanation
Single sign-on from a corporate AD or LDAP directory means employees should not exist as IAM principals at all. An identity provider or federation proxy (A) authenticates each user against the directory and maps the user to an IAM role (D); the AWS Security Token Service (B) then issues short-lived temporary credentials for that session (AssumeRoleWithSAML when a SAML IdP is used, GetFederationToken when a custom proxy holds the credentials). The per-user folder restriction does not require a policy per user: one permissions policy attached to the role, or passed to STS as the session policy, references a policy variable such as ${aws:userid}, which resolves to the caller-specified session name supplied by the IdP or proxy, so every user is confined to home/<userid>/ in the bucket, with an s3:prefix condition on s3:ListBucket so listing is limited to that prefix as well. Creating an IAM user for every directory user (E) is the administrative burden federation exists to remove and would add a second set of long-lived credentials to manage. Tagging folders (C) cannot express this restriction: S3 "folders" are key prefixes, not resources that carry tags, and S3 authorization is decided by IAM and bucket policies, not by tags on a prefix.
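The following is an added example, not part of the exam page, showing the single shared policy a federation proxy would hand to STS and a small offline evaluator that checks the home-folder restriction behaves as intended. The bucket name, account ID, user names and the evaluator itself are assumptions for illustration; the ${aws:userid} format ("account-id:Name") for a GetFederationToken session is taken from the IAM policy-variables documentation.

```python
"""Per-user S3 home-folder scoping for federated sessions.

Added example (not from the exam page). Shows (1) the one policy that
serves every employee via ${aws:userid}, (2) the GetFederationToken
arguments a federation proxy would build, and (3) a toy evaluator used
to confirm that a user can touch only home/<userid>/ in the bucket.
"""
import fnmatch
import json
import re

BUCKET = "corp-personal-docs"   # assumed bucket name
ACCOUNT_ID = "123456789012"     # assumed AWS account ID

# STS GetFederationToken requires Name to be 2-32 chars from [\w+=,.@-].
_FEDERATION_NAME = re.compile(r"^[\w+=,.@-]{2,32}$")


def home_folder_policy(bucket: str) -> dict:
    """One policy for all users. IAM fills in ${aws:userid} per request; for a
    GetFederationToken session it resolves to "<account-id>:<Name>", so each
    employee is confined to keys under home/<account-id>:<user>/."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only for prefixes inside the user's folder
                "Sid": "ListOwnFolder",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["home/${aws:userid}/*"]}},
            },
            {   # object operations are allowed only on keys in the user's folder
                "Sid": "ReadWriteOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/home/${{aws:userid}}/*",
            },
        ],
    }


def federation_token_request(corp_user: str, duration: int = 3600) -> dict:
    """Keyword arguments the proxy would pass to boto3's sts.get_federation_token()
    after authenticating corp_user against AD/LDAP. The inline Policy is
    intersected with the proxy's own permissions, so the temporary credentials
    can never exceed the home-folder scope. Directory names with characters
    outside the STS Name charset (e.g. DOMAIN\\user) must be normalised first."""
    if not _FEDERATION_NAME.match(corp_user):
        raise ValueError(f"{corp_user!r} is not a valid STS federation Name")
    return {
        "Name": corp_user,
        "Policy": json.dumps(home_folder_policy(BUCKET)),
        "DurationSeconds": duration,
    }


def resolve_variables(policy: dict, userid: str) -> dict:
    """Substitute ${aws:userid} the way IAM does before evaluating the policy."""
    return json.loads(json.dumps(policy).replace("${aws:userid}", userid))


def user_policy(corp_user: str) -> dict:
    """Effective policy for one employee's federated session (assumed userid format)."""
    return resolve_variables(home_folder_policy(BUCKET), f"{ACCOUNT_ID}:{corp_user}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str, context=None) -> bool:
    """Toy allow-only evaluator: IAM wildcards (* and ?) via fnmatch,
    StringLike/StringEquals conditions, implicit deny when nothing matches.
    Not a full IAM engine (no Deny statements, no bucket policies)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        met = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, allowed in pairs.items():
                actual = context.get(key)
                if actual is None:             # missing context key fails the condition
                    met = False
                elif operator == "StringLike":
                    met &= any(fnmatch.fnmatchcase(actual, p) for p in _as_list(allowed))
                elif operator == "StringEquals":
                    met &= actual in _as_list(allowed)
                else:
                    met = False                # unsupported operator: fail closed
        if met:
            return True
    return False


if __name__ == "__main__":
    alice = user_policy("alice")
    own = f"arn:aws:s3:::{BUCKET}/home/{ACCOUNT_ID}:alice/resume.pdf"
    other = f"arn:aws:s3:::{BUCKET}/home/{ACCOUNT_ID}:bob/salary.xlsx"
    print("alice reads own file:   ", is_allowed(alice, "s3:GetObject", own))
    print("alice reads bob's file: ", is_allowed(alice, "s3:GetObject", other))
    print("alice lists whole bucket:", is_allowed(alice, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"))
```

The evaluator here is only a sanity check on the policy's shape; before deploying, run the real policy through IAM's simulate-custom-policy API with the resolved user ID in the context to confirm the same results against the actual IAM engine.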