AWS Certified Solutions Architect – Professional — Question 71

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPSec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space
(S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? (Choose two.)

Answer options

• A. Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
• B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
• C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
• D. The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket.
• E. The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket.

Correct answer: B, C

Explanation

Option B is correct because it involves authenticating against LDAP, retrieving the IAM role name, and then using the IAM Security Token Service to assume that role for S3 access. Option C is also correct as it involves authenticating against LDAP and obtaining federated user credentials from IAM. The other options either do not appropriately link LDAP with IAM roles or incorrectly describe the authentication process.