AWS Certified SysOps Administrator – Associate — Question 105

An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP group membership.

What is the BEST method to allow access using current LDAP credentials?

Answer options

• A. Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
• B. Create a Lambda function to read LDAP groups and automate the creation of IAM users.
• C. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
• D. Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.

Correct answer: D

Explanation

The correct answer, D, allows for federated access management, linking LDAP groups with corresponding IAM roles, which ensures that users only have permissions relevant to their job functions. Option A does not directly support federating existing LDAP credentials with IAM. Option B creates IAM users instead of roles, which is not the best practice for managing access. Option C involves setting up infrastructure that does not address the need for role-based access tied to LDAP groups.