AWS Certified SysOps Administrator – Associate (legacy) — Question 500
An enterprise is using federated Security Assertion Markup Language (SAML) to access the AWS Management Console.
How should the SAML assertion mapping be configured?
Answer options
- A. Map the group attribute to an AWS group. The AWS group is assigned IAM policies that govern access to AWS resources.
- B. Map the policy attribute to IAM policies the federated user is assigned to. These policies govern access to AWS resources.
- C. Map the role attribute to an AWS role. The AWS role is assigned IAM policies that govern access to AWS resources.
- D. Map the user attribute to an AWS user. The AWS user is assigned specific IAM policies that govern access to AWS resources.
Correct answer: C
Explanation
AWS SAML federation requires mapping SAML attributes to an IAM Role (using the Role SAML attribute), which the federated user assumes upon login. AWS does not support federating directly to IAM Users or IAM Groups for console access. The assumed IAM Role has the necessary IAM policies attached to define what resources the federated user can access.
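As an added illustration of the Role-attribute mapping described above (example code written for this page, not taken from the question bank or from AWS), the block below shows the two pieces the explanation refers to: the SAML `Role` attribute value, which pairs a role ARN with a SAML-provider ARN, and the trust policy on that role that allows `sts:AssumeRoleWithSAML` from the provider. The account ID, provider name, role name and the simplified `name -> value` attribute dictionary are constructed placeholders; the attribute names and the policy shape are the ones AWS documents.

```python
import json
import re
from typing import Tuple

# Constructed placeholders (not from the page): account id, provider and role names.
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/ExampleIdP"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SysOpsReadOnly"

# Attribute names AWS expects to find in the SAML assertion.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

ARN_ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
ARN_PROVIDER_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")


def parse_role_attribute(value: str) -> Tuple[str, str]:
    """Split a Role attribute value into (role_arn, provider_arn).

    AWS accepts the two ARNs in either order, so each half is classified by
    its ARN type rather than by position. Anything that is not a role ARN
    paired with a saml-provider ARN (a group, a user, a policy) is rejected,
    which is why options A, B and D in the question cannot work.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError("Role attribute must contain exactly two comma-separated ARNs")
    role = next((p for p in parts if ARN_ROLE_RE.match(p)), None)
    provider = next((p for p in parts if ARN_PROVIDER_RE.match(p)), None)
    if role is None or provider is None:
        raise ValueError(f"Role attribute must pair a role ARN with a saml-provider ARN: {value!r}")
    return role, provider


def build_trust_policy(provider_arn: str) -> dict:
    """Trust policy for the IAM role the federated user assumes (option C)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                # Restrict the assertion audience to the AWS sign-in endpoint.
                "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
            }
        ],
    }


def assertion_is_consistent(attributes: dict, trust_policy: dict) -> bool:
    """Return True when the assertion carries the mandatory RoleSessionName and
    names a provider ARN that the role's trust policy actually trusts."""
    if SESSION_NAME_ATTR not in attributes or ROLE_ATTR not in attributes:
        return False
    _, provider = parse_role_attribute(attributes[ROLE_ATTR])
    trusted = trust_policy["Statement"][0]["Principal"]["Federated"]
    return provider == trusted


# Constructed assertion attributes as an IdP might emit them (simplified to name -> value).
SAMPLE_ATTRIBUTES = {
    ROLE_ATTR: f"{ROLE_ARN},{PROVIDER_ARN}",
    SESSION_NAME_ATTR: "alice@example.com",
}

if __name__ == "__main__":
    policy = build_trust_policy(PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print(parse_role_attribute(SAMPLE_ATTRIBUTES[ROLE_ATTR]))
    print(assertion_is_consistent(SAMPLE_ATTRIBUTES, policy))
```

The consistency check mirrors what `AssumeRoleWithSAML` enforces at login: the provider named in the assertion must be the federated principal in the role's trust policy, and the assertion must carry a `RoleSessionName`, or the console sign-in fails even though the attribute mapping looks correct.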