I’m back with another sample question that I’ve come across whilst progressing with my studies.
Your company is migrating infrastructure to AWS. A large number of developers and administrators will need to control this infrastructure using the new AWS Management Console. The Identity Management team is objecting to creating an entirely new directory of IAM users for all employees, and the employees are reluctant to commit yet another password to memory. Which of the following will satisfy both these stakeholders? (Choose 1)
a. Users request a SAML assertion from your on-premises SAML 2.0-compliant identity provider (IdP) and use that assertion to obtain federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.
b. Users log in directly to the AWS Management Console using the credentials from your on-premises Kerberos compliant identity provider.
c. Users log in to the AWS Management Console using the AWS Command Line Interface.
d. Users sign in using an OpenID (OIDC) compatible IdP, receive an authentication token, then use that token to log in to the AWS Management Console.
As mentioned in my previous post, I always try to rule out answers that are just completely wrong. This question is testing your knowledge of Identity and Access Management or IAM as its commonly known as. If we look at the basic elements of AWS IAM there are two access options for when you create a user directly within the AWS Management Console:
- AWS Management Console – This enables a password that allows the user to log-in to the Management Console.
- Programmatic Access – This enabls an Access Key ID and a Secret Access Key for the AWS API, CLI, SDK and other development tools.
“Answer C” is quite simple to rule out as this is quite clearly the Programmatic Access as mentioned above and you simply can’t login to the AWS Management Console using the Access Key ID and Secret Access Key. Similarly reviewing the Question it clearly says that the Identity Management Team are objecting to creating an entirely new directory and thus doesn’t meet the objectives.
Before I jump too far ahead it’s useful to understand some of the other terms within the available options to the remaining questions.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A good example of a Kerberos compliant Identity Providers would be Microsoft Active Directory.
This is the combining or joining a list of users in a Domain (such as AWS IAM) with a list of users in another Domain (such as Active Directory, Facebook, Google etc..).
A services that allow you to take an identity from Point A and federate it to Point B.
Identity Provider (IdP)
Services such as Microsoft Active Directory, Facebook, Google etc..
A user of a service like Microsoft Active Directory, Facebook, Google etc..
Security Assertion Markup Language is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
“Answer D” talks about utilising an OpenID Identity Provider to receive an authentication token to successfully log-in to the AWS Management Console. An example of an OpenID provider would be something like Facebook, Google, SalesForce etc.. to be the authentication mechanism. Personally I would rule this out straight away as well due to this also meaning there is some other directory of sorts being required by the end users be it Facebook, Google etc.. and this is going against requirements of the Identity Management Team within the question.
When we review “Answer B” this is implying that the users would login directly to the AWS Management Console using their Active Directory credentials. This would be possible if the answer mentioned having configured/used the AWS AD Connector. For details on how to configure this I would recommend reading the following AWS Blog Post.
Understanding the process of accessing resources within AWS via federation is definitely worth knowing in preparation for the exam and there is a really great AWS Blog Post that describes the process of flow very well.
“Answer A” is saying to utilise federated access. This would grant the end user access based off of their existing credentials (typically Active Directory) and therefore means there is no requirement for them to have a user created within AWS IAM whilst also allowing single sign-on (SSO).
Therefore the correct answer to this scenario is “Answer A”.