ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is deploying a new web-based analytics tool on AWS. Employees already sign in through the corporate identity provider that supports SAML 2.0. External auditors from a partner firm must also access the application using their own SAML IdP. The security team wants to avoid creating individual IAM users for auditors and still enforce least-privilege, auditable access. Which solution BEST meets these requirements?
Generate long-term IAM access keys in your account and share them with the auditors, restricting their actions through an attached IAM policy.
Enable AWS IAM Identity Center and use SCIM to provision individual AWS users for each auditor, assigning them to a group with the needed permissions.
Create dedicated cross-account IAM users for the auditors and distribute console passwords, enforcing password rotation every 30 days.
Create an IAM SAML identity provider with the partner's metadata and define a role granting only the required permissions; allow auditors to assume that role via SAML federation.
Creating an IAM SAML identity provider from the partner's metadata and mapping it to a minimally privileged IAM role lets auditors authenticate at their own identity provider and exchange the resulting SAML assertion for temporary AWS credentials through the STS AssumeRoleWithSAML call. The role's trust policy names the SAML provider as the federated principal, so only assertions signed by the partner IdP can assume it, and the permissions policy attached to the role is where least privilege is enforced. This gives single sign-on, leaves no permanent IAM users or long-term credentials in your account, and every AssumeRoleWithSAML call and every subsequent API call made by the role session is recorded in AWS CloudTrail under a session name taken from the assertion, so actions stay attributable to the individual auditor. Provisioning auditors into IAM Identity Center (formerly AWS SSO) through SCIM would create a second set of AWS identities to manage, which the security team wants to avoid, and an Identity Center instance supports only one identity source at a time, which the corporate IdP already occupies. Sharing long-term access keys or console passwords with auditors violates AWS best practice: the credentials end up shared among several people, cannot be tied to an individual in CloudTrail, and must be rotated and revoked by hand when an auditor leaves the engagement. Therefore, configuring SAML federation with an IAM identity provider and a trusted role is the most secure and least-administrative approach.
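A worked example of the correct option, added here and not taken from the page or from AWS documentation: the trust policy and permissions policy for the auditor role, a check that the trust policy is scoped the way the explanation requires, a parser for the SAML Role attribute the partner IdP has to send, and the boto3 calls that create the objects. The account ID, provider name, role name and bucket name are placeholders, and the read-only S3 scope is a hypothetical choice because the question does not say what the auditors need to read.

```python
import json

# Placeholder identifiers (assumptions, not values from the page).
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "PartnerAuditorIdP"
ROLE_NAME = "PartnerAuditorReadOnly"
BUCKET = "analytics-reports-example"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
# Audience AWS expects in the assertion; rejecting other audiences stops an
# assertion minted for some other service provider from being replayed here.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy(provider_arn: str) -> dict:
    """Trust policy for the auditor role: only assertions from this SAML
    provider, only through AssumeRoleWithSAML, only with the AWS audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Least-privilege permissions: read-only access to one report bucket
    (hypothetical scope chosen for the example)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def audit_trust_policy(policy: dict, expected_provider_arn: str) -> list:
    """Findings a reviewer should raise before creating the role. An empty
    list means every Allow statement is pinned to the partner provider,
    to sts:AssumeRoleWithSAML, and to the AWS audience."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append("wildcard principal")
        elif principal.get("Federated") != expected_provider_arn:
            findings.append("Federated principal is not the expected SAML provider")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if actions != ["sts:AssumeRoleWithSAML"]:
            findings.append("Action is not limited to sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append("missing or wrong SAML:aud condition")
    return findings


def parse_role_attribute(value: str) -> tuple:
    """The partner IdP sends https://aws.amazon.com/SAML/Attributes/Role as
    'role_arn,provider_arn' (AWS accepts either order). Returns
    (role_arn, provider_arn) and rejects anything that is not exactly one
    role ARN plus one saml-provider ARN."""
    parts = [p.strip() for p in value.split(",")]
    roles = [p for p in parts if ":role/" in p]
    providers = [p for p in parts if ":saml-provider/" in p]
    if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
        raise ValueError(f"malformed Role attribute: {value!r}")
    return roles[0], providers[0]


def provision(metadata_xml: str, bucket: str) -> str:
    """Create the provider, role and inline policy with boto3. These are real
    AWS calls that need credentials, so the offline checks do not call this."""
    import boto3
    iam = boto3.client("iam")
    provider_arn = iam.create_saml_provider(
        Name=PROVIDER_NAME, SAMLMetadataDocument=metadata_xml)["SAMLProviderArn"]
    iam.create_role(RoleName=ROLE_NAME,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(provider_arn)),
                    MaxSessionDuration=3600)   # cap auditor sessions at one hour
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="AuditorReadOnly",
                        PolicyDocument=json.dumps(permissions_policy(bucket)))
    return provider_arn


if __name__ == "__main__":
    print(json.dumps(trust_policy(PROVIDER_ARN), indent=2))
    print("findings:", audit_trust_policy(trust_policy(PROVIDER_ARN), PROVIDER_ARN))
    print(parse_role_attribute(f"{ROLE_ARN},{PROVIDER_ARN}"))
```

Once the role exists, an auditor's browser posts the assertion to the AWS sign-in endpoint, or a CLI client calls sts:AssumeRoleWithSAML with the role ARN, the provider ARN and the base64 assertion; either way the returned credentials expire at the session duration, and CloudTrail records the AssumeRoleWithSAML event together with the session name the IdP supplied in the RoleSessionName attribute, which is the attribution the shared-credential options cannot provide.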
Exam domain: Access Controls