AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company needs to allow its employees to access cloud services without managing separate user accounts for each employee. Employees should be able to use their existing corporate login credentials. The solution should minimize cost and administrative overhead and should adhere to security best practices. What should a solutions architect recommend?
Implement Amazon Cognito to authenticate employees using their corporate login credentials.
Create individual IAM user accounts for all employees and manage their credentials in AWS.
Configure identity federation with IAM roles and SAML integration to the corporate identity provider.
Use AWS Directory Service to synchronize the corporate directory with AWS.
The best solution is to set up identity federation using AWS IAM roles with Security Assertion Markup Language (SAML) integration to the company's corporate identity provider (IdP). This approach enables employees to authenticate using their existing corporate credentials and assume IAM roles to access AWS services. It minimizes administrative overhead by removing the need to create and manage individual IAM user accounts in AWS. This method adheres to security best practices by enforcing the principle of least privilege through role-based access control.
Creating individual IAM user accounts for all employees increases management complexity and the security risks associated with long-lived credential management. Using AWS Directory Service to synchronize the corporate directory is unnecessary when SAML federation is available, as it adds extra complexity and cost. Amazon Cognito is better suited to customer-facing web and mobile applications, where it provides user sign-in through social and other external identity providers; it is not designed to provide federated access to AWS resources for internal employees.
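The federated pattern the answer describes, as an added example that is not part of the practice question: a trust policy for an IAM role that corporate users assume through sts:AssumeRoleWithSAML, placed beside the individual-IAM-user pattern the distractor proposes, with a small static check that flags the differences. The account ID 123456789012, the SAML provider name CorpIdP, the role trusted user alice and both policy documents are constructed placeholders; the condition key SAML:aud and the sign-in audience URL are the standard values AWS uses for SAML federation.

```python
"""Added example, not from the practice question: an IAM role trust policy
for SAML federation next to a weak user-based variant, plus a checker."""
from typing import Any, Dict, List

# Audience that a SAML assertion for the AWS console/STS must carry.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed trust policy: the role trusts the SAML provider registered in
# IAM (a Federated principal), allows only AssumeRoleWithSAML, and pins the
# assertion audience so a token minted for another service cannot be replayed.
SAML_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:saml-provider/CorpIdP"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }
    ],
}

# Constructed weak variant: the role trusts a long-lived IAM user instead of
# the corporate IdP and carries no audience condition (the distractor pattern).
IAM_USER_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Principal fields."""
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for every Allow statement that departs from the
    SAML-federation pattern; an empty list means the policy matches it."""
    findings: List[str] = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))

        # A bare "*" principal means any AWS account could assume the role.
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal")
            principal = {}
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append(f"statement {idx}: wildcard AWS principal")
        if "AWS" in principal:
            findings.append(
                f"statement {idx}: trusts an IAM principal rather than a "
                "federated identity provider"
            )
        if "Federated" not in principal:
            findings.append(f"statement {idx}: no Federated (SAML provider) principal")
        if "sts:AssumeRoleWithSAML" not in actions:
            findings.append(f"statement {idx}: does not use sts:AssumeRoleWithSAML")

        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != SAML_AUDIENCE:
            findings.append(f"statement {idx}: SAML:aud condition missing or wrong")
    return findings


if __name__ == "__main__":
    for name, doc in (("saml", SAML_TRUST_POLICY), ("iam-user", IAM_USER_TRUST_POLICY)):
        print(name, check_saml_trust_policy(doc) or "ok")
```

The checker is deliberately narrow: it only recognises the SAML pattern from the answer, so a role that is legitimately assumed by another AWS account would also be reported. Run it against the trust documents returned by the IAM API (the `AssumeRolePolicyDocument` field of a role) to find roles that still trust individual users.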