Question #1
A global logistics company operates both an on-premises data center and cloud-based workloads in AWS. The company wants to ensure that all Cloud Engineers can log in to the AWS Management Console and access AWS services using their corporate credentials from the company’s existing Active Directory.
Which of the following is the best solution to meet this requirement?
A. Create IAM users for each Cloud Engineer and manually configure their credentials in AWS.
B. Configure an Amazon Cognito user pool and synchronize it with the company’s Active Directory.
C. Set up SAML 2.0-based federation using Active Directory Federation Services (AD FS).
D. Deploy an AWS Directory Service and manually synchronize users with the on-premises Active Directory.
Correct Answer:
✅ C. Set up SAML 2.0-based federation using Active Directory Federation Services (AD FS).
Explanation:
For enterprises using on-premises Active Directory, the best way to enable secure access to AWS using corporate credentials is through SAML 2.0 federation with AD FS.
✔ SAML-based federation allows users to authenticate with their existing corporate credentials without creating separate IAM users.
✔ AD FS (Active Directory Federation Services) acts as the Identity Provider (IdP), verifying user identities and granting temporary AWS access.
✔ This setup enables Single Sign-On (SSO), reducing credential management overhead.
Why Not the Other Options?
❌ A. Create IAM users – This requires manual credential management, which contradicts the requirement to use corporate credentials.
❌ B. Amazon Cognito – Cognito is primarily designed for web and mobile app authentication, not enterprise Active Directory integration.
❌ D. AWS Directory Service – While AWS Directory Service allows integration with on-premises AD, it does not handle authentication federation for AWS Console access.
By using SAML-based federation with AD FS, the company can allow Cloud Engineers to securely access AWS without managing separate IAM users, following AWS best practices.
Question #2
A technology company has conducted a Total Cost of Ownership (TCO) analysis comparing Amazon S3 with purchasing additional on-premises storage hardware. Based on the results, the company has decided to provide all 1,200 employees with access to Amazon S3 for storing their personal documents.
The company also wants to ensure:
✔ Single Sign-On (SSO) integration with their existing Active Directory (AD) or LDAP directory
✔ Access control, so each employee can only access their designated folder in an S3 bucket
Which of the following should be implemented to meet these requirements? (Select TWO.)
A. Use third-party Single Sign-On (SSO) solutions such as Okta, OneLogin, or Atlassian Crowd.
B. Configure an IAM role and an IAM policy to access the bucket.
C. Set up a federation proxy or an identity provider (IdP) and use AWS Security Token Service (STS) to generate temporary tokens.
D. Create a matching IAM user for each of the 1,200 employees who need access to the S3 bucket.
E. Use Amazon WorkDocs to map each employee to their designated folder in S3.
Correct Answers:
✅ B. Configure an IAM role and an IAM policy to access the bucket.
✅ C. Set up a federation proxy or an identity provider (IdP) and use AWS Security Token Service (STS) to generate temporary tokens.
Explanation:
To integrate Active Directory (AD) or LDAP with AWS S3 and enforce user-specific access controls, the best approach is:
✔ IAM Roles & Policies (Option B) – IAM roles define the permissions employees need, while IAM policies ensure users can only access their assigned folder in S3.
✔ Federation with STS (Option C) – Instead of creating 1,200 separate IAM users, the company can use AWS Security Token Service (STS) with a federation proxy or identity provider (IdP). This allows employees to use their corporate AD credentials for temporary access to S3.
Why Not the Other Options?
❌ A. Third-party SSO Solutions – While services like Okta or OneLogin provide SSO, they do not enforce user-specific access restrictions in S3. AWS STS and IAM policies are still required for access control.
❌ D. Creating 1,200 IAM Users – Managing 1,200 individual IAM users is inefficient and not scalable. Using STS-based federation is the best practice.
❌ E. Amazon WorkDocs – WorkDocs is a separate document collaboration service, not a tool for managing S3 folder access.
By implementing IAM roles, IAM policies, and federation with STS, the company can achieve secure, scalable, and cost-effective SSO integration with per-user access control in Amazon S3.
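The per-user access control of options B and C comes down to one role policy that uses a policy variable, so every employee gets the same policy but a different folder. The following is an added example, not code from the original page: it assumes the employees reach S3 through a SAML-federated role (so `${saml:sub}` resolves to the employee's NameID in each session), and the bucket name `corp-user-docs`, the `home/<NameID>/` layout and the two employees are constructed sample data. A small local evaluator substitutes the variable and shows which requests the policy allows and which it implicitly denies.

```python
"""Per-employee S3 folder policy with a local allow/deny check.

Added example (not from the original page). Assumes a SAML-federated IAM
role, so ``${saml:sub}`` is the employee's NameID in each session; bucket
name, folder layout and employees are constructed sample data.
"""
import fnmatch
from typing import Dict, List, Optional

BUCKET = "corp-user-docs"  # constructed sample bucket name

# One policy on the federated role serves all 1,200 employees: the variable
# is resolved per session, so each employee only reaches home/<NameID>/.
PER_USER_FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyOwnFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["home/${saml:sub}/*"]}},
        },
        {
            "Sid": "ReadWriteOwnFolder",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/home/${{saml:sub}}/*",
        },
    ],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _substitute(template: str, session: Dict[str, str]) -> str:
    """Resolve ${key} policy variables from the session's context keys."""
    for key, value in session.items():
        template = template.replace("${" + key + "}", value)
    return template


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    # fnmatch treats '[' as a character class; IAM does not, so escape it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy: Dict, session: Dict[str, str], action: str,
               resource: str, prefix: Optional[str] = None) -> bool:
    """Minimal evaluator: explicit Allow statements only, implicit deny otherwise.

    Supports the subset used above: Action/Resource wildcards, policy
    variables, and a StringLike condition on s3:prefix.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(_substitute(r, session), resource)
                   for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            # A ListBucket call without a prefix never satisfies the condition.
            if prefix is None or not any(_matches(_substitute(p, session), prefix)
                                         for p in _as_list(wanted)):
                continue
        return True
    return False


def demo() -> Dict[str, bool]:
    """Constructed sessions for two employees; returns each access decision."""
    alice = {"saml:sub": "alice@corp.example"}
    bob = {"saml:sub": "bob@corp.example"}
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    alice_doc = f"{bucket_arn}/home/alice@corp.example/report.docx"
    return {
        "alice_reads_own_doc": is_allowed(PER_USER_FOLDER_POLICY, alice, "s3:GetObject", alice_doc),
        "bob_reads_alice_doc": is_allowed(PER_USER_FOLDER_POLICY, bob, "s3:GetObject", alice_doc),
        "alice_lists_own_folder": is_allowed(PER_USER_FOLDER_POLICY, alice, "s3:ListBucket",
                                             bucket_arn, prefix="home/alice@corp.example/"),
        "alice_lists_whole_bucket": is_allowed(PER_USER_FOLDER_POLICY, alice, "s3:ListBucket",
                                               bucket_arn),
        "alice_deletes_bob_doc": is_allowed(PER_USER_FOLDER_POLICY, alice, "s3:DeleteObject",
                                            f"{bucket_arn}/home/bob@corp.example/notes.txt"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {'ALLOW' if decision else 'DENY'}")
```

The evaluator is deliberately small and only models the statements above; the real IAM engine also applies explicit Deny, bucket policies and other condition operators. The point it demonstrates is that access control lives in the role's policy, not in the IdP: swapping Okta or AD FS in front of the role changes who can sign in, not which folder they can reach.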
Question #3
A cybersecurity firm has developed a real-time threat monitoring system running in both development and production AWS accounts. A junior security engineer currently has access to the development account but has been temporarily approved to access the production account.
The access requirements are as follows:
✔ Limited-duration access (no permanent credentials)
✔ Write permissions for Amazon EC2 and Amazon S3
✔ Access should be secure and automatically revoked after a set period
Which of the following allows the engineer to obtain temporary security credentials for accessing AWS resources?
A. Use AWS IAM Identity Center (AWS SSO)
B. Use AWS Security Token Service (STS) to assume a role in the production account.
C. Use Amazon Cognito to generate JSON Web Tokens (JWT) for authentication.
D. All of the above.
Correct Answer:
✅ B. Use AWS Security Token Service (STS) to assume a role in the production account.
Explanation:
The best way to grant temporary access to the production account while maintaining security is by using AWS Security Token Service (STS).
✔ STS issues short-lived credentials, ensuring access is automatically revoked after the defined session duration.
✔ The engineer can assume an IAM role in the production account to get temporary access to EC2 and S3.
✔ This follows AWS best practices for granting least privilege access while reducing the risk of credential leakage.
Why Not the Other Options?
❌ A. AWS IAM Identity Center (AWS SSO) – While AWS SSO enables user authentication across multiple AWS accounts, it does not provide temporary access tokens like STS does.
❌ C. Amazon Cognito – Cognito is designed for web and mobile application authentication, not for granting IAM role access to AWS services.
❌ D. All of the above – Incorrect because only STS meets the requirement of issuing temporary security credentials for IAM users.
By using AWS STS, the security engineer can securely assume a role in the production account and access only the necessary AWS resources for a limited time, ensuring a secure and controlled access mechanism.
Question #4
A Solutions Architect is responsible for managing a company’s AWS environment, which includes approximately 300 IAM users. Due to a new company policy, the access permissions for 100 IAM users who manage Amazon S3 buckets need to be updated.
The architect wants to implement this change efficiently without manually updating each user’s permissions.
Which of the following is the best approach to simplify access management?
A. Create a new IAM role and add each user to the IAM role.
B. Create a new S3 bucket policy that grants full access to each IAM user.
C. Create a new IAM policy and apply it to multiple IAM users using a shell script.
D. Create a new IAM group, add the relevant users to the group, and attach the required policy to the group.
Correct Answer:
✅ D. Create a new IAM group, add the relevant users to the group, and attach the required policy to the group.
Explanation:
The best way to efficiently manage permissions for multiple users in AWS IAM is to use IAM groups.
✔ IAM groups simplify permissions management by allowing the Solutions Architect to apply policies once to the group instead of updating each user individually.
✔ This approach is scalable and maintainable, making it easier to manage permissions if more users require S3 access in the future.
✔ IAM policies attached to a group automatically apply to all members.
Why Not the Other Options?
❌ A. Create an IAM role and add users to it – IAM roles cannot be directly assigned to users. Instead, IAM roles are designed for temporary access or for services assuming a role, not for managing user access within an AWS account.
❌ B. Create a new S3 bucket policy granting full access – This is not a best practice because:
- A bucket policy applies at the bucket level, not per user.
- Granting full access to every user is a security risk and violates the principle of least privilege.
❌ C. Apply a policy using a shell script – While possible, manually applying policies to each user using a script is still less efficient than managing permissions through an IAM group.
By using IAM groups, the Solutions Architect can quickly and efficiently apply access policies to multiple users, ensuring security, consistency, and scalability.
Question #5
A company needs to integrate its on-premises Lightweight Directory Access Protocol (LDAP) directory service with AWS IAM to enable authentication and access control.
However, the company’s identity store is not compatible with SAML, meaning SAML-based federation cannot be used.
Which of the following provides the most valid approach to integrating LDAP with AWS IAM?
A. Use an IAM policy that references the LDAP identifiers and AWS credentials.
B. Use AWS IAM Identity Center (AWS SSO) to manage access between AWS and your LDAP.
C. Develop an on-premises custom identity broker application and use AWS Security Token Service (STS) to issue short-lived AWS credentials.
D. Use IAM roles to rotate the IAM credentials whenever LDAP credentials are updated.
Correct Answer:
✅ C. Develop an on-premises custom identity broker application and use AWS Security Token Service (STS) to issue short-lived AWS credentials.
Explanation:
Since the LDAP directory is not compatible with SAML, the best approach is to:
✔ Develop a custom identity broker that can authenticate users against LDAP and then request temporary security credentials from AWS Security Token Service (STS).
✔ The identity broker allows users to log in with their LDAP credentials, then maps them to AWS IAM roles dynamically.
✔ STS issues short-lived credentials, providing a secure and scalable solution.
This method allows seamless authentication between LDAP and AWS, even without SAML support.
Why Not the Other Options?
❌ A. Use an IAM policy referencing LDAP identifiers – IAM policies do not natively integrate with LDAP. IAM does not support referencing LDAP identifiers directly.
❌ B. Use AWS IAM Identity Center (AWS SSO) – AWS IAM Identity Center requires SAML-based federation or Active Directory integration, which is not an option in this scenario.
❌ D. Use IAM roles to rotate credentials – IAM roles are not designed to sync with LDAP credential updates. IAM credentials do not map directly to LDAP users.
By using an identity broker application with AWS STS, the company can successfully integrate its LDAP-based authentication system with AWS IAM, ensuring secure and temporary access to AWS resources.
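The broker pattern from Question #5 and the time-boxed access from Question #3 share one mechanism: authenticate the person elsewhere, map them to an IAM role, and let STS AssumeRole issue credentials that expire on their own. The following is an added example, not code from the original page or from AWS: the directory and the STS client are injected so it runs offline, `FakeDirectory` and `FakeSts` are constructed stand-ins (the fake answers in the real AssumeRole response shape), the account id and role names are placeholders, and the group-to-role mapping and user records are invented for the demo. Swapping `FakeSts` for `boto3.client("sts")` gives the same call.

```python
"""Custom identity broker issuing short-lived AWS credentials.

Added example (not from the original page). Directory and STS client are
injected; FakeDirectory/FakeSts are constructed stand-ins, account id and
role names are placeholders, and the mapping below is invented.
"""
import datetime as dt
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCOUNT_ID = "123456789012"     # placeholder account id
MAX_SESSION_SECONDS = 3600      # broker policy: every session expires within 1 hour
MIN_SESSION_SECONDS = 900       # AssumeRole's minimum DurationSeconds

# Directory group -> IAM role in the production account (constructed mapping).
GROUP_TO_ROLE: Dict[str, str] = {
    "cloud-engineers": f"arn:aws:iam::{ACCOUNT_ID}:role/ProdEc2S3Writer",
    "auditors": f"arn:aws:iam::{ACCOUNT_ID}:role/ProdReadOnly",
}


class BrokerError(Exception):
    """Raised when the broker refuses to issue credentials."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP bind plus group lookup."""
    users: Dict[str, Dict]  # username -> {"password": str, "groups": [str]}

    def authenticate(self, username: str, password: str) -> Optional[List[str]]:
        entry = self.users.get(username)
        if entry is None or entry["password"] != password:
            return None
        return list(entry["groups"])


@dataclass
class FakeSts:
    """Constructed stand-in for boto3's STS client: records each AssumeRole
    call and answers in the real response shape, expiry taken from DurationSeconds."""
    now: dt.datetime = dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc)
    calls: List[Dict] = field(default_factory=list)

    def assume_role(self, **kwargs) -> Dict:
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
            "SecretAccessKey": "<placeholder>",
            "SessionToken": "<placeholder>",
            "Expiration": self.now + dt.timedelta(seconds=kwargs["DurationSeconds"]),
        }}


def session_name_for(username: str) -> str:
    """RoleSessionName allows only word characters and + = , . @ - (max 64).
    It is recorded in CloudTrail, so derive it from the directory username."""
    cleaned = re.sub(r"[^\w+=,.@-]", "_", username)[:64]
    return cleaned if len(cleaned) >= 2 else cleaned + "__"


def broker_credentials(directory, sts, username: str, password: str,
                       requested_seconds: int = MAX_SESSION_SECONDS) -> Dict:
    """Authenticate against the directory, pick the mapped role, return the
    temporary credentials STS issues. No long-lived key is ever created."""
    groups = directory.authenticate(username, password)
    if groups is None:
        raise BrokerError("directory authentication failed")
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        raise BrokerError(f"{username} is in no group mapped to an AWS role")
    if len(roles) > 1:
        # Refuse rather than guess; a real broker would let the user choose.
        raise BrokerError(f"{username} maps to several roles: {roles}")
    # Clamp the lifetime so a caller cannot stretch a session past broker policy.
    duration = max(MIN_SESSION_SECONDS, min(requested_seconds, MAX_SESSION_SECONDS))
    response = sts.assume_role(RoleArn=roles[0],
                               RoleSessionName=session_name_for(username),
                               DurationSeconds=duration)
    return response["Credentials"]


def demo() -> Dict[str, object]:
    """Constructed directory with one mapped engineer and one unmapped intern."""
    directory = FakeDirectory(users={
        "j.doe": {"password": "correct-horse-battery", "groups": ["staff", "cloud-engineers"]},
        "intern": {"password": "summer2025", "groups": ["staff"]},
    })
    sts = FakeSts()
    creds = broker_credentials(directory, sts, "j.doe", "correct-horse-battery",
                               requested_seconds=8 * 3600)  # asks for 8h, gets 1h
    outcomes: Dict[str, object] = {
        "role_assumed": sts.calls[0]["RoleArn"],
        "session_name": sts.calls[0]["RoleSessionName"],
        "granted_seconds": sts.calls[0]["DurationSeconds"],
        "expires_at": creds["Expiration"].isoformat(),
    }
    for user, pw in (("intern", "summer2025"), ("j.doe", "wrong-password")):
        try:
            broker_credentials(directory, sts, user, pw)
            outcomes[f"{user}_denied"] = False
        except BrokerError:
            outcomes[f"{user}_denied"] = True
    return outcomes
```

Two defensive choices are worth noting. The broker clamps `DurationSeconds` itself rather than trusting the caller, so the expiry in the returned `Credentials` is the revocation: nothing has to be cleaned up when the engineer's window closes. And the `RoleSessionName` is derived from the directory username, which is what ties the resulting CloudTrail events back to a person even though no IAM user exists.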