Question 54: You have data in S3 buckets and a 100-member analytics team in your organization. You are using the Athena service so that users can query the data stored in the S3 buckets. You already have Microsoft Active Directory in your organization for user authentication and authorization. What will you do so that users from your organization can execute queries?

1. You will create a new IAM user for each analytics team member.

2. You will create a new IAM role for each analytics team member.

3. You will create a new IAM group for each analytics team member.

4. You will create a federated service to use the Security Token Service (STS).

5. You will use OIDC (OpenID Connect).

Correct Answer: 4

Explanation: Many organizations have standardized on centralized user management, most commonly Microsoft Active Directory or LDAP, and access to AWS resources is no exception. Amazon Athena is a serverless query engine for data on Amazon S3 that is popular for quick and cost-effective queries of data in a data lake. To allow users or applications to access Athena, an AWS access key ID and secret access key are required, and the appropriate policies are enforced on those credentials. To maintain a consistent authorization model across the organization, authentication and authorization for Athena should be done with federated users. Temporary security credentials ensure that access keys to protected AWS resources are properly rotated, so potential credential leaks can be caught and remedied. AWS STS generates these per-use temporary access keys.

Temporary security credentials work similarly to the long-term access key credentials that your IAM users can use. However, temporary security credentials have the following differences:

They are intended for short-term use only. You can configure these credentials to last from a few minutes to several hours, with a maximum of 12 hours. After they expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

They are not stored with the user. They are generated dynamically and provided to the user when requested. When or before they expire, the user can request new credentials, if they still have permissions to do so.

Option 5 mentions OIDC (OpenID Connect), which is not correct, because OIDC is used when you want to authenticate users with OpenID identity providers such as Google or Facebook accounts. That is not the requirement here.

Options 1, 2, and 3: Creating an IAM user, group, or role for each member is not a viable option in this case, as we can integrate the existing directory service instead.
