Question 37: You are working in an investment bank that has almost 30 different departments, and each department has its own IT workforce. A single shared S3 bucket has been created in which various data is placed for analysis. In the bucket, data is segregated per department using specific prefixes, so each department should only be able to access the data it has permissions for. Your organization already has a Microsoft Active Directory solution in place for authentication and authorization, and you want to leverage that same Active Directory data and use single sign-on so that each employee in a department's IT team can access the department's data in the S3 bucket. Which of the following options will achieve this?

1. You will create a new IAM Group for each department and then sync each department's configuration with this IAM Group.

2. You will update the bucket policy so that users from Active Directory can access the data.

3. You will use Active Connect to sync the Active Directory data with IAM Groups and IAM Users.

4. You will create an IAM Role for each department and then assign that role in Active Directory.

5. You will use IAM federation and, for each group in Active Directory, you will create a new IAM Role.

Correct Answer : 5 Exp : AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log in to the AWS Management Console or call AWS API operations without an IAM user being created for everyone in your organization. By using SAML, you simplify configuring federation with AWS, because you can use the IdP's service instead of writing custom identity-proxy code. Options 1 and 3 are wrong because they create or sync IAM users and groups, which is exactly what federation avoids; option 2 is wrong because a bucket policy cannot reference Active Directory users directly; option 4 is wrong because an IAM role is not assigned inside Active Directory, it is mapped to an AD group in the SAML assertion.
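As an added illustration (not part of the original question, and not text from AWS's documentation), this is what the trust policy of one per-department role looks like. The role trusts the SAML provider registered in IAM, and the `SAML:aud` condition checks that the assertion was issued for the AWS sign-in endpoint rather than for some other service the same IdP serves. The account ID `111122223333`, the provider name `CorpAD` and the idea of one role per AD group (here the finance department) are assumptions made for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFinanceADGroupToAssumeViaSAML",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/CorpAD"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The AD group to role mapping is not configured on the AWS side: a claim rule in the IdP emits the `https://aws.amazon.com/SAML/Attributes/Role` attribute with the value `arn:aws:iam::111122223333:role/Finance-S3,arn:aws:iam::111122223333:saml-provider/CorpAD` for members of the finance group, and STS only honours roles whose trust policy names that provider.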

With identity federation, each employee obtains temporary credentials for their department's role while identity itself stays managed in Active Directory: the IdP's SAML assertion names the role that corresponds to the user's AD group, and STS returns short-lived credentials for that role. You have to create one IAM role per department whose permissions policy allows access only to that department's prefix in the bucket, and the temporary credentials are then used to access objects under that prefix. The `s3:ListBucket` permission deserves care: it is granted on the bucket ARN, not on a key, so without an `s3:prefix` condition a department could list every other department's object keys even if it could not read them.
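As an added example (mine, not the original page's) of the per-department permissions policy attached to the role above, this document lets the finance role list and read only the `finance/` prefix of the shared bucket. The bucket name `bank-shared-analysis` and the prefix `finance/` are assumptions for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bank-shared-analysis",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["finance/*"]
        }
      }
    },
    {
      "Sid": "ReadOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::bank-shared-analysis/finance/*"
    }
  ]
}
```

The two statements are deliberately separate: `s3:ListBucket` is evaluated against the bucket resource and is scoped by the `s3:prefix` request parameter, while `s3:GetObject` is evaluated against the object ARN and is scoped by the key pattern. Granting `s3:*` on the bucket ARN, a common shortcut, would defeat the prefix segregation the question describes.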
