Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket?
(Choose three.)
Setting up a federation proxy or identity provider
Using AWS Security Token Service to generate temporary tokens
Tagging each folder in the bucket
Configuring an IAM role
Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket
Explanations:
Setting up a federation proxy or identity provider allows for Single Sign-On (SSO) between your corporate Active Directory (AD) or LDAP directory and AWS services. This ensures that users can authenticate using their corporate credentials.
AWS Security Token Service (STS) can generate temporary credentials, allowing users to access S3 without needing permanent AWS credentials. This is crucial for managing session-based access securely.
Tagging folders in an S3 bucket does not directly help with restricting access to individual user folders. IAM policies or S3 bucket policies would be more relevant for access control based on user identity.
Configuring an IAM role ensures that the correct permissions are granted to users for accessing specific S3 resources. Roles are essential for defining which resources users can access and under what conditions.
Creating individual IAM users for every corporate user is not scalable or efficient in this context, as the goal is to leverage SSO. IAM roles linked to federated users should be used instead.
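As an added illustration, not part of the original question or its explanations, this is the shape of the permissions policy attached to the federated IAM role described above: the bucket name `example-corp-bucket` is a placeholder, and `${aws:userid}` is the IAM policy variable that resolves to the assumed-role session identity, so every federated session can only list and touch its own prefix.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-corp-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "home/${aws:userid}/",
            "home/${aws:userid}/*"
          ]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnFolderOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-corp-bucket/home/${aws:userid}/*"
    }
  ]
}
```

Because the variable is evaluated per request from the STS session, one role serves every directory user without a per-user IAM identity; the folder keys must be created using the same `role-id:session-name` form that `${aws:userid}` resolves to for a role session.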