Which solution will meet these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company is using an on-premises Active Directory service for user authentication.The company wants to use the same authentication service to sign in to the company’s AWS accounts, which are using AWS Organizations.AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company’s AWS accounts.The company’s security policy requires conditional access to the accounts based on user groups and roles.User identities must be managed in a single location.

Which solution will meet these requirements?

Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross- domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).

Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using AWS SSO permission sets.

In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.

In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.

Explanations:

AWS Single Sign-On (AWS SSO) can integrate with Active Directory via SAML 2.0, allowing for centralized user management. The use of SCIM v2.0 enables automatic provisioning of users, and attribute-based access controls (ABAC) allow conditional access based on user attributes, satisfying the security policy requirements.

While AWS SSO as an identity source does enable user management, it does not utilize the existing on-premises Active Directory setup. This option would require separate user identities in AWS SSO instead of leveraging the existing Active Directory, violating the requirement for a single identity management location.

Configuring IAM with a SAML 2.0 identity provider is feasible, but this option involves provisioning IAM users instead of leveraging federated access through AWS SSO. This would complicate user management and would not meet the requirement for single location identity management. Cross-account access also becomes more complex and cumbersome.

Similar to option C, this involves configuring IAM with an OIDC identity provider, which is not necessary since the requirement is to utilize the existing Active Directory. It also requires IAM roles and does not provide a centralized identity management solution, thus failing to meet the company’s requirements for user identity management.

2025-10-16

1 Comment

  1. Rachel
    Author

    I deduce that the answer is:
    Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross- domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve − 4 =