Which two approaches can satisfy these objectives?
(Choose two.)
Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.
The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.
Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.
The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket.
The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket.
Explanations:
Developing an identity broker that authenticates against IAM Security Token Service (STS) does not align with the requirement to authenticate against the on-premises LDAP server. The approach focuses on AWS IAM rather than LDAP. Additionally, there’s no direct mention of retrieving S3 permissions for each user, making it unsuitable.
This option accurately describes a process where the application first authenticates against the LDAP server, retrieves the corresponding IAM role for that user, and then uses the IAM STS to assume that role. This method allows the application to obtain temporary credentials specific to the user, granting access to their designated S3 bucket.
This approach is valid as it establishes an identity broker that authenticates against LDAP and then uses IAM STS to retrieve IAM federated user credentials. This enables the application to access the appropriate S3 bucket based on the user’s identity, fulfilling the requirements for both LDAP authentication and S3 access control.
This option is incorrect because it suggests that the application can log into IAM using LDAP credentials, which is not feasible. IAM does not accept LDAP credentials directly for authentication, as it relies on AWS IAM user or role policies. The method of logging into IAM does not comply with the stated requirement.
Similar to option D, this option incorrectly suggests that IAM STS can authenticate using LDAP credentials. IAM STS does not support LDAP authentication directly. Instead, it requires either IAM users or federated users created through an identity broker, making this approach invalid.
In my opinion, the answer is:
The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access the appropriate S3 bucket.