examptopics

Q21

A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company’s AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company’s AWS accounts. The company’s security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location. Which solution will meet these requirements?

A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs). B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity Center permission sets. C. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users. D. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.

생각들

B랑 A를 고민했는데, B는 AD에 관한 얘기가 없음 답은 A

풀이 및 공부

1번

처음보는 용어가 나와서 간단히 공부

SCIM(System for Cross-domain Identity Management) : ID 도메인과 IT 시스템 간의 사용자 ID 정보 교환을 자동화하기 위한 개방형 표준 프로토콜. AD에서 쓰는 것인가보다.

ABAC(attribute-based access control) : role-based access control 은 많이들어봤는데, abac는 첨들어본다. aws docs에 잘 소개가 되어있다.

2번

문제를 읽어보면 Identity Source 를 AD로 해야하는데 2번 문항에 Identity Source를 Identity Center로 한다해서 틀림

참고

• https://learn.microsoft.com/ko-kr/azure/active-directory/fundamentals/sync-scim
• https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/introduction_attribute-based-access-control.html
• https://www.okta.com/kr/identity-101/role-based-access-control-vs-attribute-based-access-control/