Examice

Exam SAP-C02 All QuestionsBrowse all questions from this exam

Question 370

A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database.

The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application.

Which solution will meet these requirements?

Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.

Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (ldP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALSpecify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.

Add the directory as a new IAM identity provider (ldP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the ldP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.

Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (ldP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.

Correct Answer: B

The company needs to authenticate users to an internal web application using AWS Directory Service for Microsoft Active Directory. One of the most appropriate solutions is to utilize Amazon Cognito, which can federate identities from the directory service. Configuring an Amazon Cognito user pool with a federated identity provider using metadata from the directory allows seamless integration with the existing Active Directory. Creating an app client associated with this user pool and a listener rule for the ALB specifying the authenticate-cognito action will ensure users are authenticated correctly. This setup meets the requirement of leveraging the existing AWS Directory Service for user authentication.

Discussion

ayadmawlaOption: B

There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

gustori99Option: B

D is complete nonsense. Don't know why so many people are voting for it. "Configure a role policy that allows access to the ALB" - Come on, guys. ALB is accessed via http or https. You can restrict access via security groups not roles. Also cognito is mentioned in D but cognito is not connected to to the SAML provider. So B is the correct answer.

GibaSP45Option: D

If the question were an internet web application I would go with B but as the question says it is an intranet application and internal database I would go with D, I don't think Cognito is the best answer.

DanyelBlood

The scenario says it in this part "The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory". For this reason, Cognito is the best option

VerRiOption: B

A: The Active Directory directory does not use OIDC. B: Make sense. C: Cannot add the directory as a new IAM IdP. D: Why "authenticate-cognito action"

DgixOption: B

A: Doesn't support OIDC directly. B: ALBs can interface directly to Cognito. The correct answer. C: Rubbish, as IAM doesn't directly interface to any AD. D: Mixes things up royally.

ftawsOption: D

They have already AD so we have to use SSO.

MegalodonBoladoOption: B

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

seetptOption: B

B vote

seetptOption: B

B vote

career360guruOption: D

Option D

ftaws

refer to below. 46 I am on the Amazon Cognito team. Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap.

ayadmawlaOption: A

Answer is A - There is already an AWS Active Directory running in the account. So this is simply about creating a client for the application to authenticate against this AD (inside AWS). There is no need to use Cognito, nor is threre a need to setup connectivity to an on-premises AD using IAM Centre. Client Applications can use OIDC (Open ID Connect) which is a web standard for user authentication.

ayadmawla

Change answer to B I take that back as I was thinking of Microsoft Azure which offers OIDC Authentication but Microsoft AD does not. There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

vip2Option: B

ALB Authenticate users through corporate identities, using SAML, OpenID Connect (OIDC), or OAuth, through the user pools supported by Amazon Cognito. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

9f02c8d

Option B

seetpt

I vote for B

TonytheTigerOption: D

Option D: Per AWS doc " An Amazon Cognito user pool is a user directory for web and mobile app authentication and authorization. " . The question states " The company hosts an intranet web application". So, you can't select Cognito https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html

JOKERO

Attach the new role to all groups ???