
SAP-C02 Exam - Question 370


A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database.

The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application.

Which solution will meet these requirements?

Correct Answer: B

The company needs to authenticate users to an internal web application against an existing AWS Directory Service for Microsoft Active Directory directory. The fitting solution is Amazon Cognito, which can federate identities from that directory. Configuring an Amazon Cognito user pool with a federated identity provider built from the directory's SAML metadata integrates the pool with the existing Active Directory, so every account in the directory can sign in. Creating an app client for this user pool and adding an ALB listener rule whose action is authenticate-cognito makes the load balancer authenticate users against the pool before forwarding requests to the application. This setup meets the requirement of using the existing AWS Directory Service directory for user authentication.
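As an added example (not from the page and not AWS's own code), the configuration that option B describes, expressed as boto3 parameter builders for the Cognito SAML identity provider and the ALB listener rule; the user pool ARN, app client id, domain prefix, target group ARN and metadata URL used with it are placeholders:

```python
"""Build the ALB -> Cognito user pool -> AWS Managed Microsoft AD (SAML)
authentication setup. Only apply() touches AWS; the builders run offline."""

# Values the ALB API accepts for OnUnauthenticatedRequest.
ON_UNAUTHENTICATED = {"deny", "allow", "authenticate"}
MAX_SESSION_TIMEOUT = 7 * 24 * 3600  # ALB caps the auth session at 7 days
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def saml_idp_params(user_pool_id, provider_name, metadata_url):
    """Parameters for cognito-idp create_identity_provider: the user pool trusts
    the directory's SAML federation metadata as a federated identity provider."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "SAML",
        "ProviderDetails": {"MetadataURL": metadata_url},
        "AttributeMapping": {"email": EMAIL_CLAIM},  # SAML claim -> pool attribute
    }


def cognito_auth_actions(user_pool_arn, app_client_id, user_pool_domain,
                         target_group_arn, session_timeout=3600,
                         on_unauthenticated="authenticate"):
    """Ordered actions for an ALB listener rule: authenticate-cognito first,
    then forward to the application. Rejects values the ALB API would refuse."""
    if on_unauthenticated not in ON_UNAUTHENTICATED:
        raise ValueError(f"bad OnUnauthenticatedRequest: {on_unauthenticated}")
    if not 1 <= session_timeout <= MAX_SESSION_TIMEOUT:
        raise ValueError("SessionTimeout must be between 1 second and 7 days")
    return [
        {"Type": "authenticate-cognito", "Order": 1,
         "AuthenticateCognitoConfig": {
             "UserPoolArn": user_pool_arn,
             "UserPoolClientId": app_client_id,
             "UserPoolDomain": user_pool_domain,  # hosted UI domain prefix
             "Scope": "openid",
             "SessionTimeout": session_timeout,
             "OnUnauthenticatedRequest": on_unauthenticated}},
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


def apply(listener_arn, priority, idp_params, actions):
    """Create the IdP and the listener rule (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the builders stay importable offline
    boto3.client("cognito-idp").create_identity_provider(**idp_params)
    return boto3.client("elbv2").create_rule(
        ListenerArn=listener_arn, Priority=priority,
        Conditions=[{"Field": "path-pattern", "Values": ["/*"]}],
        Actions=actions)
```

With on_unauthenticated="authenticate" every request without a valid session is redirected to the Cognito hosted UI, which in turn sends the user to the directory's SAML sign-in page.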

Discussion

17 comments
ayadmawla (Option: B)
Dec 19, 2023

There are two options either via Cognito or Auth0 and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

GibaSP45 (Option: D)
Dec 25, 2023

If the question were an internet web application I would go with B but as the question says it is an intranet application and internal database I would go with D, I don't think Cognito is the best answer.

DanyelBlood
Jan 4, 2024

The scenario says it in this part "The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory". For this reason, Cognito is the best option

gustori99 (Option: B)
Apr 2, 2024

D is complete nonsense. Don't know why so many people are voting for it. "Configure a role policy that allows access to the ALB" - Come on, guys. ALB is accessed via http or https. You can restrict access via security groups not roles. Also cognito is mentioned in D but cognito is not connected to the SAML provider. So B is the correct answer.

Dgix (Option: B)
Mar 20, 2024

A: Doesn't support OIDC directly. B: ALBs can interface directly to Cognito. The correct answer. C: Rubbish, as IAM doesn't directly interface to any AD. D: Mixes things up royally.

VerRi (Option: B)
Apr 1, 2024

A: The Active Directory directory does not use OIDC. B: Makes sense. C: Cannot add the directory as a new IAM IdP. D: Why "authenticate-cognito action"?

MegalodonBolado (Option: B)
Dec 14, 2023

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

ftaws (Option: D)
Jan 31, 2024

They already have AD so we have to use SSO.

ayadmawla (Option: A)
Dec 10, 2023

Answer is A - There is already an AWS Active Directory running in the account. So this is simply about creating a client for the application to authenticate against this AD (inside AWS). There is no need to use Cognito, nor is there a need to set up connectivity to an on-premises AD using IAM Centre. Client applications can use OIDC (OpenID Connect), which is a web standard for user authentication.

ayadmawla
Dec 19, 2023

Change answer to B. I take that back, as I was thinking of Microsoft Azure, which offers OIDC authentication, but Microsoft AD does not. There are two options, either via Cognito or Auth0, and then attach an IDP to one of them. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html https://aws.amazon.com/blogs/aws/built-in-authentication-in-alb/

ftaws
Jan 31, 2024

Refer to below: "I am on the Amazon Cognito team. Amazon Cognito is our identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution. AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory. We plan to integrate Cognito User Pools and AWS SSO as part of our roadmap."

career360guru (Option: D)
Mar 10, 2024

Option D

seetpt (Option: B)
May 3, 2024

B vote

JOKERO
Mar 17, 2024

Attach the new role to all groups ???

TonytheTiger (Option: D)
Apr 25, 2024

Option D: Per AWS doc: "An Amazon Cognito user pool is a user directory for web and mobile app authentication and authorization." The question states "The company hosts an intranet web application". So, you can't select Cognito. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html

seetpt
May 3, 2024

I vote for B

9f02c8d
Jun 2, 2024

Option B

vip2 (Option: B)
Jul 9, 2024

ALB: Authenticate users through corporate identities, using SAML, OpenID Connect (OIDC), or OAuth, through the user pools supported by Amazon Cognito. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html