Exam DOP-C02
Question 231

A company uses AWS Organizations to manage its AWS accounts. A DevOps engineer must ensure that all users who access the AWS Management Console are authenticated through the company’s corporate identity provider (IdP).

Which combination of steps will meet these requirements? (Choose two.)

    Correct Answer: B, E

    To ensure that all users who access the AWS Management Console are authenticated through the company’s corporate identity provider (IdP), you need to configure identity federation with SAML 2.0 using AWS IAM Identity Center (formerly AWS Single Sign-On) to enable SSO integration. Additionally, creating a Service Control Policy (SCP) in AWS Organizations to deny password creation for IAM users will enforce that users cannot log in directly with IAM credentials, ensuring they use SSO for authentication.
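
An SCP that denies password creation does not remove console passwords that already exist, and SCPs do not apply to the organization's management account, so the deny step is worth pairing with an audit. The following is an added example, not part of the original page: it checks that an SCP unconditionally denies both login-profile actions and lists IAM users that still have a console password according to an IAM credential report. The report rows, account ID and user names are constructed, and the function names are hypothetical.

```python
import csv
import io
import json
from fnmatch import fnmatchcase

REQUIRED = ("iam:CreateLoginProfile", "iam:UpdateLoginProfile")

# The SCP quoted in the discussion on this page.
SCP = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
  "Action": ["iam:CreateLoginProfile", "iam:UpdateLoginProfile"], "Resource": "*"}]}""")

# Constructed sample in the IAM credential report CSV layout (columns trimmed;
# the account ID and user names are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T10:00:00+00:00,true
alice,arn:aws:iam::111122223333:user/alice,true,2024-06-11T08:30:00+00:00,false
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,false,N/A,false
bob,arn:aws:iam::111122223333:user/bob,true,no_information,true
"""

def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def missing_denies(policy):
    """Return the REQUIRED actions that no unconditional Deny on "*" covers."""
    denied = set()
    for stmt in _as_list(policy["Statement"]):
        if (stmt.get("Effect") != "Deny" or "Condition" in stmt
                or "*" not in _as_list(stmt.get("Resource", []))):
            continue  # not a blanket deny, so do not count it
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain wildcards.
            denied.update(a for a in REQUIRED
                          if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED if a not in denied]

def users_with_console_password(report_csv):
    """Return IAM users that still have a console password."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["user"] != "<root_account>"  # root is not an IAM user
            and r["password_enabled"].strip().lower() == "true"]

if __name__ == "__main__":
    print("actions not denied:", missing_denies(SCP))
    print("users with console passwords:", users_with_console_password(SAMPLE_REPORT))
```

Users returned by the second function can still sign in with their existing IAM passwords until those login profiles are deleted.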

Discussion
KaranNishad (Options: BE)

BE is the answer.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "iam:CreateLoginProfile",
            "iam:UpdateLoginProfile"
          ],
          "Resource": "*"
        }
      ]
    }

tgv

---> BE

trungtd (Options: BE)

Of course B. E enforces that users cannot log in directly with IAM credentials. Instead, they must use the SSO setup provided by AWS IAM Identity Center, ensuring compliance with the requirement to authenticate through the corporate IdP.