Topic 1 Question 371
A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database.
The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application.
Which solution will meet these requirements?
Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.
Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (IdP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.
Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the IdP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.
Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (IdP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.
User votes
Comments (10)
- Selected answer: A
Answer A
Explanation:
- Creating a new app client in the directory will allow the company to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory
- Creating a listener rule for the ALB and specifying the authenticate-oidc action for the listener rule will ensure that all users with accounts in the directory have access to the application
👍 3
devalenzuela86 2023/11/22 - Selected answer: B
Amazon Cognito seamlessly integrates with AWS Directory Service for Microsoft Active Directory, allowing the use of existing directory accounts for authentication. The authenticate-cognito action on the ALB ensures that all incoming requests are authenticated against the Cognito user pool before being forwarded to the application. This approach centralizes user authentication and simplifies access management while leveraging the existing Active Directory.
👍 3
heatblur 2023/11/25 - Selected answer: D
Intranet - company-only website. No external users, only users within the organization. Aren't AWS IAM Identity Center and Active Directory a match made in heaven? Again, when it states Active Directory, I believe ADFS is implied. You technically can only integrate SAML 2.0 with ADFS directly.
👍 3
enk 2023/11/28