A company wishes to enable Single Sign On (SSO) so its employees can login to the management console using their corporate directory identity. Which steps below are required as part of the process? Select 2 answers from the options given below.
Please select:

• A.Create a Direct Connect connection between on-premise network and AWS. Use an AD connector for connecting AWS with on-premise active directory.
• B.Create IAM policies that can be mapped to group memberships in the corporate directory.
• C.Create a Lambda function to assign IAM roles to the temporary security tokens provided to the users.
• D.Create IAM users that can be mapped to the employees' corporate identities
• E.Create an IAM role that establishes a trust relationship between IAM and the corporate directory identity provider (IdP)

Correct Answer: A,E

Create a Direct Connect connection so that corporate users can access the AWS account
Option B is incorrect because IAM policies are not directly mapped to group memberships in the corporate directory. It is IAM roles which are mapped.
Option C is incorrect because Lambda functions is an incorrect option to assign roles.
Option D is incorrect because IAM users are not directly mapped to employees' corporate identities.
For more information on Direct Connect, please refer to below URL:
' https://aws.amazon.com/directconnect/
From the AWS Documentation, for federated access, you also need to ensure the right policy permissions are in place
Configure permissions in AWS for your federated users
The next step is to create an IAM role that establishes a trust relationship between IAM and your organization's IdP that identifies your IdP as a principal (trusted entity) for purposes of federation. The role also defines what users authenticated your organization's IdP are allowed to do in AWS. You can use the IAM console to create this role. When you create the trust policy that indicates who can assume the role, you specify the SAML provider that you created earlier in IAM along with one or more SAML attributes that a user must match to be allowed to assume the role. For example, you can specify that only users whose SAML eduPersonOrgDN value is ExampleOrg are allowed to sign in. The role wizard automatically adds a condition to test the saml:aud attribute to make sure that the role is assumed only for sign-in to the AWS Management Console. The trust policy for the role might look like this:

For more information on SAML federation, please refer to below URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enabli
Note:
What directories can I use with AWS SSO?
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
To connect to your on-premises directory with AD Connector, you need the following:
VPC
Set up a VPC with the following:
* At least two subnets. Each of the subnets must be in a different Availability Zone.
* The VPC must be connected to your on-premises network through a virtual private network (VPN) connection or AWS Direct
Connect.
* The VPC must have default hardware tenancy.
* https://aws.amazon.com/single-sign-on/
* https://aws.amazon.com/single-sign-on/faqs/
* https://aws.amazon.com/bloj using-corporate-credentials/
* https://docs.aws.amazon.com/directoryservice/latest/admin-
The correct answers are: Create a Direct Connect connection between on-premise network and AWS. Use an AD connector connecting AWS with on-premise active directory.. Create an IAM role that establishes a trust relationship between IAM and corporate directory identity provider (IdP)
Submit your Feedback/Queries to our Experts

Comment: *

Name: *

Email: *

Verification: *

An Amazon EC2 instance is denied access to a newly created AWS KMS CMK used for decrypt actions. The environment has the following configuration:
* The instance is allowed the kms:Decrypt action in its IAM role for all resources
* The AWS KMS CMK status is set to enabled
* The instance can communicate with the KMS API using a configured VPC endpoint What is causing the issue?

• A.The kms:GenerateDataKey permission is missing from the EC2 instance's IAM role
• B.The ARN tag on the CMK contains the EC2 instance's ID instead of the instance's ARN
• C.The kms:Encrypt permission is missing from the EC2 IAM role
• D.The KMS CMK key policy that enables IAM user permissions is missing

Comment: *

Name: *

Email: *

Verification: *

A Security Administrator at a university is configuring a fleet of Amazon EC2 instances. The EC2 instances are shared among students, and non-root SSH access is allowed. The Administrator is concerned about students attacking other AWS account resources by using the EC2 instance metadata service.
What can the Administrator do to protect against this potential attack?

• A.Install the Amazon Inspector agent on the instances.
• B.Disable the EC2 instance metadata service.
• C.Log all student SSH interactive session activity.
• D.Implement ip tables-based restrictions on the instances.

Comment: *

Name: *

Email: *

Verification: *

An company is using AWS Secrets Manager to store secrets that are encrypted using a CMK and are stored in the security account 111122223333. One of the company's production accounts. 444455556666, must to retrieve the secret values from the security account 111122223333. A security engineer needs to apply a policy to the secret in the security account based on least privilege access so the production account can retrieve the secret value only.
Which policy should the security engineer apply?

• A.Option C
• B.Option D
• C.Option B
• D.Option A

Comment: *

Name: *

Email: *

Verification: *

Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use the Systems Manager for patching servers. Which of the following is a pre-requisite for this to work; Please select:

• A.Ensure that the on-premise servers are running on Hyper-V.
• B.Ensure that an 1AM service role is created
• C.Ensure that an 1AM User is created
• D.Ensure that an 1AM Group is created for the on-premise servers

Comment: *

Name: *

Email: *

Verification: *