WHY A IS False?
CONCEPT: Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.
This is not integrated with the SAML directory, which is a requirement of the question, and a unique IAM role per employee would be very difficult to manage.

WHY B IS True?
CONCEPT: Amazon Cognito identity pool
Amazon Cognito uses IAM roles to generate temporary credentials for your application's users. Which users may assume a role (and so obtain its permissions) is controlled by the role's trust relationships.
Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services. In this example, the Developer must limit access to specific identities in the SAML directory. The Developer can create a trust policy with an IAM condition key that limits access to a specific set of app users.
WHY D IS False?
CONCEPT: Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.
User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP).
A user pool can be used to authenticate, but an identity pool is what provides authorized access to AWS services.