A Developer is creating a web application that will be used by employees working from home. The company uses a SAML directory on-premises for storing user information. The Developer must integrate with the SAML directory and authorize each employee to access only their own data when using the application. Which approach should the Developer take?
WHY A IS False?
Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.
This does not integrate with the SAML directory, which the question requires, and managing a unique IAM role for each employee would be very difficult.
WHY B IS True?
Amazon Cognito identity pool
Amazon Cognito leverages IAM roles to generate temporary credentials for your application’s users. Access to permissions is controlled by a role’s trust relationships.
Identity pools are for authorization (access control). You can use identity pools to create unique identities for users and give them access to other AWS services. In this example, the Developer must limit access to specific identities in the SAML directory. The Developer can create a trust policy with an IAM condition key that limits access to a specific set of app users.
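The following CloudFormation template is an added example, not part of the original answer or of any AWS documentation. It shows the two policies the explanation above refers to: a trust policy that lets only federated identities from one Cognito identity pool (and only those that actually authenticated, i.e. came through the SAML IdP) assume the role, and a permissions policy that scopes each employee to their own data using the `${cognito-identity.amazonaws.com:sub}` policy variable. The identity pool ID is a placeholder, and the `EmployeeData` DynamoDB table (with the Cognito identity ID as its partition key) is an assumption made for the example; configuring the SAML provider on the identity pool itself is not shown.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - authenticated role for a Cognito identity pool, scoped to each user's own items

Parameters:
  IdentityPoolId:
    Type: String
    Description: Placeholder value; a real identity pool ID has the form <region>:<uuid>
    Default: "us-east-1:00000000-0000-0000-0000-000000000000"
  EmployeeDataTableArn:
    Type: String
    Description: Assumed DynamoDB table whose partition key is the caller's Cognito identity ID
    Default: "arn:aws:dynamodb:us-east-1:123456789012:table/EmployeeData"

Resources:
  AuthenticatedEmployeeRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Cognito identity pool service may assume this role,
      # and only on behalf of identities from THIS pool (aud) that are authenticated (amr).
      # Unauthenticated/guest identities never match the amr condition.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPoolId
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: OwnItemsOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Permissions policy: the caller may only touch items whose partition key
              # equals their own Cognito identity ID, so "only their own data" is enforced
              # by IAM rather than trusted to application code.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                Resource: !Ref EmployeeDataTableArn
                Condition:
                  ForAllValues:StringEquals:
                    dynamodb:LeadingKeys:
                      - "${cognito-identity.amazonaws.com:sub}"

  # Tell the identity pool to hand out this role for authenticated identities.
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt AuthenticatedEmployeeRole.Arn
```

The two condition keys in the trust policy are what keep a credential from one identity pool (or a guest identity in the same pool) from landing in this role; the `dynamodb:LeadingKeys` condition is what turns "authorized employee" into "authorized for exactly one employee's rows". If the application stores data under any key other than the Cognito identity ID, the `LeadingKeys` condition must be changed to match that key, otherwise every request is denied.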
WHY C IS False?
VPC endpoint & SAML Directory
You cannot provide access to an on-premises SAML directory using a VPC endpoint.
WHY D IS False?
Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.
User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP).
A user pool can be used to authenticate but the identity pool is used to provide authorized access to AWS services.
1. "authorize each employee to access only their own data when using the application" - to authorize Amazon Cognito user pools should be used.