How can the developer provide authorized access for the employees who will be using this application so each employee can access their own application data only?

Posted by: Pdfprep Category: DVA-C01

A company has 25,000 employees and is growing. The company is creating an application that will be accessible to its employees only. A developer is using Amazon S3 to store images and Amazon RDS to store application data. The company requires that all employee information remain in the legacy Security Assertion Markup Language (SAML) employee directory only and is not interested in mirroring any employee information on AWS.

How can the developer provide authorized access for the employees who will be using this application so each employee can access their own application data only?
A. Use Amazon VPC and keep all resources inside the VPC, and use a VPC link for the S3 bucket with the bucket policy.
B. Use Amazon Cognito user pools, federate with the SAML provider, and use user pool groups with an IAM policy.
C. Use an Amazon Cognito identity pool, federate with the SAML provider, and use an IAM condition key with a value for the cognito-identity.amazonaws.com:sub variable to grant access to the employees.
D. Create a unique IAM role for each employee and have each employee assume the role to access the application so they can access their personal data only.

Answer: C

Explanation:

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html
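To show why answer C scales to 25,000 employees without a per-employee role, here is an added illustration (not from the original page, AWS documentation or any real deployment) of the single IAM policy an identity pool's authenticated role would carry, plus a small evaluator that substitutes the `cognito-identity.amazonaws.com:sub` policy variable the way IAM does. The bucket name, key layout and identity IDs are constructed for the example.

```python
import json
import fnmatch

# Assumed bucket and key layout: each employee's objects live under
# private/<identity-id>/ where <identity-id> is the unique value Cognito
# assigns to the SAML-federated user (exposed to IAM as the policy variable
# ${cognito-identity.amazonaws.com:sub}). Nothing about the employee is
# stored on AWS; only the identity ID appears in the key prefix.
BUCKET = "example-employee-app-bucket"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::" + BUCKET],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["private/${cognito-identity.amazonaws.com:sub}/*"]
                }
            },
        },
        {
            "Sid": "ReadWriteOwnObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::" + BUCKET + "/private/${cognito-identity.amazonaws.com:sub}/*"
            ],
        },
    ],
}


def is_allowed(identity_id: str, action: str, object_key: str) -> bool:
    """Toy evaluator (not an AWS API): resolve the policy variable for one
    caller, then look for an Allow statement whose Resource matches the
    requested object ARN. Anything not explicitly allowed is denied."""
    resource = "arn:aws:s3:::" + BUCKET + "/" + object_key
    for stmt in POLICY["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for pattern in stmt["Resource"]:
            resolved = pattern.replace("${cognito-identity.amazonaws.com:sub}", identity_id)
            if fnmatch.fnmatchcase(resource, resolved):
                return True
    return False  # IAM default deny


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(is_allowed("us-east-1:aaaa", "s3:GetObject", "private/us-east-1:aaaa/photo.png"))  # True
    print(is_allowed("us-east-1:aaaa", "s3:GetObject", "private/us-east-1:bbbb/photo.png"))  # False
```

The same one policy serves every employee because the variable is resolved at request time from the caller's federated identity, which is the property options B and D lack at this scale.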
