SAP-C02 第 21 题
题目
A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company’s AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company’s AWS accounts. The company’s security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location. Which solution will meet these requirements?
中文翻译:
一家公司正在使用本地 Active Directory 服务进行用户身份验证。该公司希望使用相同的身份验证服务登录该公司使用 AWS Organizations 的 AWS 账户。本地环境与公司的所有 AWS 账户之间已存在 AWS 站点到站点 VPN 连接。公司的安全策略要求根据用户组和角色对帐户进行有条件的访问。用户身份必须在单一位置进行管理。哪种解决方案可以满足这些要求?
选项
A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
中文翻译:
配置 AWS IAM Identity Center (AWS Single Sign-On) 以使用 SAML 2.0 连接到 Active Directory。使用跨域身份管理系统 (SCIM) v2.0 协议启用自动配置。使用基于属性的访问控制 (ABAC) 授予对 AWS 账户的访问权限。
B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity Center permission sets.
中文翻译:
使用 IAM Identity Center 作为身份源来配置 AWS IAM Identity Center (AWS Single Sign-On)。使用跨域身份管理系统 (SCIM) v2.0 协议启用自动配置。使用 IAM Identity Center 权限集授予对 AWS 账户的访问权限。
C. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
中文翻译:
在公司的 AWS 账户之一中,配置 AWS Identity and Access Management (IAM) 以使用 SAML 2.0 身份提供商。配置映射到联合用户的 IAM 用户。授予与 Active Directory 中相应组相对应的访问权限。使用跨账户 IAM 用户授予对所需 AWS 账户的访问权限。
D. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.
中文翻译:
在公司的 AWS 账户之一中,配置 AWS Identity and Access Management (IAM) 以使用 OpenID Connect (OIDC) 身份提供商。预置 IAM 角色,为与 Active Directory 中相应组相对应的联合用户授予对 AWS 账户的访问权限。使用跨账户 IAM 角色授予对所需 AWS 账户的访问权限。
答案
A
解析
正确答案:A 解析: 本题应选择 A。 正确选项: A. 配置 AWS IAM Identity Center (AWS Single Sign-On) 以使用 SAML 2.0 连接到 Active Directory。使用跨域身份管理系统 (SCIM) v2.0 协议启用自动配置。使用基于属性的访问控制 (ABAC) 授予对 AWS 账户的访问权限。 选择理由: 该选项最直接地满足题干中的关键约束。做 SAP-C02 题目时,需要同...