Question #1196
A company collaborates with external partners who use their own identity provider (IdP). The company needs to grant these partners secure access to specific AWS resources without requiring them to create new AWS credentials.
Which AWS service should be used to fulfill this requirement?
A. AWS Directory Service
B. Amazon Cognito
C. AWS IAM Identity Center
D. AWS Resource Access Manager (AWS RAM)
Explanation
The correct answer is C. AWS IAM Identity Center.
Why C is correct:
AWS IAM Identity Center (formerly AWS Single Sign-On) can use an external SAML 2.0 identity provider as its identity source, with SCIM provisioning to mirror the partner's users and groups into Identity Center. Partners sign in at their own IdP; Identity Center then issues temporary credentials for the permission sets assigned to them, which it provisions as IAM roles in the target accounts. No IAM users, passwords or long-term access keys are created on the AWS side, which is exactly what the requirement asks for.
Why other options are incorrect:
- A. AWS Directory Service: provides managed Microsoft AD (or AD Connector to an on-premises AD) and can itself serve as an identity source for IAM Identity Center, but it does not broker SAML federation with an external partner IdP.
- B. Amazon Cognito: authenticates end users of your own web and mobile applications; identity pools can exchange those identities for temporary AWS credentials, but that is scoped to application traffic and is not the service for giving partner staff workforce access to AWS resources.
- D. AWS RAM: shares resources such as subnets or transit gateways with other AWS accounts or organizations; it has no authentication or federation role and cannot consume a partner IdP.
Key Points:
- Use IAM Identity Center with the external SAML 2.0 IdP as its identity source; SCIM provisioning keeps partner users and groups in sync.
- Grant access by assigning permission sets to those users or groups in specific accounts, and scope the permission set's policy to the specific resources the partner needs.
- Sessions use temporary credentials bounded by the permission set's session duration, so no IAM users or long-term access keys are created for partners.
- An Identity Center instance has one identity source at a time, so confirm that the partner IdP fits that topology before onboarding.
Answer
The correct answer is: C
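To make the explanation concrete, here is an added example (not code from the page or from AWS) of the administrator-side work once the partner IdP is the Identity Center identity source: an AWS CLI script that grants a SCIM-provisioned partner group read-only access to one S3 bucket in one account. It assumes IAM Identity Center is enabled, SCIM has already created the group, and the CLI is authenticated as an Identity Center administrator; the permission set name PartnerS3ReadOnly, the bucket and group names, and the DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not code from the page or from AWS): grant one partner group,
# provisioned into IAM Identity Center from the partner's own SAML/SCIM identity
# source, read-only access to a single S3 bucket in a single account.
# Assumptions: Identity Center is enabled with the partner IdP as identity source,
# SCIM has already synced the group, and the AWS CLI is authenticated as an
# Identity Center administrator. Names such as PartnerS3ReadOnly are placeholders.
#
# Usage: ./partner-access.sh <account-id> <bucket-name> <idp-group-display-name>
# DRY_RUN=1 prints the AWS CLI calls instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
PERMISSION_SET_NAME="${PERMISSION_SET_NAME:-PartnerS3ReadOnly}"  # assumed name
SESSION_DURATION="${SESSION_DURATION:-PT1H}"   # ISO 8601; keep partner sessions short

# run CMD...: execute a side-effect-only CLI call, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lookup PLACEHOLDER CMD...: execute a call whose output is captured; in dry-run
# mode print the call to stderr and return PLACEHOLDER so later calls render readably.
lookup() {
  placeholder="$1"; shift
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*" >&2; printf '%s\n' "$placeholder"
  else
    "$@"
  fi
}

# inline_policy BUCKET: least-privilege policy for exactly one bucket. ListBucket
# applies to the bucket ARN and GetObject to the object ARN; no "*" resources.
inline_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListPartnerBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::$1"},
    {"Sid": "ReadPartnerObjects", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::$1/*"}
  ]
}
EOF
}

main() {
  account_id="$1"; bucket="$2"; group_name="$3"

  instance_arn=$(lookup '<instance-arn>' aws sso-admin list-instances \
    --query 'Instances[0].InstanceArn' --output text)
  store_id=$(lookup '<identity-store-id>' aws sso-admin list-instances \
    --query 'Instances[0].IdentityStoreId' --output text)

  # The group exists only because SCIM provisioning from the partner IdP created
  # it; nothing here creates users, passwords or access keys on the AWS side.
  group_id=$(lookup '<group-id>' aws identitystore get-group-id \
    --identity-store-id "$store_id" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"DisplayName\",\"AttributeValue\":\"$group_name\"}}" \
    --query GroupId --output text)

  # A permission set becomes an IAM role in each account it is assigned to;
  # sessions assumed through it last at most SESSION_DURATION.
  # (create-permission-set fails with ConflictException if the name already exists.)
  ps_arn=$(lookup '<permission-set-arn>' aws sso-admin create-permission-set \
    --instance-arn "$instance_arn" --name "$PERMISSION_SET_NAME" \
    --description "Partner read-only access to $bucket" \
    --session-duration "$SESSION_DURATION" \
    --query 'PermissionSet.PermissionSetArn' --output text)

  run aws sso-admin put-inline-policy-to-permission-set \
    --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
    --inline-policy "$(inline_policy "$bucket")"

  # The assignment provisions the role into the target account asynchronously;
  # track it with describe-account-assignment-creation-status if needed.
  run aws sso-admin create-account-assignment \
    --instance-arn "$instance_arn" --target-id "$account_id" --target-type AWS_ACCOUNT \
    --permission-set-arn "$ps_arn" --principal-type GROUP --principal-id "$group_id"
}

if [ $# -eq 3 ]; then
  main "$@"
else
  echo "usage: $0 <account-id> <bucket-name> <idp-group-display-name>" >&2
fi
```

Run it once with DRY_RUN=1 and review the printed calls before running it for real; the check worth keeping is that the inline policy names the bucket ARNs explicitly and never a "*" resource, and that the principal is the SCIM-synced GROUP rather than a user created by hand in Identity Center.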