Free AWS DVA-C01 Actual Exam Questions - Question 1 Discussion
data center via IPSec VPN. The application must authenticate against the on-premises LDAP server.
Once authenticated, logged-in users can only access an S3 keyspace specific to the user.
Which two approaches can satisfy the objectives? Choose 2 answers
B/D? B fits because the app authenticates via LDAP, then assumes an IAM role with STS, which clearly aligns with AWS best practices for temporary creds. D works since building an identity broker to authenticate LDAP users and then get federated IAM credentials is a common pattern for integrating on-prem identity with AWS. A and C seem off because IAM doesn’t support direct LDAP auth. E looks overcomplicated and redundant since the identity broker should handle the LDAP part first before calling STS, not the other way around. So B and D feel like the practical, secure choices here.
B/D? The app authenticates with LDAP and then assumes an IAM role via STS, which fits B. D also makes sense since building an identity broker to federate LDAP users and get temporary AWS creds is a common pattern. A sounds off because IAM doesn’t really accept LDAP creds directly, so the app can’t just “log in” to IAM that way. C and E seem less likely since C incorrectly says you authenticate STS directly with LDAP creds, and E flips the flow by authenticating STS first, which doesn’t align with typical federation setups.
It’s B and D, because they match federated access patterns.