AWS Federated User Access to Management Console | SCS-C01 Exam Answer

Configuring SAML 2.0 IdP for ADFS Identity Provider in AWS

Question

You have an ADFS identity provider, and you need to configure the SAML 2.0-compliant IdP and AWS to permit federated users to access the AWS Management Console.

You create an IAM role for federated users to assume.

Its trust policy is as follows:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {
          "saml:edupersonorgdn": "Example",
          "saml:aud": "https://signin.aws.amazon.com/saml"
        }}
      }]
    }

Which part of the IAM trust policy ensures that the IAM role is assumed only for sign-in to the AWS Management Console?

Answers

Explanations


A. B. C. D.

Answer: A.

Option A is CORRECT because the IAM condition key saml:aud checks the endpoint URL to which SAML assertions are presented.

Option B is incorrect because the Principal determines which identity provider can assume the role, but not the endpoint URL to which SAML assertions are presented.

Option C is incorrect because the condition key saml:edupersonorgdn specifies that only users whose SAML eduPersonOrgDN attribute has the value Example can assume the role; it says nothing about where the assertion is presented.

Option D is incorrect because the Action field determines that the role is assumed via SAML (sts:AssumeRoleWithSAML). However, it does not limit the sign-in to the AWS Management Console.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.htm

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif

The IAM trust policy is used to specify who is allowed to assume the IAM role and under what conditions they are allowed to assume the role. The trust policy consists of a set of statements, each of which contains an "Effect" that specifies whether the statement allows or denies access, a "Principal" that specifies the entity that is allowed or denied access, an "Action" that specifies the AWS service API action that is allowed or denied, and a "Condition" that specifies the circumstances under which the action is allowed or denied.

In the given IAM trust policy, the "Effect" is "Allow", which means that the statement allows access. The "Principal" is the SAML identity provider specified by its Amazon Resource Name (ARN), which means that only federated users authenticated by this SAML identity provider are allowed to assume the IAM role. The "Action" is "sts:AssumeRoleWithSAML", which means that the federated user is allowed to assume the IAM role using SAML. The "Condition" contains two key-value pairs, "saml:edupersonorgdn": "Example" and "saml:aud": "https://signin.aws.amazon.com/saml", which specify the conditions under which the federated user is allowed to assume the IAM role.

The answer to the question is (A) "saml:aud": "https://signin.aws.amazon.com/saml". This is because the "saml:aud" condition specifies the audience of the SAML assertion, which in this case is the AWS Management Console sign-in page. This condition ensures that the IAM role is assumed only for sign-in to the AWS Management Console. If the "saml:aud" condition is not met, the federated user will not be able to assume the IAM role and access the AWS Management Console.

The "saml:edupersonorgdn": "Example" condition specifies an attribute in the SAML assertion that must match a specified value, and is not directly related to accessing the AWS Management Console. This condition can be used to further restrict access to specific users or groups based on their SAML attributes.

The "Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"} specifies the SAML identity provider that is allowed to authenticate the federated users and is required for federated access.

The "Action": "sts:AssumeRoleWithSAML" specifies the API action that allows the federated user to assume the IAM role using SAML.
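To make the reasoning above concrete, here is an added example (not part of the original page, and not AWS's policy engine) that evaluates the question's trust policy against a few constructed request contexts. It implements only the pieces the policy uses: a Federated principal, the Action, and StringEquals conditions on the saml:aud and saml:edupersonorgdn keys. The helper names (condition_matches, can_assume, without_condition_key), the ACCOUNT placeholder in the provider ARN and the sample contexts are all assumptions made for this example; the audience value "urn:example:other-service-provider" is a constructed stand-in for any endpoint other than the console sign-in URL.

```python
import copy
import json

# The trust policy from the question, with the page's ACCOUNT placeholder kept as-is.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {
      "saml:edupersonorgdn": "Example",
      "saml:aud": "https://signin.aws.amazon.com/saml"
    }}
  }]
}
""")

PROVIDER_ARN = "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"
ACTION = "sts:AssumeRoleWithSAML"

# Constructed request contexts: the condition keys that a SAML-based
# AssumeRole request would populate from the assertion.
CONSOLE_CONTEXT = {"saml:aud": "https://signin.aws.amazon.com/saml",
                   "saml:edupersonorgdn": "Example"}
OTHER_AUD_CONTEXT = {"saml:aud": "urn:example:other-service-provider",  # constructed
                     "saml:edupersonorgdn": "Example"}
OTHER_ORG_CONTEXT = {"saml:aud": "https://signin.aws.amazon.com/saml",
                     "saml:edupersonorgdn": "SomeoneElse"}


def _as_list(value):
    """IAM allows a single string or a list of strings in most fields."""
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals conditions against a request
    context. Condition keys are compared case-insensitively, as IAM does.
    For StringEquals, a key missing from the context fails the condition."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def can_assume(policy, provider_arn, action, context):
    """Simplified trust-policy evaluation: a matching explicit Deny wins,
    otherwise at least one Allow whose Principal, Action and Condition all
    match is required. Only the Federated principal type is modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if provider_arn not in principals:
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def without_condition_key(policy, key):
    """Return a copy of the policy with one condition key removed, so the
    effect of a single key (here saml:aud) can be isolated."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        for pairs in stmt.get("Condition", {}).values():
            pairs.pop(key, None)
    return p


if __name__ == "__main__":
    for name, ctx in [("console", CONSOLE_CONTEXT), ("other audience", OTHER_AUD_CONTEXT),
                      ("other org", OTHER_ORG_CONTEXT)]:
        print(f"{name:15s} full policy -> {can_assume(TRUST_POLICY, PROVIDER_ARN, ACTION, ctx)}")
    relaxed = without_condition_key(TRUST_POLICY, "saml:aud")
    print(f"other audience  without saml:aud -> {can_assume(relaxed, PROVIDER_ARN, ACTION, OTHER_AUD_CONTEXT)}")
```

Run as a script, it shows that the full policy admits only the console context, and that once the saml:aud key is dropped the same policy also admits an assertion presented to a different endpoint, which is exactly why the Principal, Action and saml:edupersonorgdn condition (options B, D and C) do not by themselves restrict the role to console sign-in.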