Step 1: Creating an Identity Provider in IAMYou first need to configure AWS to trust the external identity provider (IdP), which in this case supports OpenID Connect (OIDC). The IdP will handle the authentication, and AWS will handle the authorization based on the IdP's token.
Action: Create an IAM Identity Provider (IdP) in AWS using the existing provider's URL, audience, and signature. This step is essential for establishing trust between AWS and the external IdP.
Why: This allows AWS to accept tokens from your external IdP (auth.company.com) for authentication.
[Reference: AWS documentation on IAM Identity Providers., So, this corresponds to Option B: Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP., Step 2: Creating an IAM Role with Specific PermissionsNext, you need to create an IAM role with a trust policy that allows the external IdP to assume it when certain conditions are met. Specifically, the trust policy needs to allow the role to be assumed based on the context key auth.company.com:aud (audience claim in the token)., Action: Create an IAM role that has the necessary permissions (e.g., Amazon S3 access). The role's trust policy should specify the OIDC IdP as the trusted entity and validate the audience claim (auth.company.com:aud), which comes from the token provided by the IdP., Why: This step ensures that only the specified web application authenticated via OIDC can assume the IAM role to make API calls., Reference: AWS documentation on OIDC and Role Assumption., This corresponds to Option D: Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role's trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp., Step 3: Using Temporary Credentials via AssumeRoleWithWebIdentity APITo securely make Amazon S3 API calls, the web application will need temporary credentials. The web application can use the AssumeRoleWithWebIdentity API call to assume the IAM role configured in the previous step and obtain temporary AWS credentials. These credentials can then be used to interact with Amazon S3., Action: The web application must be configured to call the AssumeRoleWithWebIdentity API operation, passing the OIDC token from the IdP to obtain temporary credentials., Why: This allows the web application to authenticate via the external IdP and then authorize access to AWS resources securely using short-lived credentials., Reference: AWS documentation on AssumeRoleWithWebIdentity., This corresponds to Option E: Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls., Summary of Selected Answers:, B: Create an IAM IdP by using the provider URL, audience, and signature from the existing IdP., D: Create an IAM role that has a policy that allows the necessary S3 actions. Configure the role’s trust policy to allow the OIDC IdP to assume the role if the auth.company.com:aud context key is appid_from_idp., E: Configure the web application to use the AssumeRoleWithWebIdentity API operation to retrieve temporary credentials. Use the temporary credentials to make the S3 API calls., This setup enables the web application to use OpenID Connect (OIDC) for authentication and securely interact with Amazon S3 in a specific AWS account using short-lived credentials obtained through AWS Security Token Service (STS)., , ]
