You have an ADFS identity provider, and you need to configure the SAML 2.0-compliant IdP and AWS to permit federated users to access the AWS Management Console. You create an IAM role for federated users to assume. Its trust policy is as follows:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {"StringEquals": {
"saml:edupersonorgdn": "Example",
"saml:aud": "https://signin.aws.amazon.com/saml"
}}
}]
}
Which part of the IAM trust policy ensures that the IAM role is assumed only for sign-in to the AWS Management Console?

Answer options:

A."saml:aud": "https://signin.aws.amazon.com/saml"
B."Principal": {"Federated": "arn:aws:iam::ACCOUNT:saml-provider/ExampleSSOProvider"}
C."saml:edupersonorgdn": "Example"
D."Action": "sts:AssumeRoleWithSAML"

Answer: A
Option A is CORRECT because the IAM condition key saml:aud checks the endpoint URL to which SAML assertions are presented.
Option B is incorrect because the Principal determines which identity provider can assume the role but not the endpoint URL where SAMl assertions are presented.
Option C is incorrect because the condition key saml:edupersonorgdn specifies that only users whose SAML eduPersonOrgDN whose value is Example can assume the role and not anyone else.
Option D is incorrect because the Action field determines that the role is used for SAML. However, it does not limit the sign-in to the AWS Management Console.
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.htm
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif