Question 230:
A company has an on-premises SAML 2.0-compliant IdP that authenticates its users. The on-premises servers are being migrated to AWS, and you need to establish the trust relationship between AWS resources and the local IdP. You have already created a SAML identity provider in IAM, and now you need to configure an IAM role that allows SAML-federated access to the AWS Management Console. Which of the trust policies below is correct for the IAM role?
Answer options:
A. {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Resource": {"IDP": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"},
    "Action": "sts:*"
  }]
}
B. {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"},
    "Action": "sts:AssumeRoleWithSAML"
  }]
}
C. {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"},
    "Action": "sts:AssumeRoleWithWebIdentity"
  }]
}
D. {
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Resource": {"Federated": "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"},
    "Action": "sts:AssumeRoleWithSAML"
  }]
}
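The check a practitioner would run before attaching any of these trust policies, written as an added example (not part of the original question): it encodes what a role trust policy for SAML federation has to contain (an Allow statement, the SAML provider ARN as the Federated principal, sts:AssumeRoleWithSAML as the only STS action, no Resource element) and runs it over the four options. Only option B passes. The check also flags, as a warning rather than an error, the missing SAML:aud condition that AWS's documented console-federation example carries; the hardened policy at the end adds it. The provider ARN is the placeholder from the question, the option strings are the options above with their JSON braces balanced, and the function and constant names are this example's own.

```python
"""Check candidate IAM role trust policies for SAML 2.0 federation (added example)."""
import json

# Placeholder provider ARN from the question; replace with the real saml-provider ARN.
PROVIDER_ARN = "arn:aws:iam::EXAMPLE-ACCOUNT-ID:saml-provider/ExampleOrgSSOProvider"
# Audience the IdP puts in assertions issued for AWS Management Console sign-in.
CONSOLE_SAML_AUD = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM accepts either a string or a list for Action, Federated, etc."""
    return value if isinstance(value, list) else [value]


def check_saml_trust_policy(policy_json, provider_arn=PROVIDER_ARN):
    """Return a list of (severity, message) findings for one trust policy.

    'error': the policy cannot let the named IdP assume the role.
    'warn':  the policy works but misses a hardening step.
    """
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [("error", f"not valid JSON: {exc}")]

    if policy.get("Version") != "2012-10-17":
        findings.append(("warn", "Version should be 2012-10-17"))

    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append(("error", "no Statement"))

    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") != "Allow":
            findings.append(("error", f"{where}: Effect must be Allow"))
        # A trust policy is attached to the role; the role is the implicit resource.
        if "Resource" in st:
            findings.append(("error", f"{where}: a role trust policy has no Resource element"))
        principal = st.get("Principal")
        if principal is None:
            findings.append(("error", f"{where}: Principal missing; the IdP must be the trusted principal"))
        elif principal in ("*", {"AWS": "*"}):
            findings.append(("error", f"{where}: Principal '*' trusts every caller, not the IdP"))
        elif not isinstance(principal, dict) or provider_arn not in _as_list(principal.get("Federated", [])):
            findings.append(("error", f"{where}: Principal.Federated must be {provider_arn}"))
        actions = _as_list(st.get("Action", []))
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(("error", f"{where}: wildcard STS action over-grants; name sts:AssumeRoleWithSAML only"))
        elif "sts:AssumeRoleWithSAML" not in actions:
            findings.append(("error", f"{where}: Action must be sts:AssumeRoleWithSAML "
                                      "(AssumeRoleWithWebIdentity is for OIDC providers)"))
        # Binding the audience stops an assertion minted for another SP being replayed here.
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != CONSOLE_SAML_AUD:
            findings.append(("warn", f"{where}: add Condition StringEquals SAML:aud={CONSOLE_SAML_AUD}"))
    return findings


def is_correct_saml_trust_policy(policy_json, provider_arn=PROVIDER_ARN):
    """True when the policy has no 'error' findings (warnings are tolerated)."""
    return not any(sev == "error" for sev, _ in check_saml_trust_policy(policy_json, provider_arn))


# The four answer options from the question, with balanced braces.
OPTION_A = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Resource": {"IDP": "%s"}, "Action": "sts:*"}]}''' % PROVIDER_ARN
OPTION_B = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "%s"}, "Action": "sts:AssumeRoleWithSAML"}]}''' % PROVIDER_ARN
OPTION_C = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "%s"}, "Action": "sts:AssumeRoleWithWebIdentity"}]}''' % PROVIDER_ARN
OPTION_D = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
  "Resource": {"Federated": "%s"}, "Action": "sts:AssumeRoleWithSAML"}]}''' % PROVIDER_ARN

# Option B plus the audience condition from AWS's console-federation example.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": CONSOLE_SAML_AUD}},
    }],
})

if __name__ == "__main__":
    for name, pol in [("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C),
                      ("D", OPTION_D), ("hardened", HARDENED_POLICY)]:
        print(f"{name}: {'OK' if is_correct_saml_trust_policy(pol) else 'REJECT'}")
        for sev, msg in check_saml_trust_policy(pol):
            print(f"  [{sev}] {msg}")
```

Run it with `python3 check_trust.py`; it prints OK for B and the hardened policy and REJECT with the reasons for A, C and D. Only B is functionally correct, and even B still gets the SAML:aud warning, so the hardened form is what you would actually attach to the role.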