You are creating an Elasticsearch cluster using Amazon Elasticsearch Service (Amazon ES). Once the Amazon ES domain is established, you plan to use the default Kibana instance provided by Amazon ES to visualize the data. The security team raises concerns on how to control access to Kibana. How would you address the concern properly?

Answer options:

A.Users can directly access Kibana through their AWS credentials. No extra actions are required.
B.Enable SAML authentication for Kibana so that you can use the existing identity provider to offer single sign-on (SSO) for Kibana on Amazon Elasticsearch Service (Amazon ES) domains.
C.Create an IAM group with read/write permissions on Kibana and include the IAM users in the group.
D.Edit the "config/kibana.yml" file in Amazon ES and assign the permissions to IAM users or roles.

Correct Answer: B
Option A is incorrect because the permissions on Kibana are not automatically assigned. There are multiple ways to control access to Kibana. Check the reference in https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-kibana.html#es-kibana-access.
Option B is CORRECT because enabling SAML authentication for Kibana provides a single sign-on (SSO). It is a proper way to control access. Users can configure it in the Amazon Elasticsearch Service:
Option C is incorrect because Kibana does not natively support IAM users and roles. There is no IAM permission for Kibana either.
Option D is incorrect because the file "config/kibana.yml" cannot be used to assign IAM permissions for Kibana.
References:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-kibana.html#es-kibana-access,
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html