Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in distinguishing between direct integrations and identity federation with minimal operational overhead. In production, this is about knowing precisely how AWS services natively support identity federation without reinventing the wheel or creating fragile custom brokers. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
TechSphere, a rapidly growing software house, is developing a multifaceted web application using Amazon EC2 instances, S3 buckets for storage, and AWS Lambda functions for serverless workflows. Employees need seamless access to the AWS Management Console without managing separate AWS credentials. TechSphere maintains an on-premises Microsoft Active Directory (AD) which stores and manages all employee credentials and roles. Access levels to AWS resources must strictly map to each employee’s role defined in their AD groups. The company requires a solution that meets these needs with the least operational overhead.
The Requirement: #
Provide employees with role-based, federated access to the AWS Management Console using their existing on-premises AD credentials, minimizing custom systems and administrative complexity.
The Options #
- A) Configure AWS Directory Service for Microsoft Active Directory and establish a trust relationship with the on-premises AD. Create IAM roles with trust policies to permit employee access to AWS resources.
- B) Use LDAP protocols to directly integrate the on-premises AD with AWS IAM, mapping AD groups to IAM roles for resource access control.
- C) Develop a custom identity broker to authenticate users against the on-premises AD and request temporary credentials via AWS Security Token Service (STS) for access to AWS.
- D) Configure Amazon Cognito to federate users into the on-premises AD. Use Cognito user pools to manage user identities and provide access to AWS resources.
Google adsense #
leave a comment:
Correct Answer #
A
Quick Insight: The Developer Imperative #
Federated access via AWS Directory Service’s AD Connector or Managed AD is a native integration that minimizes operational complexity by leveraging an existing trust relationship. Avoid custom brokers (C) or unsupported direct LDAP-to-IAM integrations (B), as they increase maintenance and complexity. Cognito (D) is best for web/mobile app user identity management, not seamless AWS Console SSO with on-prem AD.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
Option A leverages AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD or AD Connector) to create a trust relationship with the on-premises AD. This allows seamless single sign-on (SSO) for employees using their existing AD credentials to access AWS resources without managing separate identities. IAM roles are used to define granular permissions linked to AD groups, adhering to the principle of least privilege and role-based access control. This approach requires minimal custom infrastructure or ongoing maintenance.
- Native integration ensures stability and security.
- Supports fine-grained IAM role mapping.
- Minimal operational overhead since AD trusts are managed.
- Supports AWS Management Console access with familiar credentials.
The Trap (Distractor Analysis): #
- B (LDAP to IAM): AWS does not support direct LDAP integration into IAM for role mapping. This approach is not natively supported and requires building and maintaining custom solutions, introducing complexity.
- C (Custom Identity Broker): While feasible, building and maintaining a custom broker that authenticates against AD and calls AWS STS introduces significant operational overhead and potential security risks. This violates the “least operational overhead” requirement.
- D (Amazon Cognito User Pools): Cognito is optimized for authenticating application users (e.g., customers). It does not provide direct AWS console SSO federated access to AWS resources using on-premises AD credentials.
The Technical Blueprint #
# Example CLI command to create a trust relationship with an existing on-premises AD domain using AWS Directory Service:
aws ds create-microsoft-ad \
--name corp.example.com \
--password "AdminPassword123!" \
--vpc-settings SubnetIds=subnet-12345,subnet-67890
# Example snippet of IAM role trust policy referencing AWS SSO via AD Connector
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/AD_SSO_FederatedRole"
},
"Action": "sts:AssumeRole"
}
]
}
The Comparative Analysis #
| Option | API Complexity | Operational Overhead | Use Case Fit | Risk Factors |
|---|---|---|---|---|
| A | Low | Low | Enterprise AD SSO with AWS console | Requires AD trust setup |
| B | High | High | Unsupported direct LDAP to IAM mapping | Unsupported, fragile integration |
| C | High | Very High | Custom authentication broker | Complex, maintenance-intensive |
| D | Medium | Medium | Cognito identity management (app users) | Not suitable for AWS console SSO |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick AWS Directory Service with AD trust when you see federated AWS Console access using existing on-premises Active Directory credentials.
Real World #
In real projects, sometimes organizations add additional identity brokers for complex multi-cloud or multi-idP scenarios. But for the exam, focus on AWS native directory service integrations that minimize overhead.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the AWS DVA-C02 exam.