By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For AWS Solutions Architect – Associate (SAA-C03) & Real-World Deployments
You’re a cloud engineer at a mid-sized company migrating from on-prem Active Directory (AD) to AWS. Your CTO demands: - Single sign-on (SSO) for 500 employees across AWS, Salesforce, and internal apps.- Seamless access to EC2 Windows instances without managing local passwords.- Compliance (HIPAA/SOC2) requiring centralized identity logs.
If you ignore this subtopic:- Employees juggle 10+ passwords → security risks (password reuse) and helpdesk tickets.- EC2 Windows instances become unmanageable (no AD integration → manual local accounts).- AWS IAM becomes a bottleneck (no group-based access for non-AWS apps).
If you master it:- One identity for AWS, SaaS apps, and on-prem resources.- Automated user provisioning (e.g., new hire gets access to everything on Day 1).- Cost savings (no need to run your own AD servers in EC2).
Real-world scenario:You inherit a legacy AWS environment where developers use IAM users for everything. Your task: Replace this with federated access (Okta → AWS) and AD integration for Windows workloads.
example.com
corp.example.com
Goal: Employees log in to Okta → get AWS Console access via SAML.
CORP
SecurePassword123!
Verify success:
aws ds describe-directories --directory-ids <YOUR_DIRECTORY_ID>
Look for "Stage": "Active".
"Stage": "Active"
EmployeeUserPool
WebAppClient
us-east-1_abc123
aws cognito-idp list-user-pools --max-results 10
AWS SSO
https://signin.aws.amazon.com/saml
urn:amazon:webservices
https://aws.amazon.com/SAML/Attributes/Role
arn:aws:iam::<ACCOUNT_ID>:role/OktaSSORole,arn:aws:iam::<ACCOUNT_ID>:saml-provider/Okta
https://aws.amazon.com/SAML/Attributes/RoleSessionName
user.email
okta-metadata.xml
Create SAML Provider: bash aws iam create-saml-provider \ --saml-metadata-document file://okta-metadata.xml \ --name Okta Note the ARN (e.g., arn:aws:iam::123456789012:saml-provider/Okta).
bash aws iam create-saml-provider \ --saml-metadata-document file://okta-metadata.xml \ --name Okta
arn:aws:iam::123456789012:saml-provider/Okta
Create IAM Role for Okta: ```bash cat > trust-policy.json <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::123456789012:saml-provider/Okta" }, "Action": "sts:AssumeRoleWithSAML", "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } } } ] } EOF
aws iam create-role --role-name OktaSSORole --assume-role-policy-document file://trust-policy.json 3. Attach permissions (e.g., `ReadOnlyAccess` for testing):bash aws iam attach-role-policy --role-name OktaSSORole --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess ```
3. Attach permissions (e.g., `ReadOnlyAccess` for testing):
OktaSSORole
aws sts get-caller-identity
Output should show the assumed role (not an IAM user).
AWS-DevTeam
Environment=Prod
Owner=DevOps
SAML:aud
❌ "IAM" (trick answer).
"How do you give temporary AWS access to a contractor via Okta?"
❌ "Create an IAM user" (wrong for contractors).
"Which Cognito feature stores user data?"
"You need to give 100 employees SSO access to AWS Console and Salesforce. Which service do you use?"- ✅ AWS SSO (simplest for AWS + SaaS apps).- ❌ "Cognito" (overkill for enterprise SSO).- ❌ "IAM users" (scalability nightmare).
You have a React app where users sign in with Google. After login, they should get temporary AWS credentials to upload files to S3. How do you set this up?
S3UploadRole
Why it works:- User Pool handles Google auth.- Identity Pool exchanges the Google token for AWS credentials.
aws ds create-microsoft-ad --name corp.example.com --password SecurePassword123! --vpc-settings VpcId=vpc-123,SubnetIds=subnet-1,subnet-2
aws ds create-computer --directory-id d-1234567890 --computer-name EC2Instance --password SecurePassword123!
aws cognito-idp create-user-pool --pool-name EmployeeUserPool
aws iam create-saml-provider --saml-metadata-document file://okta-metadata.xml --name Okta
aws sts assume-role-with-saml --role-arn arn:aws:iam::123456789012:role/OktaSSORole --principal-arn arn:aws:iam::123456789012:saml-provider/Okta --saml-assertion <BASE64_SAML_RESPONSE>
<region>_<id>
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.