
SCS-C03 Question #15: Real Exam Question with Answer & Explanation

The correct answer is A: Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM).

Submitted by neha2k · Mar 6, 2026

Question

A company stores infrastructure and application code in web-based, third-party, Git-compatible code repositories outside of AWS. The company wants to give the code repositories the ability to securely authenticate and assume an existing IAM role within the company's AWS account by using OpenID Connect (OIDC). Which solution will meet these requirements?

Options

  • A. Create an OIDC identity provider (IdP) by using AWS Identity and Access Management (IAM)
  • B. Use AWS Identity and Access Management (IAM) Roles Anywhere to create a trust anchor that
  • C. Set up an account instance of AWS IAM Identity Center. Configure access to the code
  • D. Use AWS Resource Access Manager (AWS RAM) to create a new resource share that uses

Explanation

AWS IAM supports identity federation by allowing external identity providers that use OpenID Connect (OIDC) to authenticate and assume IAM roles. According to the AWS Certified Security - Specialty documentation, IAM OIDC identity providers are the recommended approach for enabling third-party systems, such as external CI/CD pipelines or Git-based repositories, to securely obtain temporary AWS credentials without using long-term access keys. By creating an OIDC identity provider in IAM and configuring the IAM role trust policy to trust the external IdP, the company enables secure, token-based authentication. The trust policy can include conditions that restrict which repositories, branches, or workflows are allowed to assume the role, enforcing least privilege. AWS Security Specialty guidance emphasizes that this method eliminates static credentials and relies on short-lived tokens issued by the OIDC provider. Option B is incorrect because IAM Roles Anywhere is designed for workloads running outside AWS that use X.509 certificates, not OIDC. Option C is intended for workforce identity federation, not machine-to-machine authentication. Option D is invalid because AWS RAM does not provide identity federation or authentication capabilities. This solution aligns with AWS best practices for secure, scalable, and low-overhead authentication for external workloads.
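The following is an added example, not part of the exam page and not AWS's own code. It shows what the explanation describes in concrete form: the role trust policy that trusts an IAM OIDC identity provider, with an `aud` condition bound to the audience registered on the provider and a `sub` condition that pins the role to specific repositories and branches. It then simulates, offline, how those conditions gate an `sts:AssumeRoleWithWebIdentity` call for several constructed tokens, so you can see which claims pass and which are rejected. The account id, the issuer host `oidc.git.example.com` and the `repo:<org>/<repo>:ref:<ref>` subject layout are all placeholders; a real provider documents its own `sub` format, and the real provisioning is done with IAM `CreateOpenIDConnectProvider` and `UpdateAssumeRolePolicy` (or CloudFormation), which this script deliberately does not call.

```python
"""Build an IAM role trust policy for an external OIDC identity provider and
simulate how IAM evaluates its conditions against the claims of a token presented
to sts:AssumeRoleWithWebIdentity. Added example; all names are constructed."""
import fnmatch
import json

# Placeholders: the AWS documentation example account id and a made-up OIDC
# issuer host for the third-party Git service (IAM stores the host without https://).
ACCOUNT_ID = "123456789012"
OIDC_HOST = "oidc.git.example.com"
# Audience (client id) the provider is registered with in IAM.
AUDIENCE = "sts.amazonaws.com"
# Subject claims allowed to assume the role. The "repo:<org>/<repo>:ref:<ref>"
# layout is a constructed convention; each provider documents its own sub format.
ALLOWED_SUBJECTS = [
    "repo:example-org/infra:ref:refs/heads/main",
    "repo:example-org/app:ref:refs/heads/main",
]


def build_trust_policy(account_id=ACCOUNT_ID, oidc_host=OIDC_HOST,
                       audience=AUDIENCE, subjects=ALLOWED_SUBJECTS):
    """Return the role trust policy as a dict (json.dumps it to attach to the role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    # aud must equal the client id registered on the IdP in IAM
                    "StringEquals": {f"{oidc_host}:aud": audience},
                    # sub restricts the role to specific repositories and branches
                    "StringLike": {f"{oidc_host}:sub": list(subjects)},
                },
            }
        ],
    }


def _matches(operator, expected, actual):
    """Simplified IAM condition matching: a list of expected values matches
    when any single value matches. StringLike supports * and ? wildcards."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return any(v == actual for v in values)
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported condition operator {operator}")


def token_may_assume_role(policy, claims):
    """Simulate the trust-policy check on decoded token claims ('iss', 'aud', 'sub').
    Token signature validation is assumed to have already succeeded; this models
    only principal matching and condition evaluation. True if an Allow statement matches."""
    issuer_host = claims["iss"].removeprefix("https://").rstrip("/")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt["Principal"].get("Federated", "")
        if federated.rsplit("oidc-provider/", 1)[-1] != issuer_host:
            continue  # token was issued by a provider this role does not trust
        all_ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim_name = key.split(":", 1)[1]  # "<host>:aud" -> "aud"
                if not _matches(operator, expected, claims.get(claim_name, "")):
                    all_ok = False
        if all_ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy()
    print(json.dumps(policy, indent=2))
    # Constructed tokens: the main branch of an allowed repo, and a feature branch.
    good = {"iss": f"https://{OIDC_HOST}", "aud": AUDIENCE,
            "sub": "repo:example-org/infra:ref:refs/heads/main"}
    bad = dict(good, sub="repo:example-org/infra:ref:refs/heads/feature-x")
    print("main branch allowed:", token_may_assume_role(policy, good))
    print("feature branch allowed:", token_may_assume_role(policy, bad))
```

The `sub` list is where least privilege lives: a token from the same Git host but for a different repository, a different branch, or a different organisation is refused before any AWS permission policy is consulted, and widening the match with a wildcard (for example `repo:example-org/*:ref:refs/heads/main`) widens the blast radius in the same way it widens the match. Because no long-lived key exists, rotating or revoking access is a matter of editing this policy or the provider registration.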

Community Discussion

No community discussion yet for this question.
