🔥 3-day streak
AWS Certified Security - Specialty166 / 184
Question 166 of 184

A company federates workforce users into AWS using IAM Identity Center-independent SAML federation directly to IAM. When users assume the role via AssumeRoleWithSAML, the identity provider passes a 'Department' attribute as a session tag. A downstream service team wants users, after assuming the initial federated role, to chain into a second role in another account that grants access only to resources tagged with the same Department value. During testing, the second AssumeRole call succeeds, but the ABAC conditions on the resource fail because the Department session tag is not present in the second session. What is the cause and the correct fix?

Reviewed for accuracy · Report an issueNext question