🔥 3-day streak
AWS Certified Security - Specialty69 / 157
Question 69 of 157
A company uses a custom identity broker that authenticates employees against an on-premises Active Directory and then calls AWS STS AssumeRole to grant temporary credentials. All employees assume the same IAM role, DataAnalystRole, which has permissions to read all objects in a large S3 data lake. Compliance now requires that each analyst session be dynamically scoped so a user can only access the S3 prefix for their assigned business unit, WITHOUT creating a separate IAM role per business unit and WITHOUT modifying the DataAnalystRole's attached identity policy. What should the identity broker do when calling STS?
Reviewed for accuracy · Report an issueNext question