Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

The correct solution is to use the authenticate-oidc action for the ALB listener rule and configure it with the details of the AWS Directory Service for Microsoft Active Directory directory. This way, the ALB can use OpenID Connect (OIDC) to authenticate users against the directory and grant them access to the intranet web application. The app client in the directory is used to register the ALB as an OIDC client and provide the necessary credentials and endpoints. The callback URL is the URL that the ALB redirects the user to after a successful authentication. This solution does not require any additional services or roles, and it leverages the existing directory accounts for all users.

The other solutions are incorrect because they either use the wrong action for the ALB listener rule, or they involve unnecessary or incompatible services or roles. For example:

Solution B is incorrect because it uses Amazon Cognito user pool, which is a separate user directory service that does not integrate with AWS Directory Service for Microsoft Active Directory. To use this solution, the company would have to migrate or synchronize their users from the directory to the user pool, which is not required by the question. Moreover, the authenticate-cognito action for the ALB listener rule only works with Amazon Cognito user pools, not with federated identity providers (IdPs) that have metadata from the directory.

Solution C is incorrect because it uses IAM as an identity provider (IdP), which is not compatible with AWS Directory Service for Microsoft Active Directory. IAM can only be used as an IdP for web identity federation, which allows users to sign in with social media or other third-party IdPs, not with Active Directory. Moreover, the authenticate-oidc action for the ALB listener rule requires an OIDC IdP, not a SAML 2.0 federation IdP, which is what IAM provides.

Solution D is incorrect because it uses AWS IAM Identity Center (AWS Single Sign-On), which is a service that simplifies the management of SSO access to multiple AWS accounts and business applications. This service is not needed for the scenario in the question, which only involves a single intranet web application. Moreover, the authenticate-cognito action for the ALB listener rule does not work with external IdPs that use SAML, such as AWS IAM Identity Center.

Authenticate users using an Application Load Balancer

What is AWS Directory Service for Microsoft Active Directory?

Using OpenID Connect for user authentication

Comprehensive and Detailed Explanation:

This question tests knowledge of private access patterns to Amazon S3 from:

resources inside a VPC, and

users in an on-premises environment connected through Site-to-Site VPN.

The correct answer is B because the company has two different traffic sources with different endpoint requirements.

Why B is correct

For the EC2 instance inside the private VPC:

An S3 gateway endpoint is the standard and most cost-effective method for private access from resources in the VPC to Amazon S3. With a gateway endpoint, traffic from the VPC to S3 stays on the AWS network and does not require a NAT gateway or internet gateway. This satisfies the requirement to remove the NAT gateways for the application’s S3 access.

For the on-premises users over the Site-to-Site VPN:

Gateway endpoints are for use within the VPC and are not accessed from on-premises networks over VPN or Direct Connect. To allow on-premises clients to access S3 privately through the VPC, the architecture needs an S3 interface endpoint with private DNS enabled. Interface endpoints create elastic network interfaces in the VPC and can be reached privately from connected on-premises environments, assuming routing and DNS are configured correctly.

Therefore, the combination is required:

S3 gateway endpoint for VPC resources

S3 interface endpoint with private DNS for on-premises access through VPN

This design allows both the EC2 application and on-premises users to access S3 without using the public internet.

Why A is incorrect

An S3 gateway endpoint works for VPC resources, but it does not provide private access for on-premises users over Site-to-Site VPN. On-premises networks cannot route directly to a gateway endpoint in the way described. That makes A incomplete and incorrect.

Why C is incorrect

Mountpoint for Amazon S3 is a way to mount an S3 bucket for file-like access from an EC2 instance or similar compute environment. It does not solve the connectivity requirement for on-premises users, and it does not address the broader network design requirement of private S3 access without NAT gateways for all stated users. It also does not replace the need for appropriate VPC endpoint architecture.

Why D is incorrect

Storage Browser for S3 is not the solution to provide private network connectivity for an application and on-premises users. It is unrelated to the core architecture requirement. The question is asking about private access paths to S3, not a user interface or client-side browser tool.

Key design principle being tested

This question checks whether you know the distinction between:

S3 gateway endpoints for traffic originating from within the VPC

S3 interface endpoints for private access from on-premises environments over hybrid connectivity

It also tests whether you understand that removing NAT gateways is possible for S3 access from private subnets when a VPC endpoint is used.

Final justification

Because the company needs:

private S3 access from an EC2 instance in a private VPC, and

private S3 access from on-premises users over VPN,

while removing NAT gateways,

the correct design is to use:

an S3 gateway endpoint for the VPC application, and

an S3 interface endpoint with private DNS for the on-premises users.

That makes B the best answer.