AWS Certified Security – Specialty (SCS-C02) — Question 166

A company uses AWS Organizations. The company has more than 100 AWS accounts and will increase the number of accounts. The company also uses an external corporate identity provider (IdP).

The company needs to provide users with role-based access to the accounts. The solution must maximize scalability and operational efficiency.

Which solution will meet these requirements?

Answer options

• A. In each account, create a set of dedicated IAM users. Ensure that all users assume these IAM users through federation with the existing IdP.
• B. Deploy an IAM role in a central identity account. Allow users to assume the role through federation with the existing IdP. In each account, deploy a set of IAM roles that match the desired access patterns. Include a trust policy that allows access from the central identity account. Edit the permissions policy for the role in each account to match user access requirements.
• C. Enable AWS IAM Identity Center. Integrate IAM Identity Center with the company's existing IdP. Create permission sets that match the desired access patterns. Assign permissions to match user access requirements.
• D. In each account, deploy a set of IAM roles that match the desired access patterns. Create a trust policy with the existing IdP. Update each role's permissions policy to use SAML-based IAM condition keys that are based on user access requirements.

Correct answer: C

Explanation

The correct answer is C because AWS IAM Identity Center is specifically designed for managing access at scale across multiple accounts, making it ideal for organizations with numerous AWS accounts and existing IdPs. Options A and B rely on managing IAM users and roles separately in each account, which can become cumbersome as the number of accounts grows. Option D, while viable, does not leverage the efficiency and centralized management capabilities provided by AWS IAM Identity Center.