AWS Certified Security – Specialty — Question 168

A large corporation is creating a multi-account strategy and needs to determine how its employees should access the AWS Infrastructure.
Which of the following solutions would provide the MOST scalable solution?

Answer options

• A. Create dedicated IAM users within each AWS account that employees can assume though federation based upon group membership in their existing identity provider.
• B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Use cross-account roles to allow the federated users to assume their target role in the resource accounts.
• C. Configure the AWS Security Token Service to use Kerberos tokens so that users can use their existing corporate user names and passwords to access AWS resources directly.
• D. Configure the IAM trust policies within each account's role to set up a trust back to the corporation's existing identity provider, allowing users to assume the role based off their SAML token.

Correct answer: B

Explanation

The correct answer, B, provides a centralized approach that allows for easier management and scalability as more accounts or users are added. Options A and D involve individual IAM users or account-specific configurations, which can become cumbersome as the number of users grows. Option C, while it allows access using existing credentials, does not provide the same level of integration and scalability as using IAM roles with federation.