AWS Certified Security – Specialty — Question 423

A security engineer is working for a parent company that provides hosting and services to client companies. The parent company maintains an organization in AWS Organizations for all client company accounts. The parent company adds any new accounts to the organization when the new accounts are created. The parent company currently uses IAM users to administer the client company accounts. As more client accounts are added, the administration of the IAM accounts takes more time.

The security engineer must design a solution to reduce the amount of time that the parent company spends on administration and access provisioning for client accounts.

Which combination of steps should the security engineer take to meet these requirements? (Choose two.)

Answer options

• A. Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.
• B. Provision an external identity provider (IdP) for each client company. Implement AWS Single Sign-On (AWS SSO) with the IdPs as the identity source for AWS SSO.
• C. Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with employee IAM roles as the identity source for AWS SSO.
• D. In the AWS Single Sign-On console, select the users who require access to client accounts. Assign these users to the accounts.
• E. In the IAM console, select the users who require access to client accounts. Assign these users to the accounts.

Correct answer: A, D

Explanation

Configuring a single external identity provider (IdP) for the parent company combined with AWS Single Sign-On (AWS SSO) centralizes user management, eliminating the need to manage individual IAM users in each account. Once configured, administrators can efficiently assign these federated users to the appropriate client accounts directly from the AWS SSO console, drastically reducing administrative effort.