AWS Certified Solutions Architect – Associate (SAA-C02) — Question 533

A company wants to move from many standalone AWS accounts to a consolidated, multi-account architecture. The company plans to create many new AWS accounts for different business units. The company needs to authenticate access to these AWS accounts by using a centralized corporate directory service.
Which combination of actions should a solutions architect recommend to meet these requirements? (Choose two.)

Answer options

• A. Create a new organization in AWS Organizations with all features turned on. Create the new AWS accounts in the organization.
• B. Set up an Amazon Cognito identity pool. Configure AWS Single Sign-On to accept Amazon Cognito authentication.
• C. Configure a service control policy (SCP) to manage the AWS accounts. Add AWS Single Sign-On to AWS Directory Service.
• D. Create a new organization in AWS Organizations. Configure the organization's authentication mechanism to use AWS Directory Service directly.
• E. Set up AWS Single Sign-On (AWS SSO) in the organization. Configure AWS SSO, and integrate it with the company's corporate directory service.

Correct answer: A, E

Explanation

To establish a multi-account environment, creating an organization in AWS Organizations with all features enabled is necessary to centrally manage and provision new AWS accounts. Integrating AWS Single Sign-On (AWS SSO) with the company's corporate directory service allows centralized authentication across all these accounts. Other options, like using Amazon Cognito or configuring AWS Organizations to connect directly to AWS Directory Service without AWS SSO, do not meet the architectural requirements for centralized enterprise SSO access.