AWS Certified Solutions Architect – Associate (SAA-C02) — Question 744
A company develops applications in separate AWS accounts that are all part of an organization in AWS Organizations. An operations team creates an IAM user for each developer for a given application. As the company has grown, the number of applications has increased. Developers now work on several applications and need to view and access all their project accounts.
A solutions architect must design a solution that minimizes the operational overhead for the operations team.
What should the solutions architect do to meet these requirements?
Answer options
- A. Implement AWS Single Sign-On for the organization.
- B. Consolidate all the AWS accounts into a single account for all users and applications.
- C. Use AWS CloudFormation StackSets to programmatically create IAM users in each account.
- D. Create a shared services account. Create all the IAM users in the shared services account. Configure cross-account access roles with appropriate access to each account.
Correct answer: D
Explanation
With Option D the operations team maintains exactly one IAM user per developer, in one account. Each project account exposes a cross-account IAM role whose trust policy names the shared services account as the only permitted principal, and the developer's user (or group) in the shared services account is granted sts:AssumeRole on the roles for the projects they work on. Adding a developer to a new project is then a policy change in one place rather than a new user in another account, and the per-application account boundaries stay intact. Option A (AWS Single Sign-On, since renamed IAM Identity Center) is the managed service for the same goal: it centralizes access across the organization and issues short-lived credentials without maintaining IAM users at all, so it is also a valid centralized approach; the answer key prefers D as the solution that centralizes the company's existing IAM-user model with the least disruption. Option B is wrong because merging everything into one account removes the isolation between applications that separate accounts provide. Option C is wrong because it still creates and maintains one user per developer in every account, which is the overhead the question asks to eliminate.
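The policy documents that make Option D work, as an added illustration that is not part of the exam page. The account IDs, the role name DeveloperAccess and the project names are made-up placeholders. The block builds the trust policy a project account attaches to its cross-account role, the identity policy a developer's user in the shared services account needs, and a review check that rejects a trust policy which trusts "*" , names the wrong account or does not require MFA; the final function shows the SDK call a developer's tooling makes to cross into a project account and needs real credentials, so it is not exercised offline.

```python
"""Cross-account access for the shared-services-account pattern.
Added example; account IDs, names and role name are assumed placeholders."""
import json

SHARED_SERVICES_ACCOUNT = "111111111111"   # assumed: account holding the IAM users
PROJECT_ACCOUNTS = {                          # assumed: developers' project accounts
    "payments-dev": "222222222222",
    "catalog-dev": "333333333333",
}
ROLE_NAME = "DeveloperAccess"                 # assumed: role created in each project account


def role_trust_policy(shared_services_account: str) -> dict:
    """Trust policy for the role in each project account: only principals
    from the shared services account may assume it, and only with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{shared_services_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def user_assume_role_policy(project_accounts: dict, role_name: str) -> dict:
    """Identity policy for a user or group in the shared services account,
    listing the project roles that user may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in project_accounts.values()],
        }],
    }


def trust_policy_is_scoped(policy: dict, expected_account: str) -> bool:
    """Review check: every Allow statement covering sts:AssumeRole must trust
    only principals in expected_account and require MFA."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):          # bare "*" trusts everyone
            return False
        arns = principal.get("AWS", [])
        if isinstance(arns, str):
            arns = [arns]
        prefix = f"arn:aws:iam::{expected_account}:"
        if not arns or not all(a.startswith(prefix) for a in arns):
            return False
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            return False
    return True


def assume_project_role(project_account: str, role_name: str, session_name: str):
    """Developer-side: exchange shared-services credentials for temporary
    credentials in a project account. Requires network and real credentials."""
    import boto3  # imported here so the rest of the module runs without boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{project_account}:role/{role_name}",
        RoleSessionName=session_name,
        DurationSeconds=3600,
    )
    c = resp["Credentials"]
    return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                         aws_secret_access_key=c["SecretAccessKey"],
                         aws_session_token=c["SessionToken"])


if __name__ == "__main__":
    print(json.dumps(role_trust_policy(SHARED_SERVICES_ACCOUNT), indent=2))
    print(json.dumps(user_assume_role_policy(PROJECT_ACCOUNTS, ROLE_NAME), indent=2))
```

Trusting the account root in the trust policy delegates the decision of which users may assume the role to the shared services account's own identity policies, which is what keeps user management in one place; the project account only needs to be touched when the role's permissions change. The MFA condition is a sensible default for long-lived IAM user credentials crossing an account boundary.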