AWS Certified Solutions Architect – Associate (SAA-C03) — Question 463

A company wants to move from many standalone AWS accounts to a consolidated, multi-account architecture. The company plans to create many new AWS accounts for different business units. The company needs to authenticate access to these AWS accounts by using a centralized corporate directory service.

Which combination of actions should a solutions architect recommend to meet these requirements? (Choose two.)

Answer options

• A. Create a new organization in AWS Organizations with all features turned on. Create the new AWS accounts in the organization.
• B. Set up an Amazon Cognito identity pool. Configure AWS IAM Identity Center (AWS Single Sign-On) to accept Amazon Cognito authentication.
• C. Configure a service control policy (SCP) to manage the AWS accounts. Add AWS IAM Identity Center (AWS Single Sign-On) to AWS Directory Service.
• D. Create a new organization in AWS Organizations. Configure the organization's authentication mechanism to use AWS Directory Service directly.
• E. Set up AWS IAM Identity Center (AWS Single Sign-On) in the organization. Configure IAM Identity Center, and integrate it with the company's corporate directory service.

Correct answer: A, E

Explanation

To consolidate multiple accounts and easily provision new ones, creating an organization in AWS Organizations with all features enabled is the standard practice. Integrating AWS IAM Identity Center (AWS Single Sign-On) with the company's existing corporate directory allows for centralized user authentication across all member accounts. Other options, such as using Amazon Cognito or trying to connect AWS Directory Service directly to AWS Organizations, do not support this centralized multi-account SSO architecture.