AWS Certified Solutions Architect – Associate (SAA-C03) — Question 592
A company wants to provide users with access to AWS resources. The company has 1,500 users and manages their access to on-premises resources through Active Directory user groups on the corporate network. However, the company does not want users to have to maintain another identity to access the resources. A solutions architect must manage user access to the AWS resources while preserving access to the on-premises resources.
What should the solutions architect do to meet these requirements?
Answer options
- A. Create an IAM user for each user in the company. Attach the appropriate policies to each user.
- B. Use Amazon Cognito with an Active Directory user pool. Create roles with the appropriate policies attached.
- C. Define cross-account roles with the appropriate policies attached. Map the roles to the Active Directory groups.
- D. Configure Security Assertion Markup Language (SAML) 2.0-based federation. Create roles with the appropriate policies attached. Map the roles to the Active Directory groups.
Correct answer: D
Explanation
SAML 2.0-based federation is the standard approach for integrating an on-premises Active Directory with AWS, enabling single sign-on (SSO) so users do not need to maintain separate credentials. Option A is incorrect because creating 1,500 individual IAM users introduces significant administrative overhead and violates the single-identity requirement. Options B and C are incorrect because Amazon Cognito is not designed for direct on-premises Active Directory user pool integration, and cross-account roles are used for delegation between AWS accounts rather than on-premises federation.