AWS Certified Solutions Architect – Associate (SAA-C03) — Question 709
A company sets up an organization in AWS Organizations that contains 10 AWS accounts. A solutions architect must design a solution to provide access to the accounts for several thousand employees. The company has an existing identity provider (IdP). The company wants to use the existing IdP for authentication to AWS.
Which solution will meet these requirements?
Answer options
- A. Create IAM users for the employees in the required AWS accounts. Connect IAM users to the existing IdP. Configure federated authentication for the IAM users.
- B. Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.
- C. Configure AWS IAM Identity Center (AWS Single Sign-On). Connect IAM Identity Center to the existing IdP. Provision users and groups from the existing IdP.
- D. Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the users in the existing IdP.
Correct answer: C
Explanation
AWS IAM Identity Center (AWS Single Sign-On) is the AWS-recommended service for centralizing access management across the accounts in an AWS Organizations organization, and it can be connected to an external IdP so that employees authenticate with their existing corporate credentials. Option A is impractical and insecure: creating and maintaining IAM users manually for thousands of employees does not scale, and IAM users are not the mechanism for IdP federation. Option B is wrong because root user credentials should never be used for day-to-day employee access. Option D is wrong because AWS Resource Access Manager (AWS RAM) is designed for sharing resources such as Transit Gateways or subnets across accounts, not for user identity federation.