AWS Certified Solutions Architect – Associate (SAA-C03) — Question 783
A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally.
The company's security team needs a single sign-on solution across all the company's AWS accounts. The company must continue to manage users and groups that are in the on-premises Active Directory.
Which solution will meet these requirements?
Answer options
- A. Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft Active Directory. Configure the Active Directory to be the identity source for AWS IAM Identity Center.
- B. Enable AWS IAM Identity Center. Configure a two-way forest trust relationship to connect the company's self-managed Active Directory with IAM Identity Center by using AWS Directory Service for Microsoft Active Directory.
- C. Use AWS Directory Service and create a two-way trust relationship with the company's self-managed Active Directory.
- D. Deploy an identity provider (IdP) on Amazon EC2. Link the IdP as an identity source within AWS IAM Identity Center.
Correct answer: B
Explanation
AWS IAM Identity Center (the successor to AWS Single Sign-On) is the AWS service for workforce single sign-on across the accounts of an AWS Organization, and it accepts an AWS Managed Microsoft AD directory as its identity source. Joining that managed directory to the self-managed on-premises forest with a two-way forest trust lets Identity Center look up users and groups that still live, and are still administered, on premises. The trust has to be two-way rather than one-way because Identity Center reads user and group attributes out of the trusted forest to build its assignments. Option A stands up a new managed directory as the identity source, so users and groups would have to be created and maintained in AWS instead of on premises. Option C creates the trust but puts no SSO layer on top of it, so it does not give sign-on across the accounts by itself. Option D makes the company run and patch its own IdP on Amazon EC2 when a managed integration already exists, which is added operational and security overhead with no benefit here.