AWS Certified Solutions Architect – Associate (SAA-C03) — Question 964
A company needs to give a globally distributed development team secure access to the company's AWS resources in a way that complies with security policies.
The company currently uses an on-premises Active Directory for internal authentication. The company uses AWS Organizations to manage multiple AWS accounts that support multiple projects.
The company needs a solution to integrate with the existing infrastructure to provide centralized identity management and access control.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Set up AWS Directory Service to create an AWS managed Microsoft Active Directory on AWS. Establish a trust relationship with the on-premises Active Directory. Use IAM roles that are assigned to Active Directory groups to access AWS resources within the company's AWS accounts.
- B. Create an IAM user for each developer. Manually manage permissions for each IAM user based on each user's involvement with each project. Enforce multi-factor authentication (MFA) as an additional layer of security.
- C. Use AD Connector in AWS Directory Service to connect to the on-premises Active Directory. Integrate AD Connector with AWS IAM Identity Center. Configure permission sets to give each AD group access to specific AWS accounts and resources.
- D. Use Amazon Cognito to deploy an identity federation solution. Integrate the identity federation solution with the on-premises Active Directory. Use Amazon Cognito to provide access tokens for developers to access AWS accounts and resources.
Correct answer: C
Explanation
Option C is the best choice. AD Connector is a directory gateway that forwards authentication and lookup requests to the on-premises Active Directory without replicating or caching directory data in AWS, and it is a supported identity source for AWS IAM Identity Center. Identity Center is integrated with AWS Organizations, so permission sets (which Identity Center provisions as IAM roles in each member account) can be assigned to the existing AD groups across all accounts from one place, and access follows the AD group lifecycle that the company already manages. The only added infrastructure is the AD Connector itself plus network connectivity (VPN or Direct Connect) from the VPC to the on-premises domain controllers.

Option A would work, but running AWS Managed Microsoft AD plus a forest or domain trust adds a second directory to operate and pay for; IAM roles also cannot be assigned to AD groups directly, so IAM Identity Center or a SAML identity provider would still be needed in front of it. Option B creates standalone credentials in every account with no link to the corporate directory, so joiners, movers and leavers have to be handled by hand; enforcing MFA does not reduce that overhead. Option D is incorrect because Amazon Cognito issues tokens for users of web and mobile applications and is not an identity source for workforce access to AWS accounts and the AWS Management Console.
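As an added illustration of what Option C looks like in practice (this is example configuration written for this page, not code from the question or from AWS), the Terraform below maps one existing AD group to one permission set in one member account. It assumes that AD Connector has already been created and selected as the identity source in IAM Identity Center, that the AD group has been synced into the identity store, and that the group display name `ProjectA-Developers`, the account ID `111122223333` and the `PowerUserAccess` policy are placeholders chosen for the example.

```hcl
# Added example: one AD group -> one permission set -> one account.
# Assumes AD Connector is already the IAM Identity Center identity source.

# Look up the Identity Center instance (created once per organization).
data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Resolve the synced AD group by display name (placeholder group name).
data "aws_identitystore_group" "project_a_devs" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "ProjectA-Developers" # assumed group name
    }
  }
}

# A permission set is a template; Identity Center provisions it as an
# IAM role in every account it is assigned to. Short session lifetime
# limits the blast radius of a stolen session.
resource "aws_ssoadmin_permission_set" "project_a_dev" {
  name             = "ProjectA-Developer"
  instance_arn     = local.instance_arn
  session_duration = "PT8H"
}

# Attach the policy the role should carry (placeholder policy).
resource "aws_ssoadmin_managed_policy_attachment" "project_a_dev" {
  instance_arn       = local.instance_arn
  managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
  permission_set_arn = aws_ssoadmin_permission_set.project_a_dev.arn
}

# Bind the AD group to the permission set in the target account
# (placeholder account ID). Repeat this resource per account/project.
resource "aws_ssoadmin_account_assignment" "project_a_dev" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.project_a_dev.arn
  principal_id       = data.aws_identitystore_group.project_a_devs.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333"
  target_type        = "AWS_ACCOUNT"
}
```

Adding a developer to or removing them from the `ProjectA-Developers` group in the on-premises AD is then all that is needed to grant or revoke their access; nothing changes in the AWS accounts themselves, which is the operational-overhead point the question is testing.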