AWS Certified Solutions Architect – Professional (SAP-C02) — Question 230

A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed.

A solutions architect needs to centralize billing and management of the company’s AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys.

Which combination of steps will meet these requirements? (Choose three.)

Answer options

• A. Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation.
• B. Configure each AWS account's email address to be aws+@example.com so that account management email messages and invoices are sent to the same place.
• C. Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account. Connect IAM Identity Center to the Azure Active Directory. Configure IAM Identity Center for automatic synchronization of users and groups.
• D. Deploy an AWS Managed Microsoft AD directory in the management account. Share the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM).
• E. Create AWS IAM Identity Center (AWS Single Sign-On) permission sets. Attach the permission sets to the appropriate IAM Identity Center groups and AWS accounts.
• F. Configure AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization.

Correct answer: A, C, E

Explanation

The correct steps involve creating a management account and setting up an AWS Organizations structure to centralize billing and management (A). Additionally, deploying AWS IAM Identity Center (AWS Single Sign-On) and linking it to the Azure Active Directory allows for identity federation and user management (C). Finally, creating permission sets and attaching them to the appropriate groups and accounts in IAM Identity Center enables the use of temporary credentials (E). Options B, D, and F do not fulfill the requirements as they do not centralize management or enable identity federation effectively.