AWS Certified Solutions Architect – Professional — Question 421

A financial company with multiple departments wants to expand its on-premises environment to the AWS Cloud. The company must retain centralized access control using an existing on-premises Active Directory (AD) service. Each department should be allowed to create AWS accounts with preconfigured networking and should have access to only a specific list of approved services. Departments are not permitted to have account administrator permissions.
What should a solutions architect do to meet these security requirements?

Answer options

• A. Configure AWS Identity and Access Management (IAM) with a SAML identity provider (IdP) linked to the on-premises Active Directory, and create a role to grant access. Configure AWS Organizations with SCPs and create new member accounts. Use AWS CloudFormation templates to configure the member account networking.
• B. Deploy an AWS Control Tower landing zone. Create an AD Connector linked to the on-premises Active Directory. Change the identity source in AWS Single Sign-On to use Active Directory. Allow department administrators to use Account Factory to create new member accounts and networking. Grant the departments AWS power user permissions on the created accounts.
• C. Deploy an Amazon Cloud Directory. Create a two-way trust relationship with the on-premises Active Directory, and create a role to grant access. Set up an AWS Service Catalog to use AWS CloudFormation templates to create the new member accounts and networking. Use IAM roles to allow access to approved AWS services.
• D. Configure AWS Directory Service for Microsoft Active Directory with AWS Single Sign-On. Join the service to the on-premises Active Directory. Use AWS CloudFormation to create new member accounts and networking. Use IAM roles to allow access to approved AWS services.

Correct answer: B

Explanation

AWS Control Tower's Account Factory allows the automated provisioning of new accounts with standardized, preconfigured networking, and delegates this capability to department users without giving them full administrator rights. Linking AD Connector with AWS Single Sign-On (now AWS IAM Identity Center) satisfies the requirement for centralized access control utilizing the existing on-premises Active Directory. Assigning AWS Power User permissions ensures departments can manage their workloads while preventing them from performing administrative, account-level modifications.