AWS Certified Solutions Architect – Professional — Question 997

A company is using AWS Single Sign-On (AWS SSO) to centrally manage permissions and access to multiple AWS accounts in AWS Organizations. A solutions architect needs to provide users with granular access to AWS accounts based on different job functions.
What should the solutions architect do to meet these requirements?

Answer options

• A. Create an IAM group for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign roles to the corresponding groups in all AWS accounts.
• B. Create a group in AWS SSO for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign groups to AWS accounts with corresponding permission sets.
• C. Create an IAM role for each job function in all AWS accounts. Create a group in the management account for each job function. In AWS SSO for the management account, create a permission set for each job function.
• D. Create an IAM role for each job function in the management account. In AWS SSO for the management account, create a permission set for each IAM role.

Correct answer: B

Explanation

Option B is correct because AWS SSO (now IAM Identity Center) allows administrators to manage access centrally by creating groups directly within AWS SSO, defining permission sets, and assigning those groups to specific AWS accounts with the corresponding permission sets. Options A, C, and D are incorrect because they rely on creating local IAM groups or IAM roles manually in individual accounts, which defeats the centralized management benefits of AWS SSO.