AWS Certified SysOps Administrator – Associate — Question 154
A company is creating a new multi-account architecture. A SysOps administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).
What should the SysOps administrator do to meet these requirements?
Answer options
- A. Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP.
- B. Enable and configure AWS Single Sign-On with the third-party IdP.
- C. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization.
- D. Integrate the third-party IdP directly with AWS Organizations.
Correct answer: B
Explanation
The correct answer is B because AWS Single Sign-On is built for exactly this case: it is enabled at the organization level, uses AWS Organizations to discover and manage the member accounts, accepts a SAML 2.0 identity provider as its identity source, and lets administrators assign users and groups to permission sets across all accounts from one place. Option A is incorrect because Amazon Cognito user pools provide sign-in for web and mobile applications, not workforce access to AWS accounts across an organization. Option C is technically possible but requires creating a SAML identity provider and IAM roles in every account separately, so there is no central management of user access and permissions. Option D is incorrect because AWS Organizations does not support direct integration with third-party IdPs; the IdP is connected through AWS Single Sign-On, not through Organizations itself.