AWS Certified SysOps Administrator – Associate — Question 359
A company's SysOps administrator uses AWS IAM Identity Center (AWS Single Sign-On) to connect to an Active Directory. The SysOps administrator creates a new account that all the company's users need to access.
The SysOps administrator uses the Active Directory Domain Users group for permissions to the new account because all users are already members of the group. When users try to log in, their access is denied.
Which action will resolve this access issue?
Answer options
- A. Create a new group. Add users to the new group to provide access.
- B. Correct the time on the Active Directory domain controllers.
- C. Remove the account. Re-add the account to the organization that is integrated with IAM Identity Center.
- D. Correct the permissions on the Active Directory group so that IAM Identity Center has read access.
Correct answer: A
Explanation
AWS IAM Identity Center does not support the default Active Directory "Domain Users" group for assigning access permissions, because it is a primary group: its membership is recorded on each user object (via the primaryGroupID attribute) rather than in the group's member attribute, which is what IAM Identity Center reads when it synchronizes group membership. To resolve this limitation, the administrator must create a new security group in Active Directory, add the users to it, and use that group for AWS account access. Adjusting domain controller time, recreating the AWS account, or changing AD read permissions will not resolve this group compatibility issue.