AWS Certified SysOps Administrator – Associate (legacy) — Question 287
You are managing the AWS account of a large organization. The organization has more than 1,000 employees and wants to give most of them access to various AWS services. Which of the options below is the best possible solution in this case?
Answer options
- A. The user should create a separate IAM user for each employee and provide access to them as per the policy
- B. The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and set up AWS authentication on that server
- C. The user should create IAM groups as per the organization's departments and add each user to the group for better access control
- D. Attach an IAM role with the organization's authentication service to authorize each user for various AWS services
Correct answer: D
Explanation
For a large organization with over 1,000 employees, creating and maintaining a separate IAM user (with its own console password and access keys) for every employee does not scale, and it duplicates identity data that already lives in the corporate directory. Grouping those users by department (option C) simplifies permission management but still leaves one long-lived set of AWS credentials per person to create, rotate and revoke, and it does nothing about joiners and leavers. The AWS-recommended approach is identity federation: register the organization's identity provider (SAML 2.0 or OpenID Connect) in IAM and let employees who have authenticated against it assume IAM roles through AWS STS (AssumeRoleWithSAML or AssumeRoleWithWebIdentity). Users are then managed once, in the corporate directory, and AWS only ever issues short-lived temporary credentials, so revoking someone's corporate account removes their AWS access at the same time. Option B misreads roles and STS: a role attached to an EC2 instance grants permissions to that instance, not to people, and funnelling every employee through one server for "authentication" would be neither secure nor scalable. Two practical caveats: the role's trust policy should pin the SAML audience (SAML:aud) to the AWS sign-in endpoint so an assertion issued for another service cannot be replayed against AWS, and on current AWS this pattern is packaged as AWS IAM Identity Center (formerly AWS SSO), which is now the recommended way to federate workforce users; the direct IAM SAML/OIDC federation this legacy question describes remains the underlying mechanism.
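The following is an added example, not part of the exam page or of any AWS documentation. It shows the two pieces a practitioner would actually write for option D: the trust policy that lets only the registered SAML provider hand out a role, and the client-side step of reading the Role attribute from a SAML assertion, choosing the role for the caller's department, and building the AssumeRoleWithSAML request. The account ID, provider name, role-naming convention (Federated-<Department>) and the sample attribute values are all assumptions constructed for the example; the STS call itself is prepared but not sent so the code runs offline.

```python
"""Federated (SAML 2.0) access to AWS instead of one IAM user per employee.

Added example, not from the exam page. The account ID, provider ARN,
role names and the sample Role attribute values below are constructed
placeholders (assumptions), not taken from a real deployment.
"""
import json
from typing import Dict, List, Tuple

# Attribute name AWS expects in the SAML assertion, and the audience the
# assertion must be issued for. Both are fixed by AWS, not chosen here.
SAML_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Assumed identifiers for the example.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/CorpIdP"
SAMPLE_ROLE_ATTR = [  # constructed values, in both orders AWS accepts
    "arn:aws:iam::123456789012:role/Federated-Finance," + PROVIDER_ARN,
    PROVIDER_ARN + ",arn:aws:iam::123456789012:role/Federated-Engineering",
]


def saml_role_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role that only the corporate IdP can hand out.

    The principal is the SAML provider registered in IAM, the only allowed
    action is sts:AssumeRoleWithSAML, and SAML:aud pins the assertion's
    audience to the AWS sign-in endpoint so an assertion minted for some
    other service cannot be replayed against AWS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def parse_role_attribute(values: List[str]) -> Dict[str, str]:
    """Parse the Role attribute values emitted by the IdP.

    Each value is "role-arn,provider-arn" (AWS also accepts the reverse
    order). Returns a mapping role ARN -> provider ARN. Malformed values
    raise instead of being skipped, so a broken IdP mapping is noticed.
    """
    roles: Dict[str, str] = {}
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        role = [p for p in parts if p.startswith("arn:aws:iam::") and ":role/" in p]
        prov = [p for p in parts if p.startswith("arn:aws:iam::") and ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(prov) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles[role[0]] = prov[0]
    return roles


def pick_role(roles: Dict[str, str], department: str) -> Tuple[str, str]:
    """Select the role for the caller's department.

    Naming convention assumed for the example: roles are called
    Federated-<Department>. Exactly one match is required.
    """
    suffix = f":role/Federated-{department}"
    matches = [arn for arn in roles if arn.endswith(suffix)]
    if len(matches) != 1:
        raise LookupError(f"no single role for department {department!r}: {matches}")
    return matches[0], roles[matches[0]]


def assume_role_request(roles: Dict[str, str], department: str,
                        saml_assertion_b64: str, duration: int = 3600) -> dict:
    """Keyword arguments for boto3's sts.assume_role_with_saml.

    Returned rather than sent so the example runs offline; in practice:
    boto3.client("sts").assume_role_with_saml(**assume_role_request(...))
    yields temporary credentials that expire after `duration` seconds.
    """
    role_arn, provider_arn = pick_role(roles, department)
    return {
        "RoleArn": role_arn,
        "PrincipalArn": provider_arn,
        "SAMLAssertion": saml_assertion_b64,
        "DurationSeconds": duration,
    }


if __name__ == "__main__":
    print(json.dumps(saml_role_trust_policy(PROVIDER_ARN), indent=2))
    roles = parse_role_attribute(SAMPLE_ROLE_ATTR)
    # The assertion would be the base64 SAMLResponse posted by the IdP.
    print(assume_role_request(roles, "Finance", "<base64 SAMLResponse>"))
```

The IdP side (mapping directory groups to the Role attribute) is configured in the corporate identity provider, not in AWS; the trust policy above is what you would pass as the assume-role policy document when creating each federated role, and the permission policy attached to the role is what replaces the per-user policies of option A.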