AWS Certified SysOps Administrator – Associate (legacy) — Question 595
A SysOps Administrator is configuring AWS SSO for the first time. The Administrator has already created a directory in the master account using AWS Directory Service and enabled full access in AWS Organizations.
What should the Administrator do next to configure the service?
Answer options
- A. Create IAM roles in each account to be used by AWS SSO, and associate users with these roles using AWS SSO.
- B. Create IAM users in the master account, and use AWS SSO to associate the users with the accounts they will access.
- C. Create permission sets in AWS SSO, and associate the permission sets with Directory Service users or groups.
- D. Create service control policies (SCPs) in Organizations, and associate the SCPs with Directory Service users or groups.
Correct answer: C
Explanation
After enabling AWS SSO and linking it to AWS Directory Service, the administrator must define which resources and actions users can access by creating permission sets. These permission sets are then assigned to Directory Service users or groups to grant them access to specific AWS accounts. Manually creating IAM roles or users is unnecessary because AWS SSO manages these automatically, and SCPs are organization-wide guardrails rather than a mechanism for provisioning direct user access.