AWS Certified SysOps Administrator – Associate (legacy) — Question 597
A company manages multiple AWS accounts and wants to provide access to AWS from a single management account using an existing on-premises Microsoft Active Directory domain.
Which solution will meet these requirements with the LEAST amount of effort?
Answer options
- A. Create an Active Directory connector using AWS Directory Service. Create IAM users in the target accounts with the appropriate trust policy.
- B. Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
- C. Create an Amazon Cognito federated identity pool. Associate the pool identity with the on-premises directory. Configure the IAM roles with the appropriate trust policy.
- D. Create an identity provider in AWS IAM associated with the on-premises directory. Create IAM roles in the target accounts with the appropriate trust policy.
Correct answer: A
Explanation
Using AWS Directory Service to create an Active Directory connector allows the organization to leverage its existing on-premises Microsoft Active Directory without replicating directory data. Establishing IAM users in the target accounts with appropriate trust policies provides a direct and straightforward way to delegate access. Other options, such as Amazon Cognito or a manual SAML identity provider setup, involve significantly more configuration and overhead for multi-account management.