AWS Certified Security - Specialty
Get started today
Ultimate access to all questions.
A company is seeking a scalable solution for managing multi-account authentication and authorization within AWS, utilizing only native AWS services. AWS Organizations is fully activated, and AWS IAM Identity Center (formerly AWS Single Sign-On) is enabled. What should the security engineer do next to finalize the setup for employee access across multiple AWS accounts?
A company is seeking a scalable solution for managing multi-account authentication and authorization within AWS, utilizing only native AWS services. AWS Organizations is fully activated, and AWS IAM Identity Center (formerly AWS Single Sign-On) is enabled. What should the security engineer do next to finalize the setup for employee access across multiple AWS accounts?
Explanation:
The correct answer is B. Using the IAM Identity Center default directory to create users and groups ensures that employee access management remains centralized and scalable without introducing additional user-managed components. Groups can be assigned to AWS accounts and linked to permission sets according to job functions, making the solution both efficient and secure. Options A and D involve the use of additional services like AD Connector and AWS Directory Service, which add extra complexity and management overhead. Option C incorrectly assumes the need to link IAM Identity Center groups to existing IAM users across accounts, which is unnecessary and impractical for a scalable solution.