Explanation

AWS IAM Identity Center (formerly AWS Single Sign-On) is the correct service for centrally managing workforce identity access and permissions across multiple AWS accounts and applications.

Why AWS IAM Identity Center is correct:

• Centralized Identity Management: Provides a central place to manage access to multiple AWS accounts and business applications
• Single Sign-On (SSO): Enables users to sign in once and access all their assigned accounts and applications
• Workforce Identity: Specifically designed for managing employee, contractor, and partner identities
• Multi-account Management: Can manage permissions across multiple AWS accounts in an organization

Why other options are incorrect:

• Amazon Cognito: Primarily for customer identity and access management for web and mobile applications, not for workforce identity
• AWS Control Tower: For setting up and governing a secure, multi-account AWS environment, not specifically for identity management
• AWS IAM Roles Anywhere: For enabling IAM roles for workloads running outside of AWS, not for workforce identity management

AWS IAM Identity Center integrates with existing identity providers like Microsoft Active Directory and provides fine-grained access control across the AWS organization.