SOA-C02 Exam Questions

SOA-C02 Exam - Question 229


A company is creating a new multi-account architecture. A SysOps administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).

What should the SysOps administrator do to meet these requirements?

Correct Answer: B

To centrally manage user access and permissions across all AWS accounts within an organization, while also integrating with a third-party SAML 2.0 identity provider, AWS Single Sign-On (SSO) is the appropriate solution. AWS SSO supports integration with AWS Organizations, enabling centralized management of access and permissions. It is designed to provide a seamless single sign-on experience by connecting with external IdPs using SAML 2.0, which allows users to use their existing corporate credentials to access AWS accounts and applications.
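Added example, not part of the exam page: Terraform showing the "central" half of option B, one permission set assigned to an IdP-provisioned group across every member account. It assumes IAM Identity Center is already enabled in the Organizations management account, the third-party SAML 2.0 IdP has been connected as the identity source in the Identity Center console, SCIM provisioning supplies a group named "Auditors", and the account IDs are placeholders.

```hcl
# Added example (not the exam page's own content). Assumes Identity Center is
# enabled in the management account, the SAML 2.0 IdP is connected in the
# console, and SCIM provisions a group "Auditors". Account IDs are placeholders.

variable "member_account_ids" {
  type    = list(string)
  default = ["111111111111", "222222222222"]
}

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Resolve the IdP-provisioned group by its display name.
data "aws_identitystore_group" "auditors" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "Auditors"
    }
  }
}

# Permissions are defined once here, not as a SAML role in each account.
resource "aws_ssoadmin_permission_set" "audit_readonly" {
  name             = "AuditReadOnly"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "audit_readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.audit_readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# One assignment per member account; revoking access is a change here, not in N accounts.
resource "aws_ssoadmin_account_assignment" "auditors" {
  for_each           = toset(var.member_account_ids)
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.audit_readonly.arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.auditors.group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = each.value
}
```

Removing a user from the "Auditors" group at the IdP (propagated by SCIM) removes their access in all assigned accounts without touching any account-level IAM role, which is the property option C cannot give without per-account changes.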

Discussion

7 comments
SomboonCH (Option: B)
Feb 13, 2023

AWS IAM Identity Center makes it easy to centrally manage federated access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. You can use AWS IAM Identity Center for identities in the AWS IAM Identity Center’s user directory, your existing corporate directory, or external IdP.

Phinx (Option: B)
Feb 19, 2023

It's B. AWS SSO (IAM Identity Center) supports SAML 2.0.

awsguru1998
Feb 13, 2023

B. AWS Single Sign-On (SSO) is the service to use in order to integrate with a third-party identity provider (IdP) such as SAML 2.0 and centrally manage user access and permissions across all AWS accounts. AWS Cognito is used for user authentication, but not for this use case. Federating the third-party IdP with AWS IAM is not required in this situation, as AWS SSO is used to manage user access. Additionally, it is not possible to integrate the third-party IdP directly with AWS Organizations.

Vivec (Option: B)
Mar 10, 2023

AWS Single Sign-On (AWS SSO) is an AWS service that enables you to manage access to multiple AWS accounts and business applications through a single AWS SSO portal. It is designed to work with your identity provider (IdP) using Security Assertion Markup Language (SAML) 2.0, which makes it easy to set up federation with AWS SSO. With AWS SSO, you can centrally manage users and permissions for all your AWS accounts and business applications from your AWS SSO directory. AWS SSO is integrated with AWS Organizations, which allows you to manage access to all the AWS accounts in your organization.

Christina666 (Option: B)
Jul 25, 2023

Option A (Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP) is not the most suitable choice for the requirements mentioned. While Amazon Cognito is a service for managing user identities and access control, it is not specifically designed for centralized management of user access across AWS accounts in AWS Organizations. AWS Single Sign-On (SSO) is a more appropriate solution for this use case.

Christina666
Jul 25, 2023

Option B (Enable and configure AWS Single Sign-On with the third-party IdP) is the correct choice for implementing a login solution that meets the specified requirements. AWS Single Sign-On (SSO) is a service that simplifies access management for multiple AWS accounts and business applications by enabling users to sign in only once using their existing credentials from the third-party IdP (which supports SAML 2.0 in this case). It allows centralized management of access and permissions across all accounts in AWS Organizations. AWS Single Sign-On (SSO) can be integrated with third-party SAML 2.0 identity providers, which means that users from the organization can use their existing credentials to sign in to the AWS environment. The administrator can set up AWS SSO to work with AWS Organizations, which allows for simplified user management across accounts.

jipark
Aug 17, 2023

I'll keep in mind "AWS Single Sign-On (SSO) can be integrated with third-party SAML 2.0 identity providers".

Gil80 (Option: C)
Feb 9, 2023

I think it's C: https://aws.amazon.com/identity/federation/#:~:text=AWS%20IAM%20helps%20you%20define,reusable%20custom%20managed%20IAM%20policies. "AWS IAM helps you define permissions once, and then grant, revoke or modify AWS access by simply changing the attributes in the IdP. You can apply the same federated access policy to multiple AWS accounts by implementing reusable custom managed IAM policies."

eesa
Jun 30, 2024

The correct answer is: B. Enable and configure AWS Single Sign-On with the third-party IdP. Here's why:

Centralized Management: AWS SSO allows you to centrally manage SSO access and user permissions across all AWS accounts that are part of your AWS Organizations.

SAML 2.0 Integration: AWS SSO natively supports integration with third-party SAML 2.0 identity providers, enabling you to use your existing corporate credentials.

Seamless Integration with AWS Organizations: AWS SSO integrates directly with AWS Organizations, making it easy to assign users and groups from your IdP to roles in any AWS account within your organization.

User-friendly Configuration: AWS SSO provides a user-friendly interface for managing SSO settings and user permissions, reducing administrative overhead.