Question 36

Domain 6: Management and Security Governance

A large company has hundreds of AWS accounts. The company needs to provide its employees with access to these accounts. The solution must maximize scalability and operational efficiency. Which solution meets these requirements?

A. With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider. B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using AWS SDK to give federated users the ability to assume their target role in the resource accounts. C. Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company's existing identity provider. Create IAM roles for the identity provider to assume. D. Configure the IAM trust policies within each account's role to set up a trust back to the company's existing identity provider. Allow users to assume the role based on their SAML token.

Correct answer: C

Explanation

AWS Control Tower is built for “multi-account strategies” and “centrally deploy and manage AWS accounts,” which maximizes scalability across hundreds of accounts. AWS IAM Identity Center (AWS Single Sign-On) supports centralized authentication, and cross-account IAM roles let the identity provider assume access into each account without creating separate users.

Why each option is right or wrong

A. With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider.

IAM users are account-specific; federation should use roles, not per-account user creation.

B. Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using AWS SDK to give federated users the ability to assume their target role in the resource accounts.

Federation uses IAM Identity Center or STS roles, not a custom SDK authorizer for role assumption.

C. Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company's existing identity provider. Create IAM roles for the identity provider to assume.

AWS Control Tower is the AWS-managed way to set up and govern a landing zone for a multi-account environment, and the exam blueprint explicitly calls out Task Statement 6.1: “develop a strategy to centrally deploy and manage AWS accounts,” including “multi-account strategies” and “cross-account roles.” AWS IAM Identity Center (AWS Single Sign-On) provides centralized federation for workforce access, so employees authenticate once through the existing identity provider and receive temporary access into target accounts via IAM roles rather than separate IAM users in each account. This is the scalable pattern for hundreds of accounts because it avoids per-account user administration and aligns with the centralized account-management and delegated-access model AWS expects.

D. Configure the IAM trust policies within each account's role to set up a trust back to the company's existing identity provider. Allow users to assume the role based on their SAML token.

Trust policies grant access to the identity provider via roles; users do not trust back directly from each account.

Previous Next