Which solution will meet these requirements with the LEAST operational overhead?
Set up AWS Directory Service to create an AWS managed Microsoft Active Directory on AWS. Establish a trust relationship with the on-premises Active Directory. Use IAM roles that are assigned to Active Directory groups to access AWS resources within the company’s AWS accounts.
Create an IAM user for each developer. Manually manage permissions for each IAM user based on each user’s involvement with each project. Enforce multi-factor authentication (MFA) as an additional layer of security.
Use AD Connector in AWS Directory Service to connect to the on-premises Active Directory. Integrate AD Connector with AWS IAM Identity Center. Configure permission sets to give each AD group access to specific AWS accounts and resources.
Use Amazon Cognito to deploy an identity federation solution. Integrate the identity federation solution with the on-premises Active Directory. Use Amazon Cognito to provide access tokens for developers to access AWS accounts and resources.
Explanations:
Although AWS Managed Microsoft AD with a trust relationship can enable integration, it requires significant overhead to set up and maintain, as it involves creating and managing an entirely new AD environment on AWS, which is complex and unnecessary given the existence of AD Connector.
Creating individual IAM users would lead to high operational overhead due to manual management of permissions, especially with a large, globally distributed team. It also lacks centralized management and scalability, which would be inefficient in a multi-account setup.
AD Connector can directly connect to the on-premises Active Directory, enabling integration with AWS IAM Identity Center (formerly AWS SSO) for centralized identity management. This approach provides federated access and centralized permissions management with minimal overhead.
Amazon Cognito is primarily used for web and mobile applications rather than managing access to AWS resources. Integrating Cognito with on-premises Active Directory for this purpose would require additional complexity and does not align with AWS best practices for centralized management.