Which combination of steps should the security engineer take to meet these requirements? (Choose two.)
Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.
Provision an external identity provider (IdP) for each client company. Implement AWS Single Sign-On (AWS SSO) with the IdPs as the identity source for AWS SSO.
Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with employee IAM roles as the identity source for AWS SSO.
In the AWS Single Sign-On console, select the users who require access to client accounts. Assign these users to the accounts.
In the IAM console, select the users who require access to client accounts. Assign these users to the accounts.
Explanations:
Using AWS SSO with an external identity provider (IdP) as the identity source allows for centralized user management across all client accounts, reducing administrative overhead.
Provisioning an IdP for each client company is not necessary. A single external IdP for the parent company can be used to manage access to all client accounts through AWS SSO.
Employee IAM roles are not suitable as an identity source for AWS SSO. AWS SSO requires an IdP to manage user identities, not IAM roles.
AWS SSO allows the security engineer to assign users to client accounts, simplifying access management without needing to manage individual IAM users in each account.
IAM users are difficult to manage at scale, and using the IAM console to manually assign users to client accounts would not address the requirement to reduce administrative overhead.