What should the solutions architect do to meet these requirements?
Create an IAM group for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign roles to the corresponding groups in all AWS accounts.
Create a group in AWS SSO for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign groups to AWS accounts with corresponding permission sets.
Create an IAM role for each job function in all AWS accounts. Create a group in the management account for each job function. In AWS SSO for the management account, create a permission set for each job function.
Create an IAM role for each job function in the management account. In AWS SSO for the management account, create a permission set for each IAM role.
Explanations:
This option suggests creating IAM groups and assigning roles, which is not aligned with the AWS SSO model. AWS SSO manages permissions using permission sets, not IAM groups or roles, making this approach incorrect for granular access management.
This option correctly utilizes AWS SSO’s functionality by creating groups in AWS SSO for each job function. It then establishes permission sets for those groups, allowing users to have granular access to AWS accounts based on their job functions. This approach is efficient and aligns with AWS best practices for managing permissions centrally.
This option implies creating IAM roles for job functions in each AWS account, which is unnecessary with AWS SSO. AWS SSO handles permissions through permission sets, and creating IAM roles per job function contradicts the central management that AWS SSO provides.
This option suggests creating IAM roles in the management account instead of using AWS SSO’s permission sets. It does not utilize AWS SSO effectively for managing access, which is contrary to the purpose of AWS SSO for centralized access management across multiple accounts.
If memory serves me right, the answer is:
Create a group in AWS SSO for each job function. In AWS SSO for the management account, create a permission set for each job function. Add users to the appropriate groups. Assign groups to AWS accounts with corresponding permission sets.