What is the BEST method to allow access using current LDAP credentials?
Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
Create a Lambda function to read LDAP groups and automate the creation of IAM users.
Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Explanations:
Simple AD is a managed directory service that does not support direct replication of on-premises LDAP directories. It is not ideal for federating on-premises LDAP credentials with IAM.
A Lambda function can automate tasks, but it cannot directly manage LDAP group-to-IAM role mappings. This option lacks scalability and flexibility in handling complex IAM roles and permissions.
Direct Connect is used for establishing dedicated network connections but does not facilitate the federation of LDAP directories with AWS IAM roles. It would not be suitable for controlling access based on LDAP group membership.
Federating the on-premises LDAP directory with IAM using SAML is a common method to enable single sign-on (SSO) and allow access to AWS based on LDAP group membership. This allows the creation of specific IAM roles that match LDAP groups, ensuring proper access control.