What is the BEST method to allow access using current LDAP credentials?
Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD.
Create a Lambda function to read LDAP groups and automate the creation of IAM users.
Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server.
Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
Explanations:
Creating an AWS Directory Service Simple AD does not federate the existing LDAP credentials. Simple AD is a standalone Samba-based directory: it does not support trust relationships with, or replication from, an on-premises directory, so the accounts would have to be duplicated into it rather than replicated. That leaves two credential stores to keep in sync and gives users no single sign-on with the credentials they already have.
Automating the creation of IAM users from LDAP groups with a Lambda function does not let users authenticate with their LDAP credentials either; each user would receive a second set of credentials (an IAM password or access keys) that must be rotated and de-provisioned separately. Group changes, leavers and permission changes would have to be synchronized continuously, and the Lambda function itself would need standing rights to create users and attach policies. This is ongoing maintenance and added privilege for an organization with a large IT department, not a reduction of it.
Using AWS CloudFormation to create IAM roles and deploying Direct Connect does not, by itself, allow users to authenticate with their existing LDAP credentials. IAM does not consult an external LDAP server when authenticating; Direct Connect only provides private network connectivity, and a role still needs a trusted principal that can assume it. This approach addresses infrastructure deployment, not identity federation.
Federating the LDAP directory with IAM using SAML 2.0 allows users to authenticate with their existing LDAP credentials. A SAML identity provider (for example AD FS or Shibboleth) authenticates the user against the LDAP directory and issues a signed assertion; the user then obtains temporary credentials by assuming an IAM role whose trust policy names the IAM SAML provider. The assertion's Role attribute carries the role that the user's LDAP group membership entitles them to, so creating one IAM role per LDAP group limits each user to the permissions of their job function. No IAM users or long-lived credentials are created, access is revoked by removing the user from the LDAP group, and the design follows AWS best practice for workforce access control.
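The following is an added illustration of the group-to-role mapping behind the correct answer; it is not part of the original question or explanation. It shows the trust policy each federated role needs (only the SAML provider may assume it, and only with an assertion addressed to the AWS sign-in audience), how an identity provider would derive the SAML Role attribute values from a user's LDAP memberOf list, and the check STS performs on those values. The account ID, provider name, role names and group DNs are assumed placeholders.

```python
"""Illustrative LDAP-group -> IAM-role mapping for SAML federation (added example)."""
import json

ACCOUNT_ID = "123456789012"        # assumed placeholder AWS account
PROVIDER_NAME = "CorpLDAP"         # assumed name of the IAM SAML provider
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # audience AWS expects in assertions

# Hypothetical LDAP groups, one per job function, each mapped to exactly one IAM role.
GROUP_TO_ROLE = {
    "cn=aws-admins,ou=groups,dc=example,dc=com": "LDAP-Admin",
    "cn=aws-developers,ou=groups,dc=example,dc=com": "LDAP-Developer",
    "cn=aws-readonly,ou=groups,dc=example,dc=com": "LDAP-ReadOnly",
}


def role_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{name}"


def trust_policy(provider_arn: str = PROVIDER_ARN) -> dict:
    """Trust policy for a federated role: the only principal allowed to assume it is the
    SAML provider, via sts:AssumeRoleWithSAML, and only when the assertion's audience
    is the AWS sign-in endpoint. Permissions come from separately attached policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def saml_role_attribute(member_of: list[str]) -> list[str]:
    """Values the identity provider places in the
    https://aws.amazon.com/SAML/Attributes/Role attribute for one user.
    Each value is '<role-arn>,<provider-arn>'. Groups with no mapping are ignored,
    so a user in no mapped group receives no role and therefore no AWS access."""
    values = []
    for dn in member_of:
        name = GROUP_TO_ROLE.get(dn.lower())   # DNs compare case-insensitively
        if name:
            values.append(f"{role_arn(name)},{PROVIDER_ARN}")
    return values


def parse_role_attribute(values: list[str], expected_provider: str = PROVIDER_ARN) -> list[str]:
    """Mirror of the check STS applies on AssumeRoleWithSAML: every pair must name the
    provider that issued the assertion; a value that names another provider is rejected.
    Returns the role ARNs the user may choose from."""
    roles = []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        role, provider = (parts if ":role/" in parts[0] else parts[::-1])
        if provider != expected_provider:
            raise ValueError(f"assertion names untrusted provider {provider}")
        roles.append(role)
    return roles


if __name__ == "__main__":
    # Constructed sample: a developer who is also in an unmapped HR group.
    member_of = ["CN=aws-developers,OU=groups,DC=example,DC=com",
                 "CN=hr,OU=groups,DC=example,DC=com"]
    attr = saml_role_attribute(member_of)
    print(json.dumps(trust_policy(), indent=2))
    print(attr)                                  # one role pair for LDAP-Developer
    print(parse_role_attribute(attr))            # ['arn:aws:iam::123456789012:role/LDAP-Developer']
```

The practical point is that permissions live entirely on the AWS side (the policies attached to each role), while entitlement lives entirely on the LDAP side (group membership); removing a user from `aws-developers` stops the identity provider from emitting that role pair, and no IAM object has to be cleaned up.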