What is the BEST method to allow access using current LDAP credentials?

Explanations:

While creating an AWS Directory Service Simple AD could facilitate some integration with AWS, it does not directly support federating existing LDAP credentials. Replicating the on-premises LDAP directory to Simple AD would also involve additional complexity and would not provide a seamless single sign-on experience.

Automating the creation of IAM users through a Lambda function based on LDAP groups would not efficiently leverage existing LDAP credentials for authentication and would require ongoing maintenance to manage IAM users and their permissions, which is not ideal for an organization with a large IT department.

Using AWS CloudFormation to create IAM roles and deploying Direct Connect would not directly allow users to authenticate using their existing LDAP credentials. This approach focuses more on infrastructure deployment rather than enabling seamless access management based on LDAP authentication.

Federating the LDAP directory with IAM using SAML allows users to authenticate with their existing LDAP credentials. By creating different IAM roles corresponding to different LDAP groups, the organization can effectively limit permissions based on job functions, aligning well with best practices for access control in AWS.