What is the MOST operationally efficient solution that meets these requirements?

By:
In: SOA-C02
Tagged:
With: 2 Comments
A company uses AWS Organizations to host several applications across multiple AWS accounts.Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed.The solution must be integrated with the company’s existing on-premises Active Directory environment.The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.

What is the MOST operationally efficient solution that meets these requirements?

Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Explanations:

Creating a Simple AD domain and establishing a forest trust would require significant management overhead and complexity. Additionally, AWS IAM Identity Center does not support using Simple AD as an identity source directly, making it less operationally efficient.

Setting up an Active Directory domain controller on an EC2 instance adds unnecessary complexity and operational overhead. This approach requires ongoing maintenance of the EC2 instance and does not provide the integration benefits that AWS AD Connector offers.

Creating an AD Connector provides a seamless integration with the on-premises Active Directory environment, allowing for centralized user and permission management with minimal operational overhead. It efficiently uses IAM Identity Center to manage user access across AWS accounts.

Using the built-in SSO directory requires duplicating users and groups from the on-premises Active Directory, leading to potential synchronization issues and increased administrative effort. It is not the most efficient solution compared to using AD Connector.

2026-03-21

2 Comments

  1. Lucas
    Author

    Based on what I know, the answer is:
    Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

  2. Theresa
    Author

    My best guess is:
    Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Leave a Reply to Theresa Cancel reply

Your email address will not be published. Required fields are marked *

two × 1 =