What should the DevOps engineer do next to meet the requirements?
Configure an external IdP as an identity source. Configure automatic provisioning of users and groups by using the SCIM protocol.
Configure AWS Directory Service as an identity source. Configure automatic provisioning of users and groups by using the SAML protocol.
Configure an AD Connector as an identity source. Configure automatic provisioning of users and groups by using the SCIM protocol.
Configure an external IdP as an identity source. Configure automatic provisioning of users and groups by using the SAML protocol.
Explanations:
Configuring an external IdP as an identity source allows employees to use their existing corporate credentials for AWS access. SCIM (System for Cross-domain Identity Management) enables automatic provisioning of users and groups, making it suitable for the requirement of syncing Active Directory groups with AWS IAM.
AWS Directory Service is not necessary because the company already has an external SAML 2.0 IdP configured. Additionally, SAML is used for authentication, not for automatic provisioning, which requires SCIM.
An AD Connector would not directly meet the requirement, since the existing setup already has an external IdP. SCIM is the correct protocol for automatic provisioning, but pairing it with an AD Connector adds an unnecessary extra layer of integration.
While configuring an external IdP is correct, SAML is primarily for authentication rather than provisioning. To meet the requirement of automatically managing user and group provisioning, SCIM should be used instead.