What should the solutions architect do to meet these requirements?
Create an IAM user for each user in the company. Attach the appropriate policies to each user.
Use Amazon Cognito with an Active Directory user pool. Create roles with the appropriate policies attached.
Define cross-account roles with the appropriate policies attached. Map the roles to the Active Directory groups.
Configure Security Assertion Markup Language (SAML) 2.0-based federation. Create roles with the appropriate policies attached. Map the roles to the Active Directory groups.
Explanations:
Creating an IAM user for each of the 1,500 users would require significant administrative overhead and would not integrate with the existing Active Directory (AD) setup, forcing users to hold separate credentials for AWS access. This goes against the requirement of not maintaining another identity for each user.
Amazon Cognito is primarily used for building applications with user authentication and management. It is not designed to directly integrate with existing Active Directory groups for the purpose of accessing AWS resources in a corporate environment without introducing another identity management layer.
Cross-account roles are used for delegating access across different AWS accounts, but they do not directly address the integration with Active Directory for authentication. Therefore, this option does not meet the requirement to manage user access seamlessly while preserving existing AD credentials.
Configuring SAML 2.0-based federation allows users to authenticate using their existing Active Directory credentials. By mapping the roles to AD groups, the company can effectively manage access to AWS resources without requiring users to maintain separate identities, fulfilling the requirement for seamless integration with on-premises resources.