Which combination of steps should the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A security engineer is working for a parent company that provides hosting and services to client companies.The parent company maintains an organization in AWS Organizations for all client company accounts.The parent company adds any new accounts to the organization when the new accounts are created.The parent company currently uses IAM users to administer the client company accounts.As more client accounts are added, the administration of the IAM accounts takes more time.The security engineer must design a solution to reduce the amount of time that the parent company spends on administration and access provisioning for client accounts.

Which combination of steps should the security engineer take to meet these requirements?

(Choose two.)

Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.

Provision an external identity provider (IdP) for each client company. Implement AWS Single Sign-On (AWS SSO) with the IdPs as the identity source for AWS SSO.

Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with employee IAM roles as the identity source for AWS SSO.

In the AWS Single Sign-On console, select the users who require access to client accounts. Assign these users to the accounts.

In the IAM console, select the users who require access to client accounts. Assign these users to the accounts.

Explanations:

Using AWS SSO with an external identity provider (IdP) as the identity source allows for centralized user management across all client accounts, reducing administrative overhead.

Provisioning an IdP for each client company is not necessary. A single external IdP for the parent company can be used to manage access to all client accounts through AWS SSO.

Employee IAM roles are not suitable as an identity source for AWS SSO. AWS SSO requires an IdP to manage user identities, not IAM roles.

AWS SSO allows the security engineer to assign users to client accounts, simplifying access management without needing to manage individual IAM users in each account.

IAM users are difficult to manage at scale, and using IAM console to manually assign users to client accounts would not address the problem of reducing administrative overhead.

2026-04-05

2 Comments

  1. Kevin
    Author

    I map out that the answer is:
    Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.

  2. Samantha
    Author

    It appears that the answer is:
    Provision an external identity provider (IdP) for the parent company. Implement AWS Single Sign-On (AWS SSO) with the IdP as the identity source for AWS SSO.

Leave a Reply to Samantha Cancel reply

Your email address will not be published. Required fields are marked *

three × five =