Which combination of steps will meet these requirements?
(Choose two.)
Use Amazon GuardDuty with a delegated administrator account. Use GuardDuty to enforce denial of IAM user logins.
Use AWS IAM Identity Center to configure identity federation with SAML 2.0.
Create a permissions boundary in AWS IAM Identity Center to deny password logins for IAM users.
Create IAM groups in the Organizations management account to apply consistent permissions for all IAM users.
Create an SCP in Organizations to deny password creation for IAM users.
Explanations:
Amazon GuardDuty is a threat detection service and does not have capabilities to enforce authentication policies for IAM users. It cannot directly prevent IAM user logins based on authentication through a corporate IdP.
AWS IAM Identity Center (formerly AWS Single Sign-On) allows for the configuration of identity federation using SAML 2.0. This enables users to authenticate through the company’s corporate IdP, meeting the requirement for centralized authentication for AWS Management Console access.
While permissions boundaries can restrict the actions that IAM users can perform, they do not specifically prevent password logins or enforce external IdP authentication. Therefore, this option does not meet the requirement.
Creating IAM groups in the Organizations management account allows for consistent permissions but does not enforce authentication through the corporate IdP for AWS Management Console access. Thus, it does not meet the requirement.
Creating a Service Control Policy (SCP) in AWS Organizations to deny password creation for IAM users prevents IAM users in member accounts from being given console passwords, so AWS Management Console access has to go through the corporate IdP, which aligns with the requirement.
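As an added illustration that is not part of the original question or its answer key, the SCP described in the last option could look like the policy below. Console passwords for IAM users are created through the iam:CreateLoginProfile API and changed through iam:UpdateLoginProfile, so a Deny on those two actions blocks password-based console access for IAM users in every member account the policy is attached to. The Sid value is a made-up label.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamUserConsolePasswords",
      "Effect": "Deny",
      "Action": [
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
```

Two caveats when applying it: SCPs never apply to the Organizations management account, so IAM users there are unaffected, and denying creation does not remove login profiles that already exist, so previously issued passwords have to be deleted separately. Attaching the SCP to the organization root or to an OU applies it to every member account beneath that point.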