Which combination of steps will meet these requirements? (Choose three.)
Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation.
Configure each AWS account’s email address to be [email protected] so that account management email messages and invoices are sent to the same place.
Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account. Connect IAM Identity Center to Azure Active Directory. Configure IAM Identity Center for automatic synchronization of users and groups.
Deploy an AWS Managed Microsoft AD directory in the management account. Share the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM).
Create AWS IAM Identity Center (AWS Single Sign-On) permission sets. Attach the permission sets to the appropriate IAM Identity Center groups and AWS accounts.
Configure AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization.
Explanations:
Creating a new AWS management account and setting up AWS Organizations is necessary for centralizing billing and management. Inviting existing accounts to the organization ensures they are governed under a single management umbrella.
Configuring a specific email address for all accounts does not address the need for central management or identity federation. This step is unrelated to the main requirements.
AWS IAM Identity Center (AWS Single Sign-On) supports identity federation with Azure Active Directory. By connecting IAM Identity Center to Azure AD, users authenticate with their Azure AD credentials and receive temporary AWS credentials, which meets the temporary credentials requirement.
Deploying an AWS Managed Microsoft AD and sharing it via AWS RAM is unnecessary because IAM Identity Center is a more appropriate solution for federating Azure AD identities with temporary credentials.
Permission sets in AWS IAM Identity Center allow the assignment of roles and permissions to users and groups. This enables centralized access management for the various AWS accounts.
Configuring IAM in each account to use AWS Managed Microsoft AD for authentication is less efficient than using IAM Identity Center, which is specifically designed for identity federation and for issuing temporary credentials across multiple AWS accounts.