Which solution meets these requirements?
With each AWS account, create dedicated IAM users that employees can assume through federation based upon group membership in their existing identity provider.
Use a centralized account with IAM roles that employees can assume through federation with their existing identity provider. Create a custom authorizer by using AWS SDK to give federated users the ability to assume their target role in the resource accounts.
Implement AWS Control Tower for multi-account management by integrating AWS Single Sign-On with the company’s existing identity provider. Create IAM roles for the identity provider to assume.
Configure the IAM trust policies within each account’s role to set up a trust back to the company’s existing identity provider. Allow users to assume the role based on their SAML token.
Explanations:
Creating dedicated IAM users in each AWS account is not scalable as it requires individual user management in each account, which can become cumbersome with hundreds of accounts. It also complicates access management and reduces operational efficiency.
While using a centralized account with IAM roles is a more scalable approach, creating a custom authorizer using AWS SDK adds unnecessary complexity and operational overhead. The solution does not fully leverage AWS services designed for identity federation and access management.
Implementing AWS Control Tower combined with AWS Single Sign-On (SSO) provides a scalable and efficient multi-account management solution. This setup allows for centralized management of access through an existing identity provider, simplifying user access and reducing administrative overhead.
Setting up IAM trust policies in each account to allow users to assume roles based on SAML tokens is not as efficient as centralized solutions. It requires manual configuration for each account and does not utilize a scalable, centralized identity management approach.