Which solution will meet the CISO’s requirements?
Define AWS IAM roles based on the functional responsibilities of the users in a central account. Create a SAML-based identity management provider. Map users in the on-premises groups to IAM roles. Establish trust relationships between the other accounts and the central account.
Deploy a common set of AWS IAM users, groups, roles, and policies in all of the AWS accounts using AWS Organizations. Implement federation between the on-premises identity provider and the AWS accounts.
Use AWS Organizations in a centralized account to define service control policies (SCPs). Create a SAML-based identity management provider in each account and map users in the on-premises groups to AWS IAM roles.
Perform a thorough analysis of the user base and create AWS IAM users accounts that have the necessary permissions. Set up a process to provision and deprovision accounts based on data in the on-premises solution.
Explanations:
This option allows for centralized management of permissions through IAM roles defined in a central account. By using SAML-based federation, the existing on-premises identity management solution can be integrated, enabling seamless authentication and mapping of on-premises user groups to AWS IAM roles across multiple accounts. This satisfies the requirement for centralized permission management and synchronization of user credentials.
While deploying a common set of IAM users, groups, roles, and policies across all accounts may simplify management, it does not provide a centralized authentication mechanism or integration with the on-premises identity provider. Federation would only work if implemented correctly, but this option does not emphasize the necessary central management or synchronization of credentials.
Creating SAML-based identity management providers in each account adds complexity and does not achieve centralized management of permissions. Although service control policies (SCPs) can help manage permissions, this option lacks a direct method to synchronize user credentials with the on-premises solution, making it less suitable for the CISO’s needs.
This option suggests creating individual IAM user accounts and a process for provisioning and deprovisioning, which does not provide centralized management of permissions or credential synchronization with the on-premises solution. This method is labor-intensive and does not scale well across multiple accounts, failing to meet the CISO’s requirements.
I strategize that the answer is:
Define AWS IAM roles based on the functional responsibilities of the users in a central account. Create a SAML-based identity management provider. Map users in the on-premises groups to IAM roles. Establish trust relationships between the other accounts and the central account.