Which solution will meet these requirements?
A. Configure AWS Single Sign-On (AWS SSO) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based access controls (ABACs).
B. Configure AWS Single Sign-On (AWS SSO) by using AWS SSO as an identity source. Enable automatic provisioning by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using AWS SSO permission sets.
C. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider. Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM users.
D. In one of the company's AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active Directory. Grant access to the required AWS accounts by using cross-account IAM roles.
Explanations:
A (correct). AWS SSO can federate with the existing Active Directory, exposed through a SAML 2.0 identity provider, so authentication stays with the directory the company already manages. SCIM v2.0 then pushes users, groups and their attributes from the directory into AWS SSO automatically, so joiners, movers and leavers are handled in one place and no second user store has to be kept in sync by hand. Those synchronized attributes (for example a cost center or department) can be used as attributes for access control: permission-set policies grant or deny on the user's attributes rather than on per-user, per-account assignments, which is what lets access to every account in the organization be governed from a single location.
B. Using AWS SSO's own directory as the identity source does let AWS SSO manage users, but it creates a second identity store alongside Active Directory: every user would have to exist in both, and removing someone from the directory would not remove their AWS access. The SCIM step does not help here, because automatic provisioning in AWS SSO is only available when an external identity provider is the identity source. This violates the requirement to manage identities in a single location.
C. IAM SAML 2.0 federation is designed around federated users assuming IAM roles; provisioning IAM users "mapped to" the federated users duplicates each person as a long-lived IAM principal with its own credentials that must be created, updated and deleted manually whenever Active Directory changes. IAM users are also scoped to a single account, so there is no such thing as a cross-account IAM user: reaching the other accounts would still require separate users or roles in each one. Identity management ends up scattered across accounts rather than centralized.
D. Active Directory would need an OIDC-capable federation layer in front of it, and IAM federation is configured per account: the OIDC identity provider, the IAM roles and their trust policies are resources of the one account, and access to every other account has to be expressed as additional cross-account roles and trust relationships. Access decisions therefore live in many IAM trust and permission policies spread across the organization instead of in a single place, so this option does not meet the requirement either.
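To make the ABAC part of option A concrete, the following permission-set policy is an added example, not taken from the question or from AWS documentation. It assumes that a SCIM-synchronized user attribute has been mapped in AWS SSO's attributes for access control under the key CostCenter (an assumed name); AWS SSO passes it into the session as a principal tag, so the policy can compare aws:PrincipalTag/CostCenter against the CostCenter tag on each resource. One policy then serves every user in every account the permission set is assigned to, with no per-user statements.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyInstancesTaggedWithOwnCostCenter",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"
        }
      }
    },
    {
      "Sid": "DenyRetaggingToEscapeAbacScope",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "CostCenter"
        }
      }
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
```

Two checks worth doing before relying on a policy like this: confirm that the attribute is actually arriving in the session (a user whose CostCenter attribute is empty in the directory matches nothing and is simply denied), and keep a Deny on changing the tag key used for the match, as in the second statement, otherwise a user who can tag resources can move them into their own scope. The ec2:Describe* statement uses Resource "*" because those actions do not support resource-level permissions.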