Which solution will meet these requirements with the LEAST amount of effort?
Create an Active Directory connector using AWS Directory Service. Create IAM users in the target accounts with the appropriate trust policy.
Create an Active Directory connector using AWS Directory Service. Associate the directory with AWS Single Sign-On (AWS SSO). Configure user access to target accounts through AWS SSO.
Create an Amazon Cognito federated identity pool. Associate the pool identity with the on-premises directory. Configure the IAM roles with the appropriate trust policy.
Create an identity provider in AWS IAM associated with the on-premises directory. Create IAM roles in the target accounts with the appropriate trust policy.
Explanations:
AD Connector only proxies authentication requests to the on-premises directory; it does not provision IAM users in any account. Creating separate IAM users in each target account duplicates identities and credentials outside the directory, and a trust policy attaches to an IAM role, not to an IAM user, so this option is both the most effort and the weakest fit for the requirement.
AD Connector can be set as the identity source for AWS SSO (now IAM Identity Center). Permission sets assigned to Active Directory groups are pushed into each target account as IAM roles automatically, and users sign in to the access portal with their existing on-premises credentials, so this is the option that meets the requirement with the least effort.
Amazon Cognito identity pools exchange an application user's identity for temporary credentials for roles in a single account; they are designed for application end users, not for workforce access to the console across multiple accounts. An identity pool also cannot be associated with Active Directory directly (it needs a SAML or OIDC provider in front of it), so this would require more configuration than AWS SSO.
It is possible to create a SAML identity provider in IAM, but IAM cannot talk to Active Directory directly, so a SAML IdP such as AD FS is needed in front of the directory. The identity provider and a role with the appropriate trust policy must then be created separately in every target account, and the IdP must be configured with the role mapping for each one. This works, but it is per-account manual configuration compared with the AWS SSO integration.
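To make concrete what the per-account configuration in the last option involves, here is an added example (not part of the original question and not AWS documentation) of the role trust policy that would have to be created in each target account. The account ID `123456789012` and the provider name `OnPremAD` are placeholders for this illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/OnPremAD"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The `SAML:aud` condition is the check a practitioner would want: it restricts the assertion to the AWS sign-in endpoint, so an assertion issued for some other relying party cannot be replayed against the role. This policy, the `saml-provider` it references, and the IdP-side role mapping must all be repeated for every target account; AWS SSO generates the equivalent role in each account from a permission set, which is the effort difference the explanation above describes.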