A company wants to use its existing corporate identities (such as Active Directory) to centrally provide employees with single sign-on (SSO) access to multiple AWS accounts. Which service is the MOST suitable?

Correct answer: D

Explanation

The question asks which mechanism provides SSO to multiple AWS accounts while reusing existing corporate identities.

  • existing corporate identities: reusing an existing authentication system such as Active Directory means federation
  • single sign-on (SSO): access to multiple services after a single authentication
  • multiple AWS accounts: centralized access management across accounts
A: Incorrect

Create a separate IAM user for each employee in each AWS account.

Creating an IAM user in every account means each employee holds one set of credentials per account (password, MFA device and access keys multiplied by the number of accounts), which is cumbersome to manage and easy to leave behind when someone leaves or changes roles.

It does not meet the requirement to provide SSO centrally with existing identities, so it is incorrect.

B: Incorrect

Share the root user among employees.

Sharing the root user is a serious security risk: every action is attributed to the same unrestricted identity, and the root user cannot be constrained by IAM policies. It is also not a means of SSO.

It does not suit the requirement at all, so it is incorrect.

C: Incorrect

Share access keys within the company.

Sharing long-lived access keys carries a high risk of leakage and makes it impossible to attribute actions to individuals in CloudTrail.

It is unrelated to SSO with existing identities, so it is incorrect.

D: Correct

Use AWS IAM Identity Center (federation).

This is correct. AWS IAM Identity Center connects (federates) with existing corporate identities (Active Directory or an external IdP) and centrally provides employees with SSO access to multiple AWS accounts and applications.

Employees log in once with their usual corporate credentials (plus MFA) and can switch from the access portal to any of the accounts and SaaS applications they are authorized for without logging in again. You define a permission set once (for example, "finance gets read-only, developers get admin") and assign it to a group across many accounts in bulk, and removing access on departure or transfer propagates to every account from a single change on the corporate identity side. There is no need to create IAM users per account, which also removes the risk of orphaned IAM users that nobody remembered to delete.
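The "define once, assign everywhere" pattern described above, as an added example that is not part of the original page: a small Python script that expands an access model (group, permission set, managed policy) into per-account assignments and drives the sso-admin API with the real boto3 method names (create_permission_set, attach_managed_policy_to_permission_set, create_account_assignment). The instance ARN, account IDs and identity-store group IDs are constructed placeholders, and a recording fake client stands in for boto3.client("sso-admin") so the script runs offline; pass a real client and the same code makes the real calls.

```python
"""Plan and apply IAM Identity Center account assignments for many accounts.

Added example, not code from the original page. The ARN, account IDs and
group IDs below are constructed placeholders, not real resources.
"""
from dataclasses import dataclass, field

# Constructed placeholders (assumptions, not real resources).
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-example"
ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

# Define access once: group -> (permission set name, AWS managed policy ARN).
# Mirrors the page's example: finance gets read-only, developers get admin.
ACCESS_MODEL = {
    "finance": ("FinanceReadOnly", "arn:aws:iam::aws:policy/ReadOnlyAccess"),
    "developers": ("DeveloperAdmin", "arn:aws:iam::aws:policy/AdministratorAccess"),
}
# Identity-store group IDs as returned by identitystore:ListGroups (placeholders).
GROUP_IDS = {"finance": "g-finance-0001", "developers": "g-dev-0001"}


def plan_assignments(access_model, group_ids, accounts):
    """Expand the access model into the (permission set, group, account)
    triples Identity Center needs; one assignment per group per account."""
    plan = []
    for group, (ps_name, _policy_arn) in access_model.items():
        for account in accounts:
            plan.append({"permission_set": ps_name,
                         "principal_id": group_ids[group],
                         "account_id": account})
    return plan


def apply_plan(client, access_model, group_ids, accounts, instance_arn=INSTANCE_ARN):
    """Create each permission set once, attach its policy, then assign it to the
    group in every account. Returns counts so the caller can verify the result."""
    ps_arns = {}
    for group, (ps_name, policy_arn) in access_model.items():
        resp = client.create_permission_set(
            InstanceArn=instance_arn, Name=ps_name,
            Description=f"{group} access", SessionDuration="PT8H")
        arn = resp["PermissionSet"]["PermissionSetArn"]
        client.attach_managed_policy_to_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=arn,
            ManagedPolicyArn=policy_arn)
        ps_arns[ps_name] = arn

    plan = plan_assignments(access_model, group_ids, accounts)
    for item in plan:
        # Same call shape as boto3's sso-admin client; TargetType is always
        # AWS_ACCOUNT, and the principal is the group, never an individual user.
        client.create_account_assignment(
            InstanceArn=instance_arn,
            TargetId=item["account_id"], TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[item["permission_set"]],
            PrincipalType="GROUP", PrincipalId=item["principal_id"])
    return {"permission_sets": len(ps_arns), "assignments": len(plan)}


@dataclass
class FakeSsoAdmin:
    """Offline stand-in for boto3.client("sso-admin"): records every call and
    invents permission-set ARNs. Replace with the real client to apply for real."""
    calls: list = field(default_factory=list)

    def create_permission_set(self, **kw):
        self.calls.append(("create_permission_set", kw))
        return {"PermissionSet": {"PermissionSetArn":
                                  f"{kw['InstanceArn']}/ps-{kw['Name'].lower()}"}}

    def attach_managed_policy_to_permission_set(self, **kw):
        self.calls.append(("attach_managed_policy_to_permission_set", kw))
        return {}

    def create_account_assignment(self, **kw):
        self.calls.append(("create_account_assignment", kw))
        return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS"}}


if __name__ == "__main__":
    fake = FakeSsoAdmin()
    print(apply_plan(fake, ACCESS_MODEL, GROUP_IDS, ACCOUNTS))
    for name, kw in fake.calls:
        print(name, kw.get("Name") or kw.get("TargetId"), kw.get("PrincipalId", ""))
```

Because assignments are made to groups rather than users, offboarding is a single change in the corporate directory: once the user leaves the group (or is disabled) on the identity-provider side, every account assignment stops applying, with no per-account cleanup.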

Key Takeaway

"SSO with existing identities" and "centralized management of multiple accounts" mean IAM Identity Center (formerly AWS SSO) / federation. Creating separate IAM users per account is inefficient and does not fit the requirement.