🔥 3-day streak
AWS Certified Solutions Architect - Professional86 / 186
Question 86 of 186

A financial services company runs 40 AWS accounts under AWS Organizations. Today, engineers authenticate against the company's corporate Active Directory and assume IAM roles in individual accounts using manually distributed cross-account role ARNs and long-lived SAML metadata configured separately in each account's IAM SAML identity provider. Adding a new account requires the security team to manually create SAML providers and roles in it, and offboarding a departing employee requires editing trust policies across many accounts. The company wants to centralize federated console and CLI access, automatically extend access to newly provisioned accounts, and manage user-to-account-to-permission assignments in one place while keeping Active Directory as the source of truth. Which approach best meets these requirements with the least ongoing operational overhead?

Reviewed for accuracy · Report an issueNext question