AWS Certified Solutions Architect - Associate / Question #1503

Question #1503

A company aims to restructure its existing AWS accounts into a multi-account architecture using AWS Organizations. The company needs centralized authentication across all accounts via its existing corporate directory service while ensuring proper governance. Which combination of steps should a solutions architect take to fulfill these requirements? (Choose two.)

A

Create a new AWS Organizations organization with all features enabled. Move existing AWS accounts into the organization.

B

Deploy an Amazon Cognito user pool for identity management. Link the user pool to AWS IAM Identity Center (AWS Single Sign-On).

C

Implement service control policies (SCPs) to enforce permissions. Integrate AWS Directory Service with the corporate directory.

D

Establish a new AWS Organizations organization. Configure AWS Directory Service as the primary authentication source for the organization.

E

Enable AWS IAM Identity Center (AWS Single Sign-On) within the organization. Integrate IAM Identity Center with the corporate directory service.

Explanation

To meet the requirements:

- A is correct because AWS Organizations is the foundation for multi-account management. Creating the organization with all features enabled (rather than the consolidated-billing-only feature set) is what makes service control policies (SCPs) and the other organization policy types available for governance; consolidated billing is included with either feature set.
- E is correct because IAM Identity Center (the successor to AWS Single Sign-On) is the organization-level service that provides sign-in and permission-set assignment across every member account. Its identity source can be an Active Directory (through AWS Directory Service, either AWS Managed Microsoft AD or an AD Connector to the on-premises domain) or an external SAML 2.0 identity provider, with SCIM for automatic provisioning, so the existing corporate directory is reused rather than copied into a separate user store.

Why other options are incorrect:
- B: Amazon Cognito user pools are an identity store for customer-facing applications. A Cognito user pool is not a supported identity source for IAM Identity Center, and it would duplicate the corporate directory rather than integrate with it.
- C: SCPs are part of governance, but they are guardrails that set the maximum permissions available in an account; they never grant access on their own. Standing up AWS Directory Service beside the corporate directory also does nothing for centralized authentication: without IAM Identity Center (or per-account federation) there is still no single sign-in into the member accounts.
- D: AWS Organizations has no setting that makes AWS Directory Service the "primary authentication source" for an organization. Directory Service can be one component of the Identity Center integration (for example an AD Connector pointed at the corporate domain), but the service that actually authenticates users into the accounts and assigns permission sets is IAM Identity Center.

Key Points:
1. Use AWS Organizations with all features enabled for multi-account governance via SCPs. SCPs do not apply to the management account, so keep workloads and day-to-day users out of it.
2. Use IAM Identity Center (AWS SSO) as the single sign-in point, with the existing corporate directory as its identity source.
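Because option C's wording ("SCPs to enforce permissions") is the usual misunderstanding, the following is an added example (not part of the original question page, and not AWS code) that models how SCPs combine with an identity policy: every SCP level from the root down to the account must allow the action, no SCP may deny it, and the principal's own IAM policy must still grant it. The SCP document, the policy names and the test cases are constructed for illustration; only the single condition key the sample uses (aws:RequestedRegion) is implemented.

```python
"""Minimal model of SCP + IAM identity-policy evaluation (added example)."""
import fnmatch
import json

# Constructed guardrail SCP: the default FullAWSAccess allow plus typical deny
# statements an organisation might attach at the root or an OU.
SCP_GUARDRAILS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
    {"Sid": "DenyCloudTrailTampering", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
     "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}
  ]
}
""")

# Constructed mistake: an OU-level SCP that forgot the FullAWSAccess allow.
# Because each level needs an explicit Allow, this denies everything below it.
SCP_DENY_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

# Constructed identity policies attached to a principal in a member account.
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
IAM_S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_met(condition, region):
    """Evaluate the only condition key the sample policies use."""
    if not condition:
        return True
    for operator, key_values in condition.items():
        for key, values in key_values.items():
            if key != "aws:RequestedRegion":
                raise ValueError(f"unsupported condition key: {key}")
            values = [values] if isinstance(values, str) else values
            if operator == "StringEquals" and region not in values:
                return False
            if operator == "StringNotEquals" and region in values:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator: {operator}")
    return True


def _applies(stmt, action, region):
    """A statement applies if its Action (or the complement of NotAction)
    matches the call and its Condition holds."""
    if "Action" in stmt:
        hit = _matches(stmt["Action"], action)
    else:
        hit = not _matches(stmt["NotAction"], action)
    return hit and _condition_met(stmt.get("Condition"), region)


def policy_allows(policy, action, region):
    """Single-policy decision: explicit Deny wins, then any Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, region)}
    return "Deny" not in effects and "Allow" in effects


def is_permitted(scp_chain, identity_policy, action, region):
    """Effective decision for a principal in a member account. scp_chain holds
    one merged policy per level (root, OUs, account); SCPs intersect, and the
    identity policy must grant the action as well, since SCPs never grant."""
    return (all(policy_allows(scp, action, region) for scp in scp_chain)
            and policy_allows(identity_policy, action, region))


if __name__ == "__main__":
    for action, region, iam in [("s3:CreateBucket", "eu-west-1", IAM_ADMIN),
                                ("s3:CreateBucket", "us-east-1", IAM_ADMIN),
                                ("iam:CreateUser", "us-east-1", IAM_ADMIN),
                                ("cloudtrail:StopLogging", "eu-west-1", IAM_ADMIN),
                                ("ec2:RunInstances", "eu-west-1", IAM_S3_ONLY)]:
        print(action, region, is_permitted([SCP_GUARDRAILS], iam, action, region))
```

The last case is the one option C gets wrong: the SCP allows ec2:RunInstances, yet the principal cannot call it because nothing in their identity policy grants it. The deny-only SCP shows the opposite trap: attaching it to an OU without also attaching FullAWSAccess at that level blocks every action for the accounts underneath.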

Answer

The correct answer is: AE