AWS Certified SysOps Administrator SOA-C01 – Question148

You are managing the AWS account of a big organization. The organization has more than 1000+ employees and they want to provide access to the various services to most of the employees. Which of the below mentioned options is the best possible solution in this case?

A.
The user should create a separate IAM user for each employee and provide access to them as per the policy
B. The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and setup AWS authentication on that server
C. The user should create IAM groups as per the organization’s departments and add each user to the group for better access control
D. Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services

Correct Answer: D

Explanation:

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. The user is managing an AWS account for an organization that already has an identity system, such as the login system for the corporate network (SSO). In this case, instead of creating individual IAM users or groups for each user who need AWS access, it may be more practical to use a proxy server to translate the user identities from the organization network into the temporary AWS security credentials. This proxy server will attach an IAM role to the user after authentication.