A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts and business applications. The company uses Microsoft Active Directory on-premises. Which AWS service should be used to integrate with the existing directory?
Integrates with on-premises AD via AD Connector or managed AD.
Why this answer
AWS IAM Identity Center (formerly AWS SSO) can be connected to an AWS Managed Microsoft AD directory to provide a single sign-on experience across multiple AWS accounts and business applications. With this integration, users authenticate with their existing on-premises Active Directory credentials, either through AD Connector or through a two-way forest trust between the managed directory and the on-premises forest, and then get access to the AWS Management Console, the AWS CLI, and supported SAML 2.0 applications from one access portal.
Exam trap
The trap here is that candidates often confuse AWS IAM Identity Center with AWS IAM and assume IAM alone can provide SSO across multiple accounts. IAM is scoped to a single account; it lacks the centralized access portal and the cross-account federation capabilities that IAM Identity Center provides.
How to eliminate wrong answers
Option A is wrong because Amazon Cognito user pools are designed for customer-facing identity and access management, not for integrating with an existing on-premises Microsoft Active Directory for employee SSO across multiple AWS accounts.
Option B is wrong because AWS Organizations is a service for centrally managing and governing multiple AWS accounts, not for providing identity federation or SSO capabilities.
Option C is wrong because AWS IAM is used for managing permissions for individual AWS users and roles, but it does not natively support SSO integration with on-premises Active Directory or provide a centralized portal for accessing multiple AWS accounts and business applications.