A company wants to allow its employees to authenticate to the AWS Management Console using their existing corporate credentials. Which AWS service should be used to integrate with the company's identity provider?
IAM Identity Center supports federation with external IdPs.
Why this answer
AWS IAM Identity Center (formerly AWS SSO) is the correct service because it is specifically designed to enable single sign-on (SSO) from an external identity provider (IdP) to AWS accounts and business applications. It supports federation via SAML 2.0 or OIDC, allowing employees to authenticate using their existing corporate credentials and then access the AWS Management Console without needing separate IAM users.
Exam trap
The trap here is that candidates often confuse AWS Directory Service for Microsoft Active Directory with federation. Directory Service is for managing AD domains in AWS, not for integrating with an external corporate IdP to provide SSO to the AWS console; that requires IAM Identity Center or IAM SAML federation.
How to eliminate wrong answers
Option A is wrong because AWS Secrets Manager is a service for securely storing and rotating secrets (e.g., database credentials, API keys), not for federating identity or integrating with an external IdP for console access. Option B is wrong because AWS Directory Service for Microsoft Active Directory is used to create a managed Microsoft AD domain in AWS or connect to an on-premises AD, but it does not directly provide the federation layer to authenticate corporate users to the AWS Management Console via an external IdP; that requires IAM Identity Center or IAM SAML federation. Option C is wrong because AWS Certificate Manager (ACM) manages SSL/TLS certificates for securing network traffic, not identity federation or authentication to the AWS console.