Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 70 discussion

https://www.examtopics.com/discussions/amazon/view/69172-exam-aws-certified-solutions-architect-professional-topic-1/ You are correct, I apologize for the oversight. To meet the requirements of the IT support workers, option D would be the correct solution: This option will first enable all features in AWS Organizations, then create and configure an AD Connector to connect to the company's on-premises Active Directory. Then, it will configure IAM Identity Center (AWS SSO) and set the AD Connector as the identity source, allowing the IT support workers to access the console using their existing Active Directory credentials. Finally, it will create permission sets and map them to the existing groups within the company's Active Directory. This solution will also be cost-effective as it does not involve creating a new directory in AWS Directory Service.

D is the correct answer.. B is wrong answer From aws documentation: Q: Which AWS accounts can I connect to IAM Identity Center? You can add any AWS account managed using AWS Organizations to IAM Identity Center. You need to enable all features in your organizations to manage your accounts single sign-on.

All features is not required.

Lower cost compared to AWS Managed Microsoft AD, since AD Connector does not require an additional managed directory service. Also, is answer D AWS Organizations does not require "all features" for IAM Identity Center to work with AD Connector. "All features" is needed for SCPs and governance, not for SSO setup.

"Need to turn on all features" didn't sound cost effective...but apparently it's a requirement to provide SSO

Question asks "MOST cost-effectively". Turning on all features is free of charge but used resources will make up a cost. D is wrong because: enabling All Features in AWS Organizations introduces governance tools that the company does not require, making it less cost-effective than B.

D. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to the company’s on-premises Active Directory. Configure IAM Identity Center and set the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.

B, Turn on the IAM Identity Center feature in Organizations... similar to D, but without enabling directy the SSO, you can't configure it...

Option D is the best because AWS FAQs asked the following question and answered: "Which AWS accounts can I connect to IAM Identity Center? You can add any AWS account managed using AWS Organizations to IAM Identity Center. You need to enable all features in your organizations to manage your accounts single sign-on." Link: https://aws.amazon.com/iam/identity-center/faqs/#product-faqs#iam-identity-center-faqs#identity-sources-and-applications-support. With the clarification that enabling all features in AWS Organizations is necessary for integrating with IAM Identity Center, Option D becomes the most accurate and compliant solution. It correctly combines the need to enable all features in AWS Organizations with the use of an AD Connector for a direct connection to the company’s on-premises Active Directory, which remains the most cost-effective way to leverage existing Active Directory credentials for AWS console access.

Most cost effective is D. But C is also technically a valid solution that meets all the other requirements. A two way trust means AD users in the on-premise AD can be added to AD groups in the AWS-managed AD.

A = you do not turn on AWS IdC feature only in AWS Orgs. It is either Consolidation billing or All features B = same as above C = requirements is to login users based on-premise AD, for this there is no need to AWS Managed AD with a local domain/directory and 2-way trust. AD Connector is enough and cheaper D = correct

I love such questions, while both B and D seems reasonable, I thinking more about B because of this https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html

you can absolutely use an AD Connector as the identity source for AWS IAM Identity Center without turning on all features in your AWS organization. In fact, it's the most cost-effective and recommended approach if you only need single sign-on functionality with your existing on-premises Active Directory

https://docs.aws.amazon.com/singlesignon/latest/userguide/prereq-orgs.html ```If you've already set up AWS Organizations and are going to add IAM Identity Center to your organization, make sure that all AWS Organizations features are enabled. When you create an organization, enabling all features is the default.```

see dev112233xx's answer

https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-prereqs-considerations.html#:~:text=if%20you've%20already%20set%20up%20aws%20organizations%2C%20make%20sure%20that%20all%20features%20are%20enabled.

i think it's b because having all the features enabled is not a requirement, otherwise it could incour in more charges. the features are not enabled by default , you have to go one by one or select all to enable them