AWS IAM Identity Center (formerly AWS SSO) is the recommended service for centrally managing workforce access to multiple AWS accounts and applications. It integrates seamlessly with AWS Organizations, allowing for scalable management. IAM Identity Center can connect to an external identity provider (IdP), enabling employees to use their existing corporate credentials to sign in. Users and groups can be provisioned from the IdP into IAM Identity Center, and then permission sets are used to grant role-based access to the various AWS accounts within the organization. This solution directly meets all the requirements for centralized, federated access for thousands of users across multiple accounts.

A. Creating individual IAM users for thousands of employees across 10 accounts is not scalable and is a significant management overhead. Federation provides temporary credentials to assume roles, not to authenticate IAM users.

B. Using the root user for regular access is a major security anti-pattern. The root user should be highly secured and used only for specific account management tasks, not for general employee access.

D. AWS Resource Access Manager (AWS RAM) is used for sharing specific AWS resources (e.g., subnets, Transit Gateways) across accounts, not for managing user identities or providing federated access to accounts.

1. AWS IAM Identity Center User Guide

"What is AWS IAM Identity Center?": "AWS IAM Identity Center (IAM Identity Center) helps you to securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications." This document also details connecting to an external identity provider under the "Choose your identity source" section.

2. AWS IAM Identity Center User Guide

"Manage access to AWS accounts": This section explains how IAM Identity Center uses permission sets to control access to AWS accounts within an AWS Organization

which is the core of the solution required by the question.

3. AWS IAM User Guide

"Identity providers and federation": This guide explains that federation allows you to manage user identities outside of AWS and grant them temporary credentials to access AWS resources by assuming IAM roles. This contrasts with creating permanent IAM users.

4. AWS Security Best Practices Whitepaper

"AWS Identity and Access Management" section: This whitepaper emphasizes using IAM Identity Center for managing human user access

stating

"For human users that require access to your AWS accounts and workloads

we recommend that you use AWS IAM Identity Center to provide a single sign-on experience." (Page 10).

5. AWS Resource Access Manager User Guide

"What is AWS Resource Access Manager?": "AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization." This confirms RAM's purpose is resource sharing

not identity federation.