AWS IAM Identity Center (formerly AWS SSO) is designed for centrally managing Single Sign-On (SSO) access to multiple AWS accounts and applications. It integrates with AWS Organizations to provide a single point of administration. By configuring the existing on-premises Active Directory as the identity source (typically via AWS Directory Service AD Connector), the company can allow employees to use their current credentials. IAM Identity Center has built-in capabilities to enforce multi-factor authentication (MFA). Permissions are managed centrally by creating permission sets and assigning Active Directory groups to these sets for specific AWS accounts, fulfilling all the stated requirements in a streamlined and recommended manner.

A. This approach is decentralized and inefficient. Managing IAM identity providers and roles in each account separately defeats the purpose of central management, which is a core benefit of IAM Identity Center.

B. This solution creates a new, separate directory instead of using the existing on-premises Active Directory, which directly violates a primary requirement of the company.

D. This describes a complex, custom synchronization solution that creates duplicate IAM users. This is an anti-pattern that increases management overhead and security risks compared to using federation with IAM Identity Center.

1. AWS IAM Identity Center User Guide - How it works: "IAM Identity Center is integrated with AWS Organizations

which helps you to centrally manage the billing

apply policies

and simplify access management across multiple AWS accounts... You can choose to manage your users and groups in IAM Identity Center

or manage them in a connected directory

including AWS Directory Service

or an external identity provider." This supports the central management and identity source aspects of option C.

Source: AWS IAM Identity Center User Guide

"What is AWS IAM Identity Center?"

"How it works" section.

2. AWS IAM Identity Center User Guide - Choose your identity source: "When you use Active Directory as your identity source

your users can sign in to the AWS access portal with their Active Directory credentials. You can connect to your self-managed Active Directory in your on-premises data center..." This confirms the ability to use an existing on-premises AD.

Source: AWS IAM Identity Center User Guide

"Manage your identity source"

"Choose your identity source" section.

3. AWS IAM Identity Center User Guide - Multi-factor authentication: "You can enable multi-factor authentication (MFA) for your users in IAM Identity Center... When MFA is enabled

users are prompted for an MFA code from their authenticator app when they sign in to the AWS access portal." This confirms the MFA enforcement capability.

Source: AWS IAM Identity Center User Guide

"Security"

"Multi-factor authentication" section.

4. AWS Directory Service Administration Guide - AD Connector: "AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud." This explains the mechanism for connecting the on-premises AD.

Source: AWS Directory Service Administration Guide

"What is AWS Directory Service?"

"AD Connector" section.