You are managing the AWS account of a big organization. The organization already has a third-party service to perform the user authentication. The organization has more than 1000+ employees, and they want to provide access to various AWS services to most of the employees. Which of the below mentioned options is the best possible solution in this case?

Answer options:

A.The user should create a separate IAM user for each employee and provide access to them as per the policy.
B.The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2instance and setup AWS authentication on that server.
C.The user should create IAM groups for each user as per the organization’s departments and add each user to the group for better access control.
D.Create IAM roles to work with the organization’s authentication service to authorize users for various AWS services.

Answer – D
The best practice for IAM is to create roles that have specific access to an AWS service and then give the user permission to the AWS service via the role.
Option A is incorrect because creating a separate IAM user is not a feasible solution here. Instead, creating an IAM role would be a more appropriate solution.
Option B is incorrect because this is an invalid workflow of using IAM roles for authenticating the users.
Option C is incorrect because creating an IAM group for each user is not a best practice.
Option D is CORRECT because it authenticates the users with the organization’s authentication service and associates an appropriate IAM Role for accessing the AWS services.
For the best practices on IAM policies, please visit the link
http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html