An organization is using AWS IAM Identity Center (successor to AWS SSO) integrated with their on-premises Active Directory. Users are complaining about access denied errors when assuming roles in member accounts, despite being in the correct AD groups. Which TWO areas should the architect investigate? (Select TWO)

Answer options:

Check if the IAM users in the member accounts have the correct policies attached.

Verify the VPC Peering connection between the member accounts and the on-premises AD.

Review the Permission Sets assigned to the AD groups in IAM Identity Center.

Check the Service Control Policies (SCPs) applied to the member accounts.

Ensure the AWS Directory Service AD Connector is deployed in every member account.

Verify the SAML metadata file is uploaded to each member account.

How to approach this question

Understand how IAM Identity Center permissions and Organizations SCPs interact.

Full Answer

C,D

Access issues in IAM Identity Center are typically caused by misconfigured Permission Sets (which define the role's policies) or restrictive SCPs at the Organization level that override the allowed permissions.

Common mistakes

Looking for IAM users or local SAML configurations in a centralized Identity Center setup.

Question 19 All questions Question 21

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...Easy Q02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...Easy Q03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...Easy Q04An architect needs to design a highly available database architecture that spans multiple AWS Reg...Easy Q05A global financial institution is migrating its core banking application to AWS. The application ...Medium

View all 75 questions →