AWS SAP-C02 · Question 17 · Domain 1.2: Security Controls
An enterprise uses AWS IAM Identity Center (AWS SSO) integrated with its on-premises Active Directory. Users are complaining that they cannot access a newly created AWS account within the organization. What is the MOST likely cause?
Answer options:
The new account has not been joined to the on-premises Active Directory domain.
Permission sets have not been provisioned to the new account for the relevant AD groups.
An SCP is blocking the sts:AssumeRoleWithSAML action in the new account.
The Active Directory Connector needs to be restarted to sync the new account.