AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The scalable pattern is to federate with SAML and pass Entra ID attributes as session tags, then use those tags in IAM policies. Because an IAM role can trust only a SAML provider that exists in the same AWS account, you automate the creation of an identical SAML identity-provider resource in every member account-commonly with AWS CloudFormation StackSets or delegated admin tooling. Entra ID is configured to emit user attributes (for example, group or department) as SAML attributes using the PrincipalTag prefix so STS converts them to session tags. Each account needs only one generic IAM role that trusts its local SAML provider. The role's permissions policy references the tags with aws:PrincipalTag condition keys, so access automatically adjusts when user attributes change. No per-user IAM objects are required, and policy updates are unnecessary when teams or resources grow.

• Creating a separate IAM role for every Entra ID group in every account leads to role sprawl and is RBAC, not ABAC.
• AD Connector integrates with on-premises Active Directory, not with cloud-only Entra ID, and does not support SAML attribute pass-through.
• OIDC federation would require the sts:AssumeRoleWithWebIdentity API, not sts:AssumeRole, and still lacks the rich SAML session-tagging features needed here.