How does AWS IAM Identity Center support centralized access management in a multi-account environment?

Multiple Choice

Explanation:
IAM Identity Center achieves centralized access management across multiple AWS accounts by acting as the central identity source and delivering SSO to many accounts through permission sets. You manage users and groups in one place, then assign them to different AWS accounts with specific permission sets that define what they can do in each account. This setup lets a single user sign in once and access multiple accounts with consistent, predefined permissions, rather than juggling separate credentials for each account.

IAM Identity Center also centralizes user management with MFA enforcement and keeps an auditable trail of sign-ins and access changes, often via CloudTrail and Identity Center activity data. This combination provides a unified, secure, and compliant way to handle access across a multi-account environment.

It doesn’t replace AWS Organizations; rather, it works with it to enable SSO across accounts. The options describing access limited to a single account, replacing Organizations, or disabling MFA do not fit how IAM Identity Center is designed to operate.
