A company that uses AWS Organizations is using AWS IAM Identity Center to administer access...

AWS IAM Identity Center permission sets that include customer managed policies require those policies to exist in each target account. According to the AWS Certified Security – Specialty Study Guide, customer managed policies are account-scoped and are not automatically propagated across accounts by Identity Center.

When assigning a permission set across multiple accounts, Identity Center attempts to attach the referenced customer managed policy in each account. If the policy does not exist, the assignment fails. Creating the same customer managed policy with identical name and permissions in every target account resolves the issue.

Option B increases complexity. Option C does not address the root cause. Option D violates Identity Center management best practices.

AWS documentation clearly states that customer managed policies must be present in all accounts where permission sets are applied.

Referenced AWS Specialty Documents:

AWS Certified Security – Specialty Official Study Guide

AWS IAM Identity Center Permission Sets

AWS Organizations and Identity Center Policy Management