The least operational overhead approach is to use AWS Directory Service with AWS Managed Microsoft AD and establish a trust relationship with the existing on-premises Microsoft Active Directory. This pattern lets employees continue using their existing corporate credentials while AWS operates the directory infrastructure (patching, monitoring, availability, and domain controller management), reducing the burden compared to building and maintaining custom federation components. With a trust in place, identities and group memberships from the on-premises directory can be used for authentication and authorization workflows in AWS.

To provide role-based access to AWS resources and the AWS Management Console, users should assume IAM roles that grant permissions based on job function. IAM roles with appropriate trust policies enable temporary credentials and least-privilege access without creating long-lived IAM users for every employee. This aligns with AWS best practices of centralized identity management and using roles for access control.

Option B is not a standard direct integration pattern: IAM does not “LDAP bind” directly to on-premises AD for console access. Option C can work (custom identity broker + STS) but increases operational overhead because the company must build, secure, operate, and maintain the broker, including availability, updates, and incident response. Option D is not the typical solution for employee console federation from AD; Amazon Cognito is primarily aimed at customer identity and application sign-in, not as the primary mechanism for workforce console access to AWS accounts.

Therefore, A provides the required federation with the smallest operational footprint while supporting role-based access control.