Question #1113
A company is developing a web application hosted on AWS and wants users to authenticate using social media platforms such as Google and Facebook. The solution must integrate seamlessly with these identity providers (IdPs) without managing user credentials. Which AWS service should be used to fulfill this requirement?
A. AWS IAM
B. Amazon Cognito
C. AWS Single Sign-On (SSO)
D. AWS Directory Service
Explanation
Amazon Cognito (B) is designed specifically for user identity and access management in web and mobile apps. It supports social identity providers (IdPs) such as Google and Facebook, as well as OpenID Connect (OIDC) and SAML providers, so users can sign in without the application ever storing or verifying their passwords. Cognito User Pools handle user registration, sign-in, and federation, delegating credential storage and verification to the IdPs and issuing tokens to the application.
Why the other options are incorrect:
- AWS IAM (A): Manages access to AWS resources, not end-user authentication via social IdPs.
- AWS SSO (C): Focuses on enterprise single sign-on for AWS accounts or SAML-enabled apps, not social login for web apps.
- AWS Directory Service (D): Integrates Microsoft Active Directory for enterprise networks, not social media authentication.
Key Points:
- Use Cognito for social/third-party IdP integration in apps.
- Avoid managing credentials by relying on federated identities.
- Cognito User Pools handle authentication flows and token management.
Answer
The correct answer is: B