Question #834
A developer is building a mobile application that requires users to authenticate via third-party social platforms. The application uses AWS Lambda functions behind an Amazon API Gateway REST API to handle backend logic. The solution must ensure secure authentication, minimize operational overhead, and avoid storing or managing user credentials directly. Which approach meets these requirements?
Implement Amazon Cognito user pools with federated social identity providers and configure IAM roles using an identity pool.
Store user credentials in an Amazon DynamoDB table and validate logins using IAM policies attached to the table.
Create individual IAM users for each application user and assign IAM policies to grant resource access.
Use an Amazon RDS PostgreSQL database to store user credentials and manage permissions via database roles.
Explanation
Answer A is correct because:
- Amazon Cognito User Pools enable federated authentication via social identity providers (e.g., Facebook, Google), eliminating the need to store or manage user credentials.
- Identity Pools assign temporary IAM roles to authenticated users, allowing secure access to AWS resources (e.g., Lambda, API Gateway).
- Operational overhead is minimized as Cognito is fully managed and integrates seamlessly with AWS services.
Other options fail because:
- B and D involve storing credentials, violating the requirement.
- C requires creating IAM users per application user, which is operationally heavy and not scalable.
Key Points: Use Cognito for federated authentication and identity pools for IAM roles to avoid credential management and reduce overhead.
Answer
The correct answer is: A