AWS Certified Developer – Associate / Question #1103 of 557

Question #1103

A developer is designing an authentication system for a web application. The application must allow users to register, log in, and securely interact with backend AWS services. Which approach fulfills these requirements?

D

Provision an Amazon Cognito identity pool linked to an identity provider. Define IAM roles for authenticated users to access AWS services. Integrate the identity pool with the web application to handle authentication and authorization.

A

Use AWS IAM to create a policy granting access to the necessary services. Establish an IAM role and attach the policy. Integrate the role with the application's authentication provider via AWS STS.

B

Set up an Amazon API Gateway with IAM authorization. Create an IAM role with appropriate permissions and attach it to the API Gateway. Integrate the API endpoint with the web application for user authentication.

C

Create an Amazon Cognito user pool with multi-factor authentication and password policies. Configure an app client and integrate it with the web app. Use the user pool tokens to access AWS resources directly.

Explanation

Option D is correct because:
1. Amazon Cognito Identity Pool (Federated Identities) allows users to obtain temporary AWS credentials after authentication, which are required to interact with AWS services securely.
2. It links to an identity provider (e.g., Cognito User Pool) to handle user registration and login, fulfilling the authentication requirement.
3. IAM roles defined for authenticated users grant granular permissions to AWS services, ensuring proper authorization.

Other options are incorrect because:
- A: IAM is not designed for end-user management. While STS provides temporary credentials, it lacks built-in user registration/login flows.
- B: API Gateway with IAM authorization requires AWS signatures, which are impractical for end-users without temporary credentials from an identity provider like Cognito.
- C: Cognito User Pool tokens alone cannot access AWS services directly; they must be exchanged for AWS credentials via an Identity Pool.

Key Points: Use Cognito User Pool for user management and Identity Pool for AWS access. Identity Pools map users to IAM roles, enabling secure, scalable access to AWS resources.
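The token exchange that option D relies on (and that option C skips), as an added Python example that is not part of this question page: a User Pool ID token is presented to the Identity Pool as a login proof, and only the credentials returned by GetCredentialsForIdentity can call AWS services. The Cognito Identity client is injected, so the stand-in class, pool identifiers and token values below are constructed placeholders; with boto3 you would pass `boto3.client("cognito-identity")` instead.

```python
"""Exchange a Cognito User Pool ID token for temporary AWS credentials through
an Identity Pool. Added illustration, not from the question page. The Cognito
Identity client is injected so the flow runs offline against a constructed
stand-in; with boto3 it would be boto3.client("cognito-identity")."""


def user_pool_login_key(region: str, user_pool_id: str) -> str:
    # Identity Pools identify a User Pool provider by exactly this key format.
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def credentials_from_user_pool_token(identity_client, identity_pool_id: str,
                                     region: str, user_pool_id: str,
                                     id_token: str) -> dict:
    """Two calls: GetId, then GetCredentialsForIdentity. The User Pool ID token
    is only the login proof; the result is a short-lived access key, secret and
    session token scoped to the Identity Pool's authenticated IAM role."""
    logins = {user_pool_login_key(region, user_pool_id): id_token}
    identity_id = identity_client.get_id(IdentityPoolId=identity_pool_id,
                                         Logins=logins)["IdentityId"]
    resp = identity_client.get_credentials_for_identity(IdentityId=identity_id,
                                                        Logins=logins)
    return resp["Credentials"]


class FakeCognitoIdentity:
    """Constructed stand-in for the Cognito Identity API. It models the one rule
    the explanation relies on: without a recognised login proof, no identity and
    no authenticated-role credentials are issued (NotAuthorizedException)."""

    def __init__(self, identity_pool_id: str, expected_login_key: str):
        self.identity_pool_id = identity_pool_id
        self.expected_login_key = expected_login_key

    def get_id(self, IdentityPoolId, Logins=None):
        if IdentityPoolId != self.identity_pool_id:
            raise LookupError("ResourceNotFoundException: unknown identity pool")
        if not Logins or self.expected_login_key not in Logins:
            raise PermissionError("NotAuthorizedException: login proof required")
        return {"IdentityId": "us-east-1:00000000-0000-0000-0000-constructed00"}

    def get_credentials_for_identity(self, IdentityId, Logins=None):
        if not Logins or self.expected_login_key not in Logins:
            raise PermissionError("NotAuthorizedException: login proof required")
        # Placeholder values; a real response carries STS credentials for the role.
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED", "SecretKey": "x",
                                "SessionToken": "constructed-session-token"}}
```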

Answer

The correct answer is: D