AWS Certified Solutions Architect - Professional / Question #940 of 529

Question #940

A company is hosting a legacy web application on AWS using Docker containers deployed with Amazon ECS on Fargate. The application is fronted by an Application Load Balancer (ALB). The company needs to restrict access to a predefined set of users who must authenticate using multi-factor authentication (MFA). The application cannot be modified, and integration with external identity providers is not allowed.

Which solution meets these requirements?

A

Create an Amazon Cognito user pool with MFA enabled. Add the required users to the pool. Configure the ALB to authenticate users via the Cognito user pool's hosted UI before routing traffic to the Fargate service.

B

Use AWS IAM to manage user access. Attach an IAM policy to the ALB requiring MFA authentication. Configure the ALB to validate IAM credentials for user access to the application.

C

Set up AWS IAM Identity Center (AWS Single Sign-On) and create a permission set requiring MFA. Configure the ALB to redirect users to IAM Identity Center for authentication before granting access.

D

Deploy a bastion host with MFA enabled and require users to connect to the bastion host via SSH before accessing the application through port forwarding. Limit access to the bastion host using security group rules and allow only authenticated users.

Explanation

Correct Answer (A):
- An Amazon Cognito user pool can be configured so that only administrators create users (no self sign-up) and so that MFA is required rather than optional, which gives exactly the predefined set of users and the MFA requirement. An ALB HTTPS listener rule with the authenticate-cognito action then runs the OIDC authorization-code flow against the pool's hosted UI, issues its own session cookie, and only forwards the request to the Fargate target group once the user has authenticated. The application never sees unauthenticated traffic and needs no changes, and no external identity provider is involved; the ALB simply adds x-amzn-oidc-* headers that the legacy application can ignore.

Incorrect Options:
- B: IAM policies cannot be attached to an ALB, and IAM MFA conditions (such as aws:MultiFactorAuthPresent) apply to AWS API calls made with IAM credentials, not to HTTP requests from end users passing through a load balancer.
- C: ALB listener rules support only two authentication actions, authenticate-cognito and authenticate-oidc; IAM Identity Center is not a supported ALB authentication target, so the ALB cannot be configured to redirect users to it.
- D: Security group rules filter on source IP or security group, not on user identity, so they cannot "allow only authenticated users." The bastion also changes how users reach a web application (SSH plus port forwarding), and traffic tunneled past the ALB is never subject to the ALB's own authentication, so the MFA enforcement would live on the bastion rather than in front of the application.

Key Points:
- ALB’s native integration with Cognito offloads authentication without app changes.
- Cognito user pools support MFA and predefined user management.
- Legacy app constraints rule out code modifications or non-ALB authentication methods.
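The following Terraform is an added example of the wiring described in answer A; it is not part of the original question or explanation. The hostname app.example.com, the user alice, the certificate variable, the target group and security group references, and the task port 8080 are placeholders assumed for illustration. It shows the three settings that actually enforce the requirements: admin-only user creation, mfa_configuration = "ON", and the authenticate-cognito action placed before the forward action on an HTTPS listener.

```hcl
# Added example (not the page's own code). Placeholders: app.example.com,
# var.certificate_arn, aws_lb.app, aws_lb_target_group.fargate,
# aws_security_group.tasks, aws_security_group.alb, port 8080.

resource "aws_cognito_user_pool" "app" {
  name = "legacy-app-users"

  # Only administrators may create users: no self sign-up, so the pool
  # contains exactly the predefined set of users.
  admin_create_user_config {
    allow_admin_create_user_only = true
  }

  # "ON" makes MFA mandatory for every user ("OPTIONAL" would not).
  mfa_configuration = "ON"
  software_token_mfa_configuration {
    enabled = true # TOTP authenticator apps
  }
}

resource "aws_cognito_user_pool_domain" "app" {
  # Hosted UI lives at legacy-app-auth.auth.<region>.amazoncognito.com
  domain       = "legacy-app-auth"
  user_pool_id = aws_cognito_user_pool.app.id
}

resource "aws_cognito_user_pool_client" "alb" {
  name            = "alb-client"
  user_pool_id    = aws_cognito_user_pool.app.id
  generate_secret = true # the ALB authenticate-cognito action needs a client secret

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid"]
  supported_identity_providers         = ["COGNITO"] # no external IdPs

  # The ALB completes the OIDC flow at this fixed path on the app's hostname.
  callback_urls = ["https://app.example.com/oauth2/idpresponse"]
}

# A predefined user (placeholder). With mfa_configuration = "ON", the hosted
# UI forces TOTP enrollment at first sign-in before any session is issued.
resource "aws_cognito_user" "alice" {
  user_pool_id = aws_cognito_user_pool.app.id
  username     = "alice"
  attributes = {
    email          = "alice@example.com"
    email_verified = true
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS" # Cognito authentication is only available on HTTPS listeners
  certificate_arn   = var.certificate_arn

  # Action 1: authenticate. Unauthenticated requests are redirected to the hosted UI.
  default_action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.app.arn
      user_pool_client_id        = aws_cognito_user_pool_client.alb.id
      user_pool_domain           = aws_cognito_user_pool_domain.app.domain
      on_unauthenticated_request = "authenticate"
      scope                      = "openid"
      session_timeout            = 3600
    }
  }

  # Action 2: only authenticated requests reach the Fargate service.
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fargate.arn
  }
}

# Plain HTTP gets redirected, so there is no listener that skips authentication.
resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"
  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Tasks accept traffic only from the ALB's security group, so nobody can
# reach the containers directly and bypass the listener's authentication.
resource "aws_security_group_rule" "tasks_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.tasks.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
}
```

Two checks worth running after applying this: confirm the user pool reports MfaConfiguration = ON (not OPTIONAL) and AllowAdminCreateUserOnly = true in the console or via describe-user-pool, and confirm that the Fargate task security group has no ingress rule other than the one from the ALB, since an open task port would let a client skip the authenticate action entirely.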

Answer

The correct answer is: A