AWS Certified Developer – Associate — Question 322

A developer is creating a new application that will be accessed by users through an API created using Amazon API Gateway. The users need to be authenticated by a third-party Security Assertion Markup Language (SAML) identity provider. Once authenticated, users will need access to other AWS services, such as Amazon S3 and Amazon DynamoDB.

How can these requirements be met?

Answer options

• A. Use an Amazon Cognito user pool with SAML as the resource server.
• B. Use Amazon Cognito identity pools with a SAML identity provider as one of the authentication providers.
• C. Use the AWS IAM service to provide the sign-up and sign-in functionality.
• D. Use Amazon CloudFront signed URLs to connect with the SAML identity provider.

Correct answer: B

Explanation

Amazon Cognito identity pools enable federated authentication, allowing users authenticated via an external SAML identity provider to obtain temporary AWS credentials to access services like Amazon S3 and Amazon DynamoDB. Amazon Cognito user pools are used for user directories and authentication rather than directly granting temporary AWS credentials for resource access. Neither AWS IAM nor Amazon CloudFront signed URLs are designed to handle SAML federation and user sign-in flows in this manner.