AWS Certified Developer – Associate — Question 398

A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in.
What is the MOST operationally efficient solution that meets this requirement?

Answer options

• A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon API Gateway API to invoke the function. Call the API from the client side when login confirmation is received.
• B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.
• C. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status.
• D. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.

Correct answer: B

Explanation

Using an Amazon Cognito post authentication Lambda trigger is the most operationally efficient method because it natively integrates with the authentication flow to execute custom code immediately after a user signs in. Other solutions, such as relying on client-side API calls or parsing log streams from CloudWatch or Kinesis, introduce unnecessary architectural complexity and latency. Utilizing Amazon SES within this trigger allows for direct and reliable delivery of login notification emails.