AWS Certified Security – Specialty (SCS-C02) — Question 156

A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application’s users will come from France.

When the company launches the application, the company’s security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France.

The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

• A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.
• B. Use a geographic match rule statement to configure an AWS WAF web ACL Associate the web ACL with the Amazon Cognito user pool.
• C. Configure an app client for the application's Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.
• D. Update the application’s Amazon Cognito user pool to configure a geographic restriction setting.
• E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.

Correct answer: A, B

Explanation

Option A is correct because creating a pre sign-up AWS Lambda trigger allows for custom validation logic to be applied to registration requests. Option B is also correct as using a geographic match rule in an AWS WAF web ACL can help block requests from outside France. Options C, D, and E do not provide the necessary custom validation mechanism needed to prevent fraudulent sign-ups effectively.