AWS Certified Security – Specialty (SCS-C02) — Question 277
A company runs a custom online gaming application. The company uses Amazon Cognito for user authentication and authorization.
A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito.
Which solution will meet these requirements?
Answer options
- A. Create a set of IAM roles and IAM policies. Configure the Cognito identity pool to assign users to the IAM roles.
- B. Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.
- C. Create customer managed permissions by using AWS Resource Access Manager (AWS RAM). Configure the Cognito identity pool to assign users to the customer managed permissions.
- D. Create a set of IAM users and IAM policies. Configure the Cognito user pool to assign users to the IAM users.
Correct answer: B
Explanation
Amazon Verified Permissions is designed specifically to provide fine-grained authorization for custom applications, and it natively supports an Amazon Cognito user pool as an identity source, so the user attributes carried in Cognito tokens can be mapped into the policy store's schema and evaluated by authorization policies. IAM roles and IAM users (Options A and D) are intended for AWS infrastructure-level access control, not for permissions on resources inside the application. AWS Resource Access Manager (Option C) is used for sharing AWS resources across accounts and does not perform application-level authorization based on Cognito attributes.