AWS Certified Security – Specialty (SCS-C02) — Question 297
A company uses Amazon Cognito for external user authentication for a web application. External users report that they can no longer log in to the application.
What is the FIRST step that a security engineer should take to troubleshoot the problem?
Answer options
- A. Review AWS CloudTrail logs to identify authentication errors that relate to Cognito users.
- B. Use AWS Identity and Access Management Access Analyzer to delete all unused IAM roles and users.
- C. Review any recent changes in Cognito configuration, IAM policies, and role trust policies to identify issues.
- D. Write a script that uses CLI commands to reset all user passwords in the Cognito user pool.
Correct answer: C
Explanation
The first logical step in troubleshooting a sudden authentication outage is to check for recent configuration changes that might have broken the integration, such as modifications to the Cognito user pool settings, the IAM policies, or the role trust policies that the application and identity pool depend on. AWS CloudTrail does not log Cognito user pool data plane authentication events (user sign-ins) by default, so it is of little use for immediate analysis of login failures. Deleting unused IAM resources or resetting all user passwords are disruptive actions that change the environment further without helping to diagnose the root cause of the issue.