AWS Certified Security – Specialty (SCS-C02) — Question 86

A security engineer is working with a product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.

Which combination of the following actions should the engineer take to allow users to be authenticated into the web application and call APIs? (Choose three.)

Answer options

• A. Create a custom authorization service using AWS Lambda.
• B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
• C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
• D. Configure an Amazon Cognito identity pool to integrate with social login providers.
• E. Update DynamoDB to store the user email addresses and passwords.
• F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.

Correct answer: B, C, F

Explanation

The correct actions are B, C, and F. Option B allows the mapping of SAML attributes to Cognito user pool attributes, ensuring proper user identification. Option C ensures that the SAML identity provider recognizes the Cognito user pool, facilitating authentication. Option F configures API Gateway to use the Cognito user pools for authorizing API requests, which is essential. Options A, D, and E are not necessary for the given scenario or do not directly contribute to user authentication via SAML.