AWS Certified Security – Specialty (SCS-C03) — Question 6
A company allows users to download its mobile app onto their phones. The app is MQTT based and connects to AWS IoT Core to subscribe to specific client-related topics.
Recently, the company discovered that some malicious attackers have been trying to get a Trojan horse onto legitimate mobile phones. The Trojan horse poses as the authentic application and uses a client ID with injected special characters to gain access to topics outside the client's privilege scope.
Which combination of actions should the company take to prevent this threat? (Choose two.)
Answer options
- A. In the application, use an IoT thing name as the client ID to connect the device to AWS IoT Core.
- B. In the application, add a client ID check. Disconnect from the server if any special character is detected.
- C. Apply an AWS IoT Core policy that allows "AWSIoTWirelessDataAccess" with the principal set to "client/${iot:Connection.Thing.ThingName}"
- D. Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:ClientId}".
- E. Apply an AWS IoT Core policy to the device to allow "iot:Connect" with the resource set to "client/${iot:Connection.Thing.ThingName}".
Correct answer: A, E
Explanation
Option A is correct because, when the app uses the registered IoT thing name as its MQTT client ID, the client ID is no longer a free-form value chosen by whatever code is running on the phone; it has to agree with the thing that the device's certificate is attached to in the AWS IoT registry. Option E completes the control: with the "iot:Connect" resource set to "client/${iot:Connection.Thing.ThingName}", AWS IoT Core resolves the variable from the registry (the thing attached to the authenticating certificate), not from anything the client sends, so a CONNECT whose client ID does not equal that thing name is refused, and a Trojan horse cannot reach topics scoped to a client ID it made up. Option D is wrong because "${iot:ClientId}" is the client-supplied value itself: whatever client ID the Trojan sends is substituted into the resource, so the statement always matches and the injected characters pass straight through into the topic scope. Option B is wrong because a check inside the application is client-side, and the Trojan replaces the application. Option C is wrong because "AWSIoTWirelessDataAccess" is not an IoT Core policy action for MQTT clients, and IoT Core policies scope permissions by resource rather than by a principal field.
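To make the difference between options D and E concrete, here is an added example (not part of the exam question or of any AWS code) that builds the two device policies and runs them through a deliberately small stand-in for the IoT Core authorizer. The region, account ID, thing names, and the `clients/<id>/...` topic layout are assumptions; the model covers only `iot:Connect` and `iot:Subscribe`, and treats `*` as the only wildcard in a policy resource, with MQTT `+` and `#` as literal characters, which is how IoT Core policies treat them. The point it shows is that `${iot:ClientId}` expands to whatever the client sent, so an impersonated client ID always matches, whereas `${iot:Connection.Thing.ThingName}` expands to the registry thing attached to the certificate, so a mismatched client ID (or a certificate attached to no thing) is refused at CONNECT.

```python
"""Weak vs. hardened AWS IoT Core policy under a simplified authorizer model.

Added example. The policy documents are realistic; the evaluator is a
small stand-in for AWS IoT Core's authorizer: it substitutes ${iot:...}
policy variables from the connection context and matches the resulting
resource ARN, where '*' is the only wildcard.
"""
import json
import re

# Assumed region and account for the example ARNs.
ACCOUNT_ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012:"


def make_policy(client_var):
    """Per-device policy whose client scope is derived from the given policy variable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iot:Connect"],
             "Resource": [f"{ACCOUNT_ARN_PREFIX}client/${{{client_var}}}"]},
            {"Effect": "Allow", "Action": ["iot:Subscribe"],
             "Resource": [f"{ACCOUNT_ARN_PREFIX}topicfilter/clients/${{{client_var}}}/*"]},
            {"Effect": "Allow", "Action": ["iot:Receive"],
             "Resource": [f"{ACCOUNT_ARN_PREFIX}topic/clients/${{{client_var}}}/*"]},
        ],
    }


WEAK_POLICY = make_policy("iot:ClientId")                        # option D
HARDENED_POLICY = make_policy("iot:Connection.Thing.ThingName")  # option E


def connection_context(client_id, thing_attached_to_cert):
    """Policy variables IoT Core would expose for one MQTT connection.

    iot:ClientId is whatever the client put in MQTT CONNECT.
    iot:Connection.Thing.ThingName comes from the registry: the thing the
    authenticating certificate is attached to, or unset if there is none.
    """
    ctx = {"iot:ClientId": client_id}
    if thing_attached_to_cert is not None:
        ctx["iot:Connection.Thing.ThingName"] = thing_attached_to_cert
    return ctx


VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(resource, ctx):
    """Expand ${iot:...}; an unresolvable variable makes the resource unmatchable (None)."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in ctx:
            missing = True
            return ""
        return ctx[match.group(1)]

    expanded = VAR_RE.sub(repl, resource)
    return None if missing else expanded


def arn_matches(pattern, arn):
    """'*' matches any run of characters; everything else (including + and #) is literal."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, arn) is not None


def is_allowed(policy, action, resource_arn, ctx):
    """Allow if any Allow statement names the action and its expanded resource matches."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        for res in stmt["Resource"]:
            expanded = substitute(res, ctx)
            if expanded is not None and arn_matches(expanded, resource_arn):
                return True
    return False


def connect_and_subscribe(policy, client_id, thing_name, topic_filter):
    """Simulate CONNECT then SUBSCRIBE; returns (connect_ok, subscribe_ok)."""
    ctx = connection_context(client_id, thing_name)
    if not is_allowed(policy, "iot:Connect", f"{ACCOUNT_ARN_PREFIX}client/{client_id}", ctx):
        return False, False
    sub_ok = is_allowed(policy, "iot:Subscribe",
                        f"{ACCOUNT_ARN_PREFIX}topicfilter/{topic_filter}", ctx)
    return True, sub_ok


if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    # Constructed scenarios: the certificate on the phone is attached to thing phone-0042.
    cases = [
        ("legit app, client ID = thing name", "phone-0042", "phone-0042", "clients/phone-0042/inbox"),
        ("Trojan, client ID of another user", "phone-0099", "phone-0042", "clients/phone-0099/inbox"),
        ("cert attached to no thing", "phone-0042", None, "clients/phone-0042/inbox"),
    ]
    for label, cid, thing, flt in cases:
        print(f"{label:36} weak={connect_and_subscribe(WEAK_POLICY, cid, thing, flt)} "
              f"hardened={connect_and_subscribe(HARDENED_POLICY, cid, thing, flt)}")
```

Run as a script to see the three scenarios side by side: under the weak policy the Trojan's impersonated client ID is accepted for both CONNECT and SUBSCRIBE, because the resource it has to match was built from that same client ID; under the hardened policy the same CONNECT fails, and so does a certificate that is not attached to any registered thing, since the variable cannot be resolved and the statement never matches.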