AWS Certified Security – Specialty — Question 426
A company has a single-page application (SPA) that is served by Amazon CloudFront. An Amazon S3 bucket is the origin of the CloudFront distribution. The company is using Amazon Cognito for authentication.
An external security review reveals that unauthenticated users can download the application source code from the SPA in index.html and view internal details of the SPA. A security engineer needs to implement a solution to avoid exposing the source code to unauthenticated users.
Which solution will meet these requirements?
Answer options
- A. Split the login logic to a separate login.html page. Designate the new page as the landing page. Attach an AWS WAF web ACL to the CloudFront distribution to deny unauthenticated requests to index.html.
- B. Change the authentication method in Amazon Cognito to use an AWS Lambda authorizer. Configure the Lambda authorizer to control authentication and disallow downloads if the user is not authenticated.
- C. Implement an Amazon Cognito hosted UI for the login. Add Lambda@Edge logic to the CloudFront distribution to either serve content or redirect to the login page.
- D. Create an origin access identity (OAI). Associate the OAI with the CloudFront distribution. Configure S3 bucket permissions for the OAI to allow access to authenticated users only.
Correct answer: C
Explanation
Lambda@Edge allows you to run code at the AWS edge locations, intercepting requests to CloudFront to validate Amazon Cognito tokens before serving content such as index.html. If a user is unauthenticated, Lambda@Edge can seamlessly redirect them to the Amazon Cognito hosted UI, keeping the SPA source code secure. The other options cannot natively validate Cognito authentication state to restrict static file delivery: AWS WAF inspects request attributes, not Cognito sessions, and an OAI only restricts the S3 bucket to the CloudFront distribution itself, so it cannot distinguish authenticated from unauthenticated viewers.