AWS Certified Security – Specialty — Question 440

A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application's users will come from France.

When the company launches the application, the company's security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France.

The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request.

Which combination of steps will meet these requirements? (Choose two.)

Answer options

Correct answer: A, B

Explanation

An AWS WAF web ACL with a geographic match rule can block network requests from outside France before they reach the user pool. Furthermore, a pre sign-up AWS Lambda trigger allows the system to run custom validation code during the registration process to accept or reject the sign-up request. Amazon Cognito user pools do not natively support direct geographic restrictions, and social IdPs or app clients cannot block registrations based on geographic criteria in this scenario.
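The pre sign-up trigger described above, as an added example (not from the exam page or an AWS sample): a Lambda handler that validates the submitted attributes and denies the registration by raising an error, or accepts it by returning the event unchanged. The French phone-number pattern and blocked email domain are constructed assumptions standing in for whatever validation rules the company would choose.

```python
"""Amazon Cognito pre sign-up trigger with custom registration validation (added example)."""
import re

# Constructed validation rules (assumptions, not from the page):
# E.164 French numbers (+33 followed by 9 digits, first digit 1-9).
FRENCH_PHONE = re.compile(r"^\+33[1-9]\d{8}$")
# Placeholder blocked domain; a real deployment would load its own list.
BLOCKED_EMAIL_DOMAINS = {"example.invalid"}


class SignUpRejected(Exception):
    """Any exception raised from the trigger makes Cognito deny the sign-up
    and return the message to the caller (shown in the Hosted UI)."""


def validate_attributes(attrs):
    """Return a list of validation problems; empty means the sign-up is acceptable."""
    problems = []
    phone = attrs.get("phone_number", "")
    if not FRENCH_PHONE.match(phone):
        problems.append("phone_number must be a French +33 number")
    email = attrs.get("email", "")
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if not domain or domain in BLOCKED_EMAIL_DOMAINS:
        problems.append("email domain is not accepted")
    return problems


def lambda_handler(event, context):
    """Entry point Cognito invokes before a user is created in the pool."""
    # Only vet self-service sign-ups; leave admin-created and federated
    # (PreSignUp_AdminCreateUser / PreSignUp_ExternalProvider) flows untouched.
    if event.get("triggerSource") != "PreSignUp_SignUp":
        return event
    problems = validate_attributes(event.get("request", {}).get("userAttributes", {}))
    if problems:
        raise SignUpRejected("; ".join(problems))
    # Accept: return the event. autoConfirmUser stays False so the normal
    # email/SMS confirmation step still runs for accepted registrations.
    return event


def make_event(email, phone):
    """Build a constructed PreSignUp_SignUp event shaped like Cognito's payload."""
    return {
        "version": "1",
        "triggerSource": "PreSignUp_SignUp",
        "userPoolId": "PLACEHOLDER_USER_POOL_ID",  # constructed placeholder
        "userName": email,
        "request": {"userAttributes": {"email": email, "phone_number": phone},
                    "validationData": {}, "clientMetadata": {}},
        "response": {"autoConfirmUser": False, "autoVerifyEmail": False,
                     "autoVerifyPhone": False},
    }
```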