AWS Certified Security – Specialty — Question 74
A Security Engineer is working with a Product team building a web application on AWS. The application uses Amazon S3 to host the static content, Amazon API Gateway to provide RESTful services, and Amazon DynamoDB as the backend data store. The users already exist in a directory that is exposed through a SAML identity provider.
Which combination of the following actions should the Engineer take to enable users to be authenticated into the web application and call APIs? (Choose three.)
Answer options
- A. Create a custom authorization service using AWS Lambda.
- B. Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes.
- C. Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party.
- D. Configure an Amazon Cognito identity pool to integrate with social login providers.
- E. Update DynamoDB to store the user email addresses and passwords.
- F. Update API Gateway to use a COGNITO_USER_POOLS authorizer.
Correct answer: B, C, F
Explanation
Options B, C, and F together federate the existing SAML directory into Amazon Cognito and make the resulting tokens usable at the API layer. Option B registers the SAML identity provider in the Cognito user pool and maps SAML assertion attributes (for example the email address) onto user pool attributes, so federated users get a usable profile. Option C is the matching configuration on the identity provider side: the user pool must be registered there as a relying party (service provider) so the IdP will accept authentication requests from Cognito and post assertions back to it. Option F makes API Gateway validate the Cognito-issued JSON Web Token on each request through a COGNITO_USER_POOLS authorizer, so only authenticated users can call the APIs. Options A, D, and E are not needed: a custom Lambda authorizer (A) reimplements what the built-in Cognito authorizer already does, an identity pool with social login providers (D) addresses a different federation path than the SAML directory in the question, and storing email addresses and passwords in DynamoDB (E) would duplicate the existing directory and create a credential store the application should not be holding.
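The following CloudFormation template is an added illustration of the three correct actions as they would look in infrastructure code; it is not part of the exam page and not an AWS reference template. The IdP metadata URL, callback URL, domain prefix, provider name and the `/items` API resource are placeholders, and the SAML claim URIs in the attribute mapping are assumed to be the ones a typical enterprise IdP emits.

```yaml
# Added example (not from the question page): Cognito user pool federated with a
# SAML IdP (option B), values needed to register the pool at the IdP (option C),
# and an API Gateway COGNITO_USER_POOLS authorizer (option F). Names and URLs are
# placeholders; a real deployment would also need a stage/deployment and a real
# integration instead of MOCK.
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito user pool federated with a SAML IdP, protecting an API Gateway REST API

Parameters:
  SamlMetadataUrl:
    Type: String
    Default: https://idp.example.com/metadata.xml   # placeholder IdP metadata
  AppCallbackUrl:
    Type: String
    Default: https://app.example.com/callback        # placeholder app redirect

Resources:
  # Users live in the external directory; the pool only holds federated profiles.
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: web-app-users

  # Option B: register the SAML IdP and map assertion attributes to pool attributes.
  SamlIdp:
    Type: AWS::Cognito::UserPoolIdentityProvider
    Properties:
      UserPoolId: !Ref UserPool
      ProviderName: CorpSAML
      ProviderType: SAML
      ProviderDetails:
        MetadataURL: !Ref SamlMetadataUrl
      AttributeMapping:
        # Cognito attribute -> SAML claim name (assumed claim URIs)
        email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

  # Hosted UI domain; the IdP posts its SAML response to this domain's ACS endpoint.
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: web-app-auth-example   # placeholder; must be globally unique

  # App client restricted to the SAML provider so no local-password path exists.
  AppClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: SamlIdp
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: web-app
      GenerateSecret: false
      SupportedIdentityProviders: [CorpSAML]
      CallbackURLs: [!Ref AppCallbackUrl]
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows: [code]
      AllowedOAuthScopes: [openid, email, profile]

  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: web-app-api

  # Option F: API Gateway validates the Cognito JWT carried in the Authorization header.
  CognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: cognito-user-pool
      Type: COGNITO_USER_POOLS
      RestApiId: !Ref Api
      IdentitySource: method.request.header.Authorization
      ProviderARNs: [!GetAtt UserPool.Arn]

  ItemsResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Api
      ParentId: !GetAtt Api.RootResourceId
      PathPart: items

  # Each protected method must reference the authorizer; AuthorizationType NONE
  # on any method would leave that route open regardless of the authorizer above.
  GetItems:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref ItemsResource
      HttpMethod: GET
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref CognitoAuthorizer
      Integration:
        Type: MOCK   # placeholder for the real DynamoDB-backed integration

Outputs:
  # Option C happens on the IdP side, not in AWS: register the pool as a relying
  # party (service provider) using these two values.
  SamlSpEntityId:
    Value: !Sub urn:amazon:cognito:sp:${UserPool}
  SamlAcsUrl:
    Value: !Sub https://${UserPoolDomain}.auth.${AWS::Region}.amazoncognito.com/saml2/idpresponse
```

The two outputs are the values an administrator enters at the SAML IdP when adding the relying party: the service provider entity ID is derived from the user pool ID, and the assertion consumer service URL is the `/saml2/idpresponse` endpoint of the pool's hosted domain. Note that the authorizer only takes effect on methods that set `AuthorizationType: COGNITO_USER_POOLS` and reference it, so a review of the deployed API should check every method, not just the authorizer resource.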