AWS Certified Solutions Architect – Associate (SAA-C03) — Question 775
A solutions architect is designing a user authentication solution for a company. The solution must invoke two-factor authentication for users that log in from inconsistent geographical locations, IP addresses, or devices. The solution must also be able to scale up to accommodate millions of users.
Which solution will meet these requirements?
Answer options
- A. Configure Amazon Cognito user pools for user authentication. Enable the risk-based adaptive authentication feature with multifactor authentication (MFA).
- B. Configure Amazon Cognito identity pools for user authentication. Enable multi-factor authentication (MFA).
- C. Configure AWS Identity and Access Management (IAM) users for user authentication. Attach an IAM policy that allows the AllowManageOwnUserMFA action.
- D. Configure AWS IAM Identity Center (AWS Single Sign-On) authentication for user authentication. Configure the permission sets to require multi-factor authentication (MFA).
Correct answer: A
Explanation
Amazon Cognito user pools are a managed user directory for application end users and scale to millions of users. With the threat protection features (formerly called advanced security features) enabled in ENFORCED mode, a user pool assigns each sign-in a risk level based on the device, IP address and location history of that user, and the risk configuration can then require MFA only for low-, medium- or high-risk sign-ins (or block them outright). Two details matter in practice: threat protection must be in ENFORCED mode, not AUDIT (AUDIT only records risk scores), and the pool's MFA setting must be OPTIONAL, because adaptive authentication steps up to MFA rather than enabling it; with MFA OFF there is nothing to step up to, and with MFA ON every sign-in is challenged regardless of risk. Threat protection is an additional-cost feature (the Plus feature tier in current Cognito pricing).
Option B is wrong because identity pools do not authenticate users at all: they exchange a token from an identity provider (such as a user pool) for temporary AWS credentials, and they have no MFA setting of their own. Option C is wrong because IAM users are workforce identities for access to AWS resources, an account is limited to 5,000 of them, and IAM has no risk-based MFA; "AllowManageOwnUserMFA" is the statement ID in AWS's example self-service MFA policy, not an IAM action. Option D is wrong because IAM Identity Center manages workforce access to AWS accounts and applications, MFA enforcement there is a setting of the identity source and authentication settings rather than of permission sets, and it is not intended as a customer-facing directory for millions of application users.
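The Option A configuration expressed as the three cognito-idp API calls it actually requires, written as an added example that is not part of the exam page. The request parameters are built as plain dicts so they can be reviewed before anything is applied; USER_POOL_ID, APP_CLIENT_ID and the skipped IP range are made-up placeholders, and the boto3 client is only created when apply_plan is run without an injected client.

```python
# Added example (not from the exam page): the Cognito calls behind Option A,
# built as request dicts, checked for the settings that silently disable
# adaptive authentication, then applied in order. Placeholders throughout.

USER_POOL_ID = "us-east-1_EXAMPLE"      # placeholder, not a real pool id
APP_CLIENT_ID = "1example23456789"      # placeholder app client id

EVENT_ACTIONS = {"NO_ACTION", "MFA_IF_CONFIGURED", "MFA_REQUIRED", "BLOCK"}


def build_plan(user_pool_id=USER_POOL_ID, client_id=APP_CLIENT_ID,
               low="NO_ACTION", medium="MFA_IF_CONFIGURED", high="MFA_REQUIRED"):
    """Return the parameters for update_user_pool, set_user_pool_mfa_config
    and set_risk_configuration, keyed by operation, in the order to apply."""
    return {
        # 1. Threat protection only acts in ENFORCED mode; AUDIT just records
        #    risk scores. Since late 2024 it also needs the Plus tier.
        #    Caveat: update_user_pool resets every attribute you omit to its
        #    default, so in real use merge this with describe_user_pool().
        "update_user_pool": {
            "UserPoolId": user_pool_id,
            "UserPoolTier": "PLUS",
            "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
        },
        # 2. Adaptive auth can only step *up* to MFA when MFA is OPTIONAL:
        #    OFF gives it nothing to prompt with, ON challenges everyone.
        "set_user_pool_mfa_config": {
            "UserPoolId": user_pool_id,
            "MfaConfiguration": "OPTIONAL",
            "SoftwareTokenMfaConfiguration": {"Enabled": True},
        },
        # 3. Response per risk level. MFA_REQUIRED blocks users who have not
        #    enrolled an MFA factor yet; MFA_IF_CONFIGURED lets them through.
        "set_risk_configuration": {
            "UserPoolId": user_pool_id,
            "ClientId": client_id,
            "CompromisedCredentialsRiskConfiguration": {
                "EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],
                "Actions": {"EventAction": "BLOCK"},
            },
            "AccountTakeoverRiskConfiguration": {
                "Actions": {
                    "LowAction": {"Notify": False, "EventAction": low},
                    "MediumAction": {"Notify": False, "EventAction": medium},
                    "HighAction": {"Notify": False, "EventAction": high},
                }
            },
            "RiskExceptionConfiguration": {
                # placeholder: a trusted office range exempt from risk scoring
                "SkippedIPRangeList": ["203.0.113.0/24"],
            },
        },
    }


def check_plan(plan):
    """Return the list of settings that would leave adaptive auth ineffective."""
    problems = []
    mode = plan["update_user_pool"]["UserPoolAddOns"]["AdvancedSecurityMode"]
    if mode != "ENFORCED":
        problems.append(f"AdvancedSecurityMode={mode}: must be ENFORCED, AUDIT never prompts")
    mfa = plan["set_user_pool_mfa_config"]["MfaConfiguration"]
    if mfa != "OPTIONAL":
        problems.append(f"MfaConfiguration={mfa}: must be OPTIONAL for risk-based step-up")
    actions = plan["set_risk_configuration"]["AccountTakeoverRiskConfiguration"]["Actions"]
    for level in ("LowAction", "MediumAction", "HighAction"):
        if actions[level]["EventAction"] not in EVENT_ACTIONS:
            problems.append(f"{level}: unknown EventAction {actions[level]['EventAction']}")
    if actions["HighAction"]["EventAction"] == "NO_ACTION":
        problems.append("HighAction=NO_ACTION ignores the riskiest sign-ins")
    return problems


def apply_plan(plan, client=None):
    """Apply the plan with a boto3 cognito-idp client (injectable for tests).
    Refuses to apply a plan that fails check_plan. Returns the ops called."""
    problems = check_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    if client is None:
        import boto3  # only needed when really talking to AWS
        client = boto3.client("cognito-idp")
    called = []
    for op in ("update_user_pool", "set_user_pool_mfa_config", "set_risk_configuration"):
        getattr(client, op)(**plan[op])
        called.append(op)
    return called


if __name__ == "__main__":
    for line in check_plan(build_plan()) or ["plan ok: ENFORCED, MFA OPTIONAL, high risk -> MFA_REQUIRED"]:
        print(line)
```

Run with real credentials by calling apply_plan(build_plan("<your pool id>", "<your client id>")); the order matters because set_risk_configuration is rejected unless threat protection is already enabled on the pool. The check_plan step exists because the two common mistakes (leaving the mode in AUDIT, or MFA in OFF) do not produce an API error; the pool simply never prompts anyone.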