Exam AWS Certified Security - Specialty topic 1 question 471 discussion

@Noexperience, the link you provided speaks of B and not D instead. I guess you wanted to write AB? which is actually the answer. https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/

I go with AD for D https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/

A: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html Shortly before Amazon Cognito signs up a new user, it activates the pre sign-up AWS Lambda function. As part of the sign-up process, you can use this function to perform custom validation and, based on the results of your validation, accept or deny the registration request. B: https://aws.amazon.com/blogs/security/protect-your-amazon-cognito-user-pool-with-aws-waf/ A good way to protect these endpoints is to deploy rate-based AWS WAF rules. These rules will detect and block requests with high rates that could indicate an attempt to exceed your Amazon Cognito API request rate quotas and that could subsequently impact requests from legitimate users.

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html

Explanation of why B: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html A it's mandatory

A https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html B https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html#user-pool-waf-setting-up

A,D for me

AB: You can associate a Cognito user pool with a regional WAF web ACL. This can be done via CloudFormation, but you can also do it via the Cognito console (note: this only works in the “new” console experience for Cognito). https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/

A. Creating a pre sign-up AWS Lambda trigger (Option A) allows you to execute custom validation logic before the sign-up process is completed in Amazon Cognito. In the Lambda function, you can include code to validate the user's location and decide whether to accept or deny the registration request based on the country of origin. D. Updating the application's Amazon Cognito user pool to configure a geographic restriction setting (Option D) enables you to specify that only sign-ups from specific countries or regions are allowed. In this case, you would set the restriction to only allow sign-ups from France. This helps prevent fraudulent sign-ups from users outside of France. By combining these two steps, you can perform custom validation at sign-up, leveraging the Lambda trigger to validate the user's location and the geographic restriction setting to enforce that sign-ups are only allowed from France.