Exam AWS Certified Developer Associate topic 1 question 54 discussion

A. Configure Amazon Cognito identity pools and exchange the JSON Web Token (JWT) for temporary credentials.

A. The two main components of Amazon Cognito are user pools and identity pools. Identity pools provide AWS credentials to grant your users access to other AWS services. To enable users in your user pool to access AWS resources, you can configure an identity pool to exchange user pool tokens for AWS credentials. For more information see Accessing AWS Services Using an Identity Pool After Sign-in and Getting Started with Amazon Cognito Identity Pools (Federated Identities).

A) Correct - Amazon Cognito User Pools handle user authentication and return a JSON Web Token (JWT) upon successful login. Amazon Cognito Identity Pools allow authenticated users to exchange their JWT for temporary AWS credentials using the AWS Security Token Service (STS). These temporary credentials grant secure access to AWS services, such as DynamoDB, without the need to hardcode credentials or store them in the application.

here the key word is securely call, it means that the developer should configure Amazon Cognito identity pools and use JWTs to obtain temporary credentials for accessing DynamoDB securely. This approach is valid and aligns with AWS best practices for securing access to AWS services.

The rigth answer is A (B and C should be excluded a priori). Then, the app uses Cognito user pools for authentication but with user pools we can't access internal AWS services (at most we can call an URL or IP exposed by some AWS Service). For sure it is not suitable for DynamoDB. To access DynamoDB instead, we have to use cognito user identity pools which will provide a JWT token for temoporary access. Furthemore, cognito identity pools can communicate with cognito user pools. The first is used for authentication while the second is used for authorization

A is correct answer

A though tough question because you still have to convert your jwt to access tokens or something in order to access dynamoDB. but B and C are the wrong answer. and A is better than D because you need D is step 1 and A is step 2

A. Configure Amazon Cognito identity pools and exchange the JSON Web Token (JWT) for temporary credentials.

I know this is A, but why not B? I mean application run on EC2, EC2 role doesnt expose keys so it's secure so application will have the same permissions as EC2 role provides. Why this is incorrect?

D. The question is "how to call the API" not how to query dynamodb through its sdk. To call the API, simply use cognito as authorizer and use the jwt in the header.

Answer: A https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html With an identity pool, your users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB. Identity pools support anonymous guest users, as well as federation through third-party IdPs.

Answer: A

"D" is the correct answer, according to this link: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

D After a successful authentication, Amazon Cognito returns user pool tokens to your app. You can use the tokens to grant your users access to your own server-side resources or to the Amazon API Gateway. Or you can exchange them for temporary AWS credentials to access other AWS services.

A is the answer User pool is for authentication and identity pool is for authorization on resource access

A using amazon cognito identity pool to access dynamodb apis

Why not D?