Exam AWS Certified Security - Specialty topic 1 question 102 discussion

A is incorrect. It is more complex then other answers B is incorret. we dont need a second user pool. A Cognito group suffices C ?? D is correct. It is the correct method Developers have the ability to add users and remove users from Cognito's groups and manage group permissions for sets of users. fine-grained Role-Based Access Control (RBAC) in Cognito Federated Identities allows developers to now assign different IAM roles to different authenticated users. Previously, Amazon Cognito only supported one IAM role for all authenticated users. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html A user pool is a user directory in Amazon Cognito. It provides user profiles for users. You create groups on user pools https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

D is Correct

Correct answer is D

As per AWS documentation: With Groups support in Cognito, developers can easily customize users’ app experience by creating groups which represent different user types and app usage permissions. Developers have the ability to add users and remove users from groups and manage group permissions for sets of users. Therefore, D should suffice.

Option D. Move suspended customers to a second Cognito group and define an appropriate IAM access policy for the group. This approach allows you to separate the suspended customers into a different group, and assign them a different IAM access policy that limits their permissions, without modifying the application logic. It also reduces complexity and eliminates the need for additional database fields or a second user pool, thus avoiding potential for future security issues.

Support for groups in Amazon Cognito user pools enables you to create and manage groups, add users to groups, and remove users from groups. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

Option D make sense to me.

D is correct

D is correct answer

The correct answer is D as per below. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html "Support for groups in Amazon Cognito user pools enables you to create and manage groups, add users to groups, and remove users from groups. Use groups to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group."

D however does not helps long term, imagine having to move each and every suspended users... A may seems complex, but it is the most effective and yet secured way of doing things.

D seems correct, but could it also be B? Or is that too much

Ans: D

D is Correct

Ans > D https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

Ans (D) https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.htm

D is correct. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html