Question 25
Domain 4: Identity and Access Management
A company runs a custom online gaming application. The company uses Amazon Cognito for user authentication and authorization. A security engineer wants to use AWS to implement fine-grained authorization on resources in the custom application. The security engineer must implement a solution that uses the user attributes that exist in Cognito. The company has already set up a user pool and an identity pool in Cognito. Which solution will meet these requirements?
Correct answer: B
Explanation
Amazon Verified Permissions is designed for fine-grained authorization in custom applications, and its policy store holds the authorization policies. Cognito can serve as the identity source, and its access token claims map user attributes into the Verified Permissions schema so decisions can use those attributes.
Why each option is right or wrong
A. Create a set of IAM roles and IAM policies. Configure the Cognito identity pool to assign users to the IAM roles.
IAM roles assigned through an identity pool grant access to AWS resources; they do not implement fine-grained authorization logic inside a custom application.
B. Create a policy store in Amazon Verified Permissions. Configure Cognito as the identity source. Map Cognito access tokens to the Verified Permissions schema.
Amazon Verified Permissions is the AWS service built for application-level, fine-grained authorization, and its policy store is where the authorization logic is evaluated against a defined schema. Under the service’s integration model, Amazon Cognito can be configured as the identity source, and the user’s Cognito access token claims are mapped into the Verified Permissions schema so attributes from the user pool can be used in authorization decisions.
C. Create customer managed permissions by using AWS Resource Access Manager (AWS RAM). Configure the Cognito identity pool to assign users to the customer managed permissions.
AWS RAM shares AWS resources across accounts; it is not a permissions engine for end-user application authorization.
D. Create a set of IAM users and IAM policies. Configure the Cognito user pool to assign users to the IAM users.
Cognito user pools do not assign users to IAM users; IAM users are separate AWS identities.
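As an added example (not part of the original question or of AWS documentation), here are two Cedar policies a Verified Permissions policy store could hold for option B. They assume a schema namespace GameApp, actions joinRankedMatch and editProfile, a Match and a Profile resource type whose ownerId attribute is an entity of type User, and the placeholder user pool ID us-east-1_EXAMPLE. When the application calls IsAuthorizedWithToken with a Cognito access token, Verified Permissions derives the principal from the token's sub claim and maps the cognito:groups claim to parent entities of the form UserGroup::"<userPoolId>|<groupName>", which is what the first policy relies on; the resource attributes used by the second policy are supplied by the application in the request's entities.

```cedar
// Players in the Cognito user pool group "premium" may join ranked matches.
// Group membership comes from the access token's cognito:groups claim, so no
// application code has to re-check the group by hand.
permit(
  principal in GameApp::UserGroup::"us-east-1_EXAMPLE|premium",
  action == GameApp::Action::"joinRankedMatch",
  resource is GameApp::Match
);

// Any signed-in player may edit only their own profile. ownerId is an
// application-supplied resource attribute (assumed, entity type User),
// compared against the principal derived from the token's sub claim.
permit(
  principal,
  action == GameApp::Action::"editProfile",
  resource is GameApp::Profile
)
when { resource.ownerId == principal };

// Cedar is default-deny: a request matched by no permit policy is denied,
// so a player outside "premium" cannot join a ranked match and nobody can
// edit a profile they do not own.
```

Because decisions hinge on the token's claims, only access tokens issued by the configured user pool (and, if set, the allowed app client IDs on the identity source) are accepted; tokens from any other issuer are rejected before policy evaluation.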