Amazon SCS-C02: Combination steps to perform custom validation at sign-up.

Question

A company in France uses Amazon Cognito with the Cognito Hosted UI as an identity broker for sign-in and sign-up processes. The company is marketing an application and expects that all the application’s users will come from France. When the company launches the application, the company’s security team observes fraudulent sign-ups for the application. Most of the fraudulent registrations are from users outside of France.

The security team needs a solution to perform custom validation at sign-up. Based on the results of the validation, the solution must accept or deny the registration request. Which combination of steps will meet these requirements? (Choose two.)

A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.
B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.
C. Configure an app client for the application’s Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.
D. Update the application’s Amazon Cognito user pool to configure a geographic restriction setting.
E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.

Answer

A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.
D. Update the application’s Amazon Cognito user pool to configure a geographic restriction setting.

Explanation

The correct answer is A and D.

A. Create a pre sign-up AWS Lambda trigger. Associate the Amazon Cognito function with the Amazon Cognito user pool.

This option is correct because a pre sign-up Lambda trigger can be used to perform custom validation and accept or deny the registration request based on the results of the validation. The Lambda function can check the user’s location and compare it to a list of allowed countries, such as France. If the user is not from an allowed country, the function can deny the registration request and return an error message.
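The following is an added example, not code from the question bank or from AWS, of what such a pre sign-up trigger looks like. It assumes the country code is carried in a custom user-pool attribute named `custom:country` (an assumption; the pre sign-up event does not carry the caller’s IP address, so the location has to arrive in an attribute or client metadata), and it fails closed when the attribute is missing.

```python
"""Cognito pre sign-up Lambda trigger that accepts or denies a registration.

Added illustration for this question; not the page's or AWS's code.
Assumption: the sign-up form supplies the country in custom:country.
"""

ALLOWED_COUNTRIES = {"FR"}  # constructed allow list: France only


class SignUpDenied(Exception):
    """Raising from a pre sign-up trigger makes Cognito reject the sign-up;
    the exception message is what the Hosted UI shows to the user."""


def country_of(event):
    """Read the ISO country code from the sign-up attributes ('' if absent)."""
    attrs = event.get("request", {}).get("userAttributes", {})
    return (attrs.get("custom:country") or "").strip().upper()


def lambda_handler(event, context):
    # Only self-service sign-ups are validated here; admin-created and
    # federated users pass through untouched (constructed policy).
    if event.get("triggerSource") != "PreSignUp_SignUp":
        return event

    country = country_of(event)
    if country not in ALLOWED_COUNTRIES:
        # Fail closed: unknown or disallowed country -> registration denied.
        raise SignUpDenied(
            f"Registration is not available for country '{country or 'unknown'}'"
        )

    # Accept: returning the event unchanged keeps the normal
    # confirmation flow (autoConfirmUser stays False).
    return event


def make_event(trigger_source, attributes):
    """Build a constructed pre sign-up event with the fields Cognito sends."""
    return {
        "triggerSource": trigger_source,
        "request": {"userAttributes": attributes},
        "response": {"autoConfirmUser": False,
                     "autoVerifyEmail": False,
                     "autoVerifyPhone": False},
    }
```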

D. Update the application’s Amazon Cognito user pool to configure a geographic restriction setting.

This option is correct because Amazon Cognito user pools have advanced security features that can review location and device information from the user’s sign-in requests and apply an automatic response to secure the user accounts against suspicious activity. The advanced security features can assign a risk score to user activity and assign an automatic response based on the risk level. For example, Amazon Cognito can block sign-in or require MFA for users from high-risk locations. The advanced security features can also send email notifications to users about suspicious activity on their accounts.

B. Use a geographic match rule statement to configure an AWS WAF web ACL. Associate the web ACL with the Amazon Cognito user pool.

This option is incorrect because AWS WAF web ACLs are used to protect web applications from common web exploits, not to validate user registration requests. AWS WAF web ACLs can be associated with CloudFront distributions, Application Load Balancers, or API Gateway APIs, but not with Amazon Cognito user pools.

C. Configure an app client for the application’s Amazon Cognito user pool. Use the app client ID to validate the requests in the hosted UI.

This option is incorrect because app client IDs are used to identify different applications that access a user pool, not to validate user registration requests. App client IDs are required for using the hosted UI, but they do not provide any geographic restriction functionality.

E. Use Amazon Cognito to configure a social identity provider (IdP) to validate the requests on the hosted UI.

This option is incorrect because social identity providers are used to allow users to sign in with their existing social media accounts, such as Facebook or Google, not to validate user registration requests. Social identity providers do not provide any geographic restriction functionality.
