Learn how to use Amazon Cognito user pools to secure user records and enable multi-factor authentication (MFA) for your application. Discover how to send login activity notifications by email using AWS Lambda and Amazon SES.
Question
A company has an application that uses Amazon Cognito user pools as an identity provider. The company must secure access to user records. The company has set up multi-factor authentication (MFA). The company also wants to send a login activity notification by email every time a user logs in.
What is the MOST operationally efficient solution that meets this requirement?
A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon API Gateway API to invoke the function. Call the API from the client side when login confirmation is received.
B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.
C. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Create an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status.
D. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user.
Answer
B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.
Explanation
The most operationally efficient solution that meets the requirement is B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification. Add an Amazon Cognito post authentication Lambda trigger for the function.
This solution will meet the requirement because it will allow the company to send a login activity notification by email every time a user logs in to the application using Amazon Cognito user pools. Amazon Cognito user pools are user directories that provide sign-up and sign-in options for your web and mobile app users. Amazon Cognito supports Lambda triggers, which are custom workflows that run in response to events related to your user pool. A post authentication Lambda trigger runs after a user is authenticated successfully. The company can create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send an email notification to the user with the login details, such as time, location, and device. The company can then add the Lambda function as a post authentication Lambda trigger for the user pool.
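The handler below is an added illustration of option B, not code from the original page: a Python Lambda function for the Cognito post authentication trigger that builds a login notification and sends it through Amazon SES. The sender address and the fake SES client used for testing are assumptions; the event fields (triggerSource, userName, callerContext.clientId, request.userAttributes, request.newDeviceUsed) follow the shape Cognito passes to this trigger.

```python
import os

# Placeholder sender; in a real deployment this must be an SES-verified identity.
SENDER = os.environ.get("SENDER_EMAIL", "no-reply@example.com")


def build_notification(event):
    """Turn a Cognito PostAuthentication event into an email, or None if unsendable."""
    request = event.get("request", {})
    attrs = request.get("userAttributes", {})
    recipient = attrs.get("email")
    # Cognito passes attribute values as strings; only notify verified addresses.
    if not recipient or attrs.get("email_verified") != "true":
        return None
    username = event.get("userName", "unknown")
    client_id = event.get("callerContext", {}).get("clientId", "unknown")
    new_device = bool(request.get("newDeviceUsed", False))
    body = (
        f"A sign-in to your account ({username}) was just completed.\n"
        f"App client: {client_id}\n"
        f"New device: {'yes' if new_device else 'no'}\n"
        "If this was not you, change your password and review your MFA settings."
    )
    return {"to": recipient, "subject": "New sign-in to your account", "body": body}


def send_notification(msg, ses=None):
    """Send the message with SES; an injected client keeps this testable offline."""
    if ses is None:
        import boto3  # available in the Lambda runtime
        ses = boto3.client("ses")
    return ses.send_email(
        Source=SENDER,
        Destination={"ToAddresses": [msg["to"]]},
        Message={"Subject": {"Data": msg["subject"]},
                 "Body": {"Text": {"Data": msg["body"]}}},
    )


def lambda_handler(event, context=None, ses=None):
    """Cognito post authentication trigger: notify, then hand the event back unchanged."""
    if event.get("triggerSource") == "PostAuthentication_Authentication":
        msg = build_notification(event)
        if msg is not None:
            try:
                send_notification(msg, ses)
            except Exception as exc:  # a raised error here would fail the user's sign-in
                print(f"login notification failed: {exc}")
    # Cognito requires the trigger to return the event object.
    return event
```

The try/except reflects a design choice: an unhandled error in a Cognito trigger surfaces to the user as a sign-in failure, so a notification problem is logged rather than allowed to block authentication.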
The other options are not optimal or efficient for the following reasons:
A. Creating an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification and adding an Amazon API Gateway API to invoke the function will not meet the requirement, as it will introduce unnecessary complexity and latency to the application. The company will have to manage and maintain the API Gateway API, the API authorization, and the API invocation from the client side. This solution also relies on the client side to call the API when login confirmation is received, which is neither reliable nor secure: a client that fails to make the call, or that is modified to skip it, produces a login with no notification.
C. Creating an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send the email notification and creating an Amazon CloudWatch Logs log subscription filter to invoke the function based on the login status will not meet the requirement, as it will incur additional costs and overhead to the application. The company will have to enable logging for Amazon Cognito user pools, which is not enabled by default. The company will also have to create and update a log subscription filter that matches the login status from the log events and invokes the Lambda function.
D. Configuring Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose and creating an AWS Lambda function to process the streamed logs and to send the email notification based on the login status of each user will not meet the requirement, as it will introduce unnecessary complexity and overhead to the application. The company will have to enable logging for Amazon Cognito user pools, which is not enabled by default. The company will also have to create and manage a Kinesis Data Firehose delivery stream that receives and delivers the log data. The company will also have to create and update a Lambda function that processes the log data and sends the email notification.
The latest AWS Certified Developer – Associate DVA-C02 certification practice exam questions and answers (Q&A) are available free and are helpful for passing the AWS Certified Developer – Associate DVA-C02 exam and earning the AWS Certified Developer – Associate DVA-C02 certification.