Solutions for Efficient User Profile Management in a Web-based Application | AWS Certified Security - Specialty Exam | Amazon

Efficient User Profile Management in a Web-based Application

Question

Your company is developing an application on AWS.

This would be a web-based application.

The application users will use their Facebook or Google identities for authentication.

The company wants to have the ability to manage user profiles efficiently.

Which of the below solutions would assist in this?

Answers

Explanations


A. Create an OIDC identity provider in AWS

B. Create a SAML provider in AWS

C. Use Amazon Cognito User Pools

D. Use IAM users to manage the user profiles

Answer: C.

Option A is incorrect because an IAM OIDC identity provider only establishes trust between an OIDC-compatible IdP and your AWS account so that federated identities can assume IAM roles; it keeps no user directory, so you cannot manage users or their profiles with it.

Option B is incorrect because an IAM SAML identity provider establishes trust between a SAML-compatible IdP such as Shibboleth or Active Directory Federation Services and AWS so that users in your organization can access AWS resources.

This does not assist in managing user profiles.

Option C is CORRECT because a user pool is a user directory in Amazon Cognito.

The users can sign in to your web or mobile app through Amazon Cognito with a user pool.

Users can also sign in through social identity providers such as Facebook, Google, or Amazon, and through SAML identity providers.

Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK.

Option D is incorrect because IAM users are principals for calling AWS APIs, not application end users: they cannot sign in with a Facebook or Google identity, they carry no profile attributes, and an account is limited to 5,000 IAM users by default, so managing thousands of application users and their permissions this way would be a management and maintenance overhead.

The AWS Documentation mentions the following about User pools:

Sign-up and sign-in services.

A built-in, customizable web UI to sign in users.

Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.

User directory management and user profiles.

Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.

Customized workflows and user migration through AWS Lambda triggers.

For more information on Cognito user pools, refer to the following URL:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html

For a web-based application, using third-party authentication providers like Facebook and Google is a common approach as it simplifies the authentication process and provides a seamless user experience. However, managing user profiles and permissions can be challenging without a centralized solution.

The options provided in the exam are all related to identity and access management (IAM) solutions offered by AWS. Let's examine each one in detail:

A. Create an OIDC identity provider in AWS: OpenID Connect (OIDC) is a widely adopted open standard for authentication built on OAuth 2.0, and Sign in with Google is an OIDC provider. An IAM OIDC identity provider, however, only records trust in such a provider so that its tokens can be exchanged for temporary AWS credentials through an IAM role (AssumeRoleWithWebIdentity). It holds no user records and stores no profile attributes, so it does not help manage user profiles.

B. Create a SAML provider in AWS: Security Assertion Markup Language (SAML) is another standard for exchanging authentication and authorization data between parties. An IAM SAML provider establishes trust with a SAML 2.0 IdP so that its users can assume IAM roles and reach AWS resources. Facebook Login and Sign in with Google are OAuth 2.0/OIDC based, not SAML, and the IAM SAML provider stores no user profiles, so this option fits neither requirement.

C. Use Amazon Cognito User Pools: an Amazon Cognito user pool is a fully managed user directory that provides sign-up, sign-in, and access control. The company creates a user pool, adds Facebook and Google as identity providers, and maps the attributes those providers return (email, name, picture) onto user pool attributes. Every user, native or federated, then has a profile in the pool that the application can read and update through the Cognito SDK or API, and access control can be driven by those attributes or by user pool groups.

D. Use IAM users to manage the user profiles: IAM users are identities for people and workloads that call AWS APIs, and they are governed by IAM policies. They cannot sign in with a Facebook or Google identity, they have no profile attributes (IAM user tags are not a profile store), and the default quota is 5,000 IAM users per account, so they are the wrong tool for application end users.

Based on the requirements in the question, only option C meets both: federated sign-in with Facebook or Google and efficient management of user profiles. Options A and B provide federation into IAM roles but no user directory, and option D provides a directory of AWS principals, not application users.
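What the web application receives after a Facebook or Google sign-in through the user pool is a set of JSON Web Tokens signed by the pool, and the profile data travels in the ID token's claims. The script below, added here as an example and not code from the page or from AWS, shows the checks a backend should make before trusting those claims (signature against the pool's JWKS, issuer, audience, token_use, expiry) and then extracts the profile, including the `identities` claim that records which social provider the user came from. It is standard library only and verifies RS256 by hand so it runs offline; the key pair, JWKS, region, pool ID, client ID and token are constructed for the demo and are not real Cognito values.

```python
"""Validate an Amazon Cognito user-pool ID token offline and read the profile in it.

Added example, not code from the page or from AWS. Standard library only: RS256
(RSASSA-PKCS1-v1_5 with SHA-256) is verified by hand so it runs with no network or
AWS account. Key pair, JWKS, region, pool id, client id and token are constructed.
"""
import base64, hashlib, json, time

def b64u_encode(raw: bytes) -> str:  # unpadded base64url, as JWT and JWK use
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of sha256(msg) for a k-byte modulus, as an int."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign(n: int, d: int, msg: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), d, n).to_bytes(k, "big")

def rsa_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    """Re-encode and compare; lenient padding parsers are how forgeries get through."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, e, n) == _emsa_pkcs1_v15(msg, k)

def verify_cognito_id_token(token, jwks, region, user_pool_id, client_id, now=None):
    """Return the claims of a user-pool ID token or raise ValueError (signature first)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64u_decode(head_b64)), json.loads(b64u_decode(body_b64))
        alg, kid = header["alg"], header["kid"]
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError("malformed JWT") from exc
    if alg != "RS256":  # the token never gets to pick the algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if key is None or key.get("kty") != "RSA":
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64u_decode(key[f]), "big") for f in ("n", "e"))
    if not rsa_verify(n, e, f"{head_b64}.{body_b64}".encode("ascii"), b64u_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "id":  # access tokens carry client_id, not aud
        raise ValueError("not an ID token")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def profile_from_claims(claims: dict) -> dict:
    """Profile fields the app keeps; `identities` is a list in the ID token, a JSON string via AdminGetUser."""
    identities = claims.get("identities") or []
    if isinstance(identities, str):
        identities = json.loads(identities)
    return {"sub": claims.get("sub"), "username": claims.get("cognito:username"),
            # an unverified email is a hint from the provider, not an identity
            "email": claims.get("email") if claims.get("email_verified") else None,
            "providers": [i.get("providerName") for i in identities]}

# Toy RSA key from two Mersenne primes (public structure: demo only). The rest is constructed demo data.
_P, _Q = 2**521 - 1, 2**607 - 1
DEMO_N, DEMO_E = _P * _Q, 65537
DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))
KID, REGION, POOL_ID, CLIENT_ID = "demo-key-1", "us-east-1", "us-east-1_EXAMPLE", "1example23456789"

def demo_jwks() -> dict:
    """What the pool's jwks.json would contain for the toy key."""
    n_bytes = DEMO_N.to_bytes((DEMO_N.bit_length() + 7) // 8, "big")
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": KID,
                      "n": b64u_encode(n_bytes), "e": b64u_encode(b"\x01\x00\x01")}]}

def make_demo_token(claims: dict) -> str:
    """Sign claims the way the pool does, with the toy key in place of its own."""
    signing_input = (b64u_encode(json.dumps({"alg": "RS256", "kid": KID}).encode())
                     + "." + b64u_encode(json.dumps(claims).encode()))
    return signing_input + "." + b64u_encode(rsa_sign(DEMO_N, DEMO_D, signing_input.encode("ascii")))

# Constructed sample of the ID token a Facebook-federated user would receive.
DEMO_CLAIMS = {"sub": "11111111-2222-3333-4444-555555555555", "aud": CLIENT_ID, "token_use": "id",
               "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}",
               "cognito:username": "Facebook_10001", "email": "alice@example.com", "email_verified": True,
               "identities": [{"userId": "10001", "providerName": "Facebook", "providerType": "Facebook"}],
               "iat": 1_700_000_000, "exp": 1_700_003_600}

def run_demo(now=1_700_000_060) -> dict:
    token = make_demo_token(DEMO_CLAIMS)
    return profile_from_claims(verify_cognito_id_token(token, demo_jwks(), REGION, POOL_ID, CLIENT_ID, now))

if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the extracted profile. In production, fetch the pool's jwks.json once and cache it, use a maintained JWT library rather than the hand-rolled verifier, and read the same attributes server-side with AdminGetUser or ListUsers when you need a profile outside a request.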