
  • Review Mode Set 2 – AWS Certified Security Specialty

  • blamingjessy

    September 25, 2021 at 9:25 pm


    Category: SEC – Identity and Access Management

    A Software Engineer has developed a web application to monitor the pending/processed orders on the corporate sales server. The application needs to be accessed by the Delivery, Finance, and Admin teams. The Security Administrator decided to integrate Amazon Cognito with the application to provide user sign-in functionality for the members of each team. The Delivery team should be able to update entries on the application while the Finance team only needs read permissions to verify the flow of orders.

    Which of the following options will help the Administrator grant distinct permissions for each team member?

    1. Cognito federated identities

    2. Cognito identity pool

    3. Cognito user pool groups

    4. Cognito sync


    Shouldn’t the answer be (2) instead of (3)? The question is clearly asking about an authorization service since it mentions “granting permissions for team members”…

    Can you shed some insight on this one?

    Thanks in advance!

  • Carlo-TutorialsDojo

    September 28, 2021 at 12:54 am

    Hello blamingjessy,

    Thanks for your feedback.

    When users sign in to the User Pool, they would still get temporary credentials from the Identity Pool. However, the permissions that will be associated with those users are determined by the IAM roles that you assigned to them in the User Pool Groups. For this question, you can specify distinct permissions for each team by using User Pool Groups.

    Let me know if this answers your question.


    Carlo @ Tutorials Dojo

  • Zackn

    October 7, 2021 at 3:31 am

    OP: it is a tricky question indeed. I had the same reflex at first. However, I think the answer is in this AWS doc link:


    “After you create a user pool, you can create, confirm, and manage user accounts. With Amazon Cognito user pool groups you can manage your users and their access to resources by mapping IAM roles to groups.”

    So basically, User Pool Groups are used to create separate groups depending on different permissions (IAM roles) you decided to assign them. Anytime I see STS or directly accessing resources on AWS (via STS), I choose Identity Pool as the answer. However, in this question, I still think User Pool is the correct answer as it mentions User Pools and Groups. The word “grant” is tricky to say the least.

    • Carlo-TutorialsDojo

      October 8, 2021 at 3:33 am

      Thanks for sharing your insight, Zackn.
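The mechanism Carlo and Zackn describe above (a user pool group carries an IAM role, and the identity pool hands out credentials for the role named in the user's token) is easy to get wrong when a member belongs to more than one team. The following is an added, stand-alone Python model of that behaviour; it is not code from Tutorials Dojo or AWS, makes no AWS calls, and every account id, role name and table ARN in it is a constructed placeholder. It applies the group precedence rule from the Cognito `CreateGroup` documentation (lowest `Precedence` wins, a tie between groups with different roles leaves `cognito:preferred_role` unset), the identity pool's `AmbiguousRoleResolution` setting (`Deny` or `AuthenticatedRole`), and shows a least-privilege policy per team, with the orders store modelled as a hypothetical DynamoDB table.

```python
"""Added example (not from the thread, Tutorials Dojo or AWS): models how
Amazon Cognito user pool groups map members to IAM roles and how an identity
pool configured with "Choose role from token" resolves the role to assume.
All identifiers below are constructed placeholders; nothing calls AWS."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account


@dataclass(frozen=True)
class UserPoolGroup:
    name: str
    role_arn: str
    precedence: int  # Cognito semantics: 0 is the highest precedence


def role_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{name}"


# Hypothetical groups for the three teams in the question, one IAM role each.
GROUPS: Dict[str, UserPoolGroup] = {
    "Admin": UserPoolGroup("Admin", role_arn("OrdersAdminRole"), 0),
    "Delivery": UserPoolGroup("Delivery", role_arn("OrdersUpdateRole"), 10),
    "Finance": UserPoolGroup("Finance", role_arn("OrdersReadOnlyRole"), 20),
}


def group_claims(memberships: List[str],
                 groups: Dict[str, UserPoolGroup] = GROUPS) -> dict:
    """Build the group-related claims Cognito places in a user's ID token.

    cognito:groups lists the group names and cognito:roles the role ARNs of
    every group the user is in (this listing of all roles is the example's
    modelling assumption). cognito:preferred_role is the role of the group
    with the lowest precedence value; if the lowest-precedence groups disagree
    on the role ARN, Cognito sets no preferred role at all.
    """
    members = [groups[g] for g in memberships]
    if not members:
        return {}
    claims = {
        "cognito:groups": [g.name for g in members],
        "cognito:roles": [g.role_arn for g in members],
    }
    lowest = min(g.precedence for g in members)
    top_roles = {g.role_arn for g in members if g.precedence == lowest}
    if len(top_roles) == 1:  # unambiguous winner (or tie on the same role)
        claims["cognito:preferred_role"] = top_roles.pop()
    return claims


def resolve_identity_pool_role(claims: dict,
                               authenticated_role: Optional[str],
                               ambiguous_role_resolution: str = "Deny") -> Optional[str]:
    """Identity pool role selection for a "Token" role mapping.

    ambiguous_role_resolution mirrors the identity pool setting of the same
    name: "Deny" returns None (no credentials issued), "AuthenticatedRole"
    falls back to the pool's default authenticated role.
    """
    preferred = claims.get("cognito:preferred_role")
    if preferred is not None:
        return preferred
    if ambiguous_role_resolution == "AuthenticatedRole":
        return authenticated_role
    return None


READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]
UPDATE_ACTIONS = READ_ACTIONS + ["dynamodb:UpdateItem"]
ADMIN_ACTIONS = UPDATE_ACTIONS + ["dynamodb:PutItem", "dynamodb:DeleteItem"]


def team_policy(team: str, table_arn: str) -> dict:
    """Least-privilege policy to attach to each team's role: Finance reads,
    Delivery reads and updates, Admin additionally creates and deletes.
    The orders store is a hypothetical DynamoDB table named by table_arn."""
    actions = {"Finance": READ_ACTIONS, "Delivery": UPDATE_ACTIONS,
               "Admin": ADMIN_ACTIONS}[team]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": table_arn}]}


if __name__ == "__main__":
    table = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/Orders"  # constructed
    for memberships in (["Finance"], ["Finance", "Delivery"], []):
        claims = group_claims(memberships)
        print(memberships, "->", resolve_identity_pool_role(claims, role_arn("DefaultAuthRole")))
    print(team_policy("Finance", table)["Statement"][0]["Action"])
```

The case worth checking before relying on groups for authorization is the second one: a user in both Finance and Delivery receives the Delivery role because its precedence value is lower, so group precedence, not membership order, decides what a multi-team member can do. With `AmbiguousRoleResolution` left at `Deny`, a user whose groups tie on precedence with different roles simply gets no credentials, which is the safer default.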
