Timed Mode Exam 3 – GraphQL API Backend Question

[jbeha]

A startup is building a mobile app and a custom GraphQL API backend that lets people post photos and videos of road potholes, faulty street lights, bridge damages, and other issues in the public infrastructure with 100-character summaries. The data gathered by the system will be used by the department of public works to facilitate fast resolution. The developers used a javascript-based React Native mobile framework so that it would run on various mobile and tablet devices. The app will be connecting to a custom GraphQL API that will be responsible for storing the photos and videos in an Amazon S3 bucket and will also access a DynamoDB table to store the summaries. The developers have recently deployed the mobile app prototype but it was found that there is an availability issue with the custom GraphQL API. To proceed with the project, the team decided to remove the API and instead, re-model the mobile app so that it will directly connect to both DynamoDB and S3 as well as handle user authentication.

Which of the following options provides the most cost-effective and scalable architecture for this project?

The wording on the incorrect answer seems to be too ambiguous and may need to be made more incorrect or marked as the correct answer:

1. Set up a web identity federation using Cognito and social identity providers like Amazon, Google, Facebook or any other OpenID Connect (OIDC)-compatible IdP.
2. Configure the IAM role in Cognito to allow access to S3 and DynamoDB.
3. The mobile app will use the AWS access and secret keys to store the photos and videos to an S3 bucket and persist the summaries to the DynamoDB database.

Temporary security credentials do involve AWS access and secret keys along with a session token. Using Cognito is also the better practice as it handles the different social identity providers and renewal of temporary credentials. The question should either say use long term or user credentials or change it to Cognito and temporary credentials. I understand TD exams are very good for nuances, but this one seems too ambiguous.

There is also a typo in another explanation:

The following option is incorrect because you should have used AssumRoleWithWebIdentity instead of AssumeRoleWithSAML API:

1. Set up a web identity federation using the AssumeRoleWithSAML API of STS and register with social identity providers like Amazon, Google, Facebook or any other OpenID Connect (OIDC)-compatible IdP.

2. Create an IAM role for that provider and set up permissions for the IAM role to allow access to S3 and DynamoDB.

3. The mobile app will use the AWS temporary security credentials to store the photos and videos to an S3 bucket and persist the summaries to the DynamoDB database.

Deeply appreciate the work that goes into these exams and just trying to help make them better.

• This discussion was modified 1 week, 6 days ago by  jbeha.