Developer Associate · 26% of the exam

Security: free practice questions

5 sample questions from our 65-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real AWS exam.

1. A development team is building a mobile application that authenticates users with Amazon Cognito User Pools. After authentication, the app receives an ID token, an access token, and a refresh token. The team wants to understand the correct usage of each token. Which of the following statements accurately describes the intended use of the ACCESS TOKEN in this context? (Select TWO)

  • A. The access token is used to call Amazon Cognito User Pools API operations that require user authentication, such as changing a password✓ Correct
  • B. The access token contains identity claims about the user (name, email) and is passed to the application backend to identify the user
  • C. The access token is a JWT that contains scopes and group membership information used to authorize requests to an OAuth 2.0-protected API✓ Correct
  • D. The access token should be passed to Amazon Cognito Identity Pools to obtain temporary AWS IAM credentials
  • E. The access token is used to retrieve new ID and access tokens without requiring the user to re-authenticate
Explanation

Correct (A): The Cognito access token is specifically designed to authorize calls to Cognito User Pool API operations (e.g., ChangePassword, UpdateUserAttributes) that require the user to be authenticated. Correct (C): The access token is a JWT that carries OAuth 2.0 scopes and Cognito group memberships; it is the correct token to present to an API Gateway with a Cognito authorizer or a custom OAuth 2.0 resource server to authorize API access. Wrong (B): Identity claims about the user (name, email, sub, etc.) are contained in the ID TOKEN, not the access token. Wrong (D): To obtain temporary AWS credentials from an Identity Pool, the ID token (not the access token) is the correct token to present to the Identity Pool's GetId and GetCredentialsForIdentity calls. Wrong (E): Using a token to get new tokens without re-authentication is the role of the REFRESH TOKEN, not the access token.

2. A developer is configuring an Amazon Cognito Identity Pool to grant authenticated users temporary AWS credentials. Users authenticate via a Cognito User Pool. The developer needs to ensure that each authenticated user can only read objects from an Amazon S3 prefix that matches their own Cognito User Pool sub (user ID). Which feature of Cognito Identity Pools should the developer use to enforce this per-user S3 access restriction?

  • A. Configure a single authenticated IAM role with an S3 bucket policy that uses aws:PrincipalTag to match the user's sub
  • B. Use IAM policy variables in the authenticated role's trust policy to scope access to the user's S3 prefix using cognito-identity.amazonaws.com:sub
  • C. Enable Role-Based Access Control (RBAC) in the Identity Pool and create a separate IAM role for every user
  • D. Use IAM policy variables in the authenticated IAM role's permissions policy, referencing ${cognito-identity.amazonaws.com:sub} to restrict S3 access to the matching prefix✓ Correct
Explanation

Cognito Identity Pools support IAM policy variables that are resolved at credential vending time. By using ${cognito-identity.amazonaws.com:sub} in the IAM permissions policy (e.g., as a condition or resource ARN prefix), you dynamically scope each user's temporary credentials to their specific S3 prefix without needing per-user roles. The trust policy controls who can assume the role, not what the role can access — placing access restrictions there is incorrect. Creating a separate IAM role per user is not scalable and is not a supported Identity Pool feature for this use case. Using aws:PrincipalTag requires attribute mapping and tag propagation through session tags, which is a more complex pattern and not the standard Identity Pool variable approach for this scenario.

3. A developer is configuring a Lambda authorizer (REQUEST type) for an Amazon API Gateway REST API. The authorizer Lambda must return an IAM policy. The developer wants the authorization result to be cached so the authorizer Lambda is not invoked on every request. A security requirement states that cached policies must be scoped to a specific user, not shared across different users. How should the developer configure the authorizer caching?

  • A. Enable authorizer caching with a TTL and set the Identity Source to method.request.header.Authorization only, ensuring each unique token maps to a cached policy
  • B. Enable authorizer caching with a TTL and set the Identity Source to a combination of values that uniquely identifies the caller (e.g., method.request.header.Authorization and method.request.header.X-User-Id), so the cache key is unique per user✓ Correct
  • C. Disable authorizer caching entirely, because REQUEST type authorizers cannot cache policies per user
  • D. Enable authorizer caching and return a policy with a Condition block that restricts reuse to the requesting IP address, which API Gateway enforces automatically
Explanation

For REQUEST type authorizers, the cache key is derived from the Identity Source fields configured by the developer. By including multiple request parameters (e.g., Authorization header plus a user-identifying header or query string), the cache key becomes unique per user, ensuring cached policies are not shared across different callers. Using only the Authorization header (option A) works if each user has a unique token, but the question implies a more explicit user-scoping requirement where combining multiple identity sources is the correct, explicit approach. REQUEST type authorizers do support caching — the claim that they cannot is false. API Gateway does not automatically enforce IP-based conditions from IAM policies in cached responses; the Condition-in-policy approach does not prevent the cached policy from being returned for a different user if the cache key is not unique.

4. A developer is configuring AWS WAF on an Amazon CloudFront distribution to protect a web application. The developer needs to block requests that contain a specific SQL injection pattern in query strings AND rate-limit any single IP address to no more than 500 requests per 5 minutes. Which WAF rule configuration achieves BOTH goals simultaneously?

  • A. Create a single Managed Rule Group that includes both the SQLi rule and a rate-based rule with a 500 request limit
  • B. Create one rule using the SQL injection match condition with Action: Block, and a separate rate-based rule with a limit of 500 and Action: Block; associate both with a Web ACL on the CloudFront distribution✓ Correct
  • C. Create a geo-match rule that blocks the originating country and a rate-based rule; WAF does not support SQL injection detection natively
  • D. Configure CloudFront to use Lambda@Edge for SQL injection filtering and a separate WAF rate-based rule for rate limiting
Explanation

AWS WAF natively supports both SQLi match conditions (via SQL injection match statements or AWS Managed Rules for SQLi) and rate-based rules. You create two separate rules in a Web ACL: (1) a rule with a SQL injection match statement targeting query strings, with Action: Block; and (2) a rate-based rule with a limit of 500 requests per 5-minute window, with Action: Block. Both rules are independent and work simultaneously within the same Web ACL associated with the CloudFront distribution. [A] Wrong – AWS Managed Rule Groups (e.g., AWSManagedRulesSQLiRuleSet) do not include rate-based rules. Managed Rules and rate-based rules are different rule types and must be added separately to the Web ACL. [C] Wrong – AWS WAF does natively support SQL injection detection through SQL injection match statements and managed rule groups. Geo-match rules filter by geography, which is unrelated to SQLi detection. [D] Wrong – While Lambda@Edge can perform custom request filtering, it adds complexity and latency. WAF already provides native SQLi detection without requiring custom code. Combining Lambda@Edge with WAF for this requirement is over-engineered and incorrect — WAF handles both requirements natively.

5. A developer is designing the trust policy for an IAM role that will be assumed by an Amazon EC2 instance in the same AWS account. Which trust policy correctly allows EC2 to assume the role?

  • A. { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }✓ Correct
  • B. { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" }
  • C. { "Effect": "Allow", "Principal": { "Federated": "ec2.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity" }
  • D. { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" }
Explanation

Option A is correct. An EC2 instance profile assumes a role using the EC2 service principal "ec2.amazonaws.com" with the sts:AssumeRole action. This trust policy statement is placed in the role's trust policy (not the permission policy) and allows the EC2 service to assume the role on behalf of the instance. Option B is incorrect because using the account root ARN as the principal allows any IAM entity in the account to assume the role (if they also have an identity-based policy allowing it), which is overly permissive and not specific to EC2. Option C is incorrect because the "Federated" principal type is used for web identity or SAML federation (e.g., Cognito, Google), not for EC2 service principals; additionally, sts:AssumeRoleWithWebIdentity is for federated web identity, not EC2 instance profiles. Option D is incorrect because lambda.amazonaws.com is the service principal for Lambda functions, not EC2 instances; using this would allow Lambda to assume the role, not EC2.

60 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free