AWS SAP-C02 · Question 46 · Domain 1.2: Security Controls
A company uses Amazon Cognito User Pools for customer authentication. They want to implement a custom security requirement: if a user logs in from an IP address that is different from their last login, they must be prompted for Multi-Factor Authentication (MFA). If the IP is the same, MFA should be bypassed. How can the architect implement this logic?
Answer options:
Enable Cognito Advanced Security Features and set the risk-based authentication to 'High'.
Use an AWS Lambda trigger for the 'Define Auth Challenge' and 'Create Auth Challenge' stages in Cognito.
Configure AWS WAF with a custom rule to inspect the IP and trigger an MFA redirect.
Use an IAM policy with the aws:SourceIp condition key attached to the Cognito User Pool.
Expert