nerdexam
Amazon

DVA-C02 · Question #533

A developer is writing a mobile application that allows users to view images from an S3 bucket. The users must be able to log in with their Amazon login, as well as supported social media accounts. Ho

The correct answer is A. Use Amazon Cognito with web identity federation.. Amazon Cognito with web identity federation enables users to authenticate using external identity providers such as Amazon, Facebook, and Google to obtain temporary AWS credentials.

Submitted by anna_se· Mar 5, 2026Development with AWS Services

Question

A developer is writing a mobile application that allows users to view images from an S3 bucket. The users must be able to log in with their Amazon login, as well as supported social media accounts. How can the developer provide this authentication functionality?

Options

  • AUse Amazon Cognito with web identity federation.
  • BUse Amazon Cognito with SAML-based identity federation.
  • CUse IAM access keys and secret keys in the application code to allow Get* on the S3 bucket.
  • DUse AWS STS AssumeRole in the application code and assume a role with Get* permissions on

How the community answered

(27 responses)
  • A
    89% (24)
  • C
    7% (2)
  • D
    4% (1)

Why each option

Amazon Cognito with web identity federation enables users to authenticate using external identity providers such as Amazon, Facebook, and Google to obtain temporary AWS credentials.

AUse Amazon Cognito with web identity federation.Correct

Amazon Cognito identity pools support web identity federation, allowing users to sign in with Amazon login or social providers (Facebook, Google, Apple) and receive temporary AWS credentials scoped to an IAM role. This is the purpose-built AWS service for this use case and avoids embedding long-term credentials in mobile app code.

BUse Amazon Cognito with SAML-based identity federation.

SAML-based identity federation is designed for enterprise SSO systems (e.g., Active Directory, Okta) and does not natively support consumer social media or Amazon login flows.

CUse IAM access keys and secret keys in the application code to allow Get* on the S3 bucket.

Embedding IAM access keys and secret keys directly in application code is a severe security anti-pattern and violates AWS security best practices.

DUse AWS STS AssumeRole in the application code and assume a role with Get* permissions on

AssumeRole requires the caller to already have valid AWS credentials; a mobile app user cannot call STS directly without first authenticating, creating a chicken-and-egg problem.

Concept tested: Amazon Cognito web identity federation for mobile apps

Source: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice