
SCS-C02 Question #289: Real Exam Question with Answer & Explanation

The correct answer is A: Extract the subject (sub), audience (aud), and cognito:username from the ID token payload.

Submitted by javi_es · Mar 6, 2026 · Identity and Access Management

Question

A security engineer has created an Amazon Cognito user pool. The engineer needs to manually verify the ID and access token sent by the application for troubleshooting purposes. What is the MOST secure way to accomplish this?

Options

  • A. Extract the subject (sub), audience (aud), and cognito:username from the ID token payload.
  • B. Search for the public key with a key ID that matches the key ID in the header of the token.
  • C. Verify that the token is not expired. Then use the token_use claim function in Amazon Cognito to
  • D. Copy the JSON Web Token (JWT) as a JSON document. Obtain the public JSON Web Key (JWK)

Explanation

Verifying the sub, aud, and cognito:username claims directly from the ID token payload is the recommended AWS approach for manual token inspection: these claims confirm the user identity, the intended audience (your app client ID), and the Cognito-specific username without relying on external tooling or unfinished steps. Option B (matching the key ID to a public key) is only one step in signature validation; stopping there does not complete the verification. Option C only checks expiration, which is a necessary but insufficient condition; skipping claim validation leaves the door open to token misuse. Option D risks exposing the JWT to third-party decoding services (such as jwt.io), which undermines confidentiality and is explicitly discouraged by AWS for production tokens.

Memory tip: Think "SAC": Sub (who the user is), Aud (which app the token is for), Cognito:username (the Cognito identity). Confirming all three from the payload gives you a complete, self-contained identity check without sending your token anywhere insecure.

Topics

Amazon Cognito, JWT, Token Validation, Troubleshooting
