Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.
For DVA-C02 candidates, the confusion often lies in when to use Cognito user pools vs identity pools and how to manage unauthenticated users securely and effectively. In production, this is about knowing exactly how guest users get temporary credentials and how authentication state is tracked for analytics and access control. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
NovaStream, a startup developing a mobile video streaming app, wants to offer a preview mode where guests can watch selected free video samples without creating an account. However, they also want to recognize returning registered users to provide full library access once they log in. Additionally, NovaStream needs to monitor how many guest users convert by signing up over time.
The Requirement #
Design an authentication and authorization solution that:
- Allows guest users to access sample content without registration.
- Identifies users who have registered and logged in.
- Tracks conversion from guest to authenticated user.
- Provides fine-grained access permissions for guest vs registered users.
The Options #
- A) Create an Amazon Cognito User Pool. Enable unauthenticated access. Exchange user tokens for temporary credentials to allow authenticated users to assume roles.
- B) Create an Amazon Cognito Identity Pool. Configure the identity pool to allow unauthenticated identities. Exchange unique identities for temporary credentials to allow all users to assume roles.
- C) Create an Amazon CloudFront distribution. Allow unauthenticated users. Exchange user tokens for temporary credentials to allow all users to assume roles.
- D) Create one IAM role for authenticated users with full content access. Create a separate IAM role for unauthenticated users with access only to samples.
- E) Allow all users to access sample content by default. Create an IAM role for authenticated users to access the other content.
Correct Answer #
B, D
Quick Insight: The Developer Imperative #
In AWS developer-focused auth workflows, Cognito Identity Pools manage authentication state by issuing temporary AWS credentials for both guest (unauthenticated) and signed-in users. This is how your app can securely grant scoped access based on authentication.
Meanwhile, role separation via IAM roles assigned in the Identity Pool ensures differentiation of access levels. That’s fundamental for managing permissions correctly between guest and authenticated users.
Cognito User Pools alone don’t support unauthenticated guest credentials, and CloudFront is unrelated to authentication token exchange.
The Expert’s Analysis #
Correct Answer #
Options B and D
The Winning Logic #
- Option B is the cornerstone: the Amazon Cognito Identity Pool supports both authenticated and unauthenticated users by issuing temporary AWS credentials tied to unique identities. This allows NovaStream's app to give guests secure, limited access and authenticated users expanded access, all while tracking unique IDs for analytics.
- Option D complements this by using two separate IAM roles attached to the Identity Pool: one role grants read access to sample content for unauthenticated users (guests), and a second role grants full content access to authenticated users. This separation is essential for enforcing permissions correctly without mixing access scopes.
- Why not A? Cognito User Pools handle the user directory and sign-in but do not directly provide unauthenticated guest access or the temporary AWS credentials needed for role assumption. User Pools authenticate users but cannot track unauthenticated user sessions.
- Why not C? CloudFront is a CDN service; it does not provide token exchange or authentication workflows.
- Why not E? Granting default open access to all users for sample content is a poor security practice and does not use IAM's fine-grained control through roles. It also removes the ability to distinguish guest access from authenticated access when tracking usage.
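The tracking point in Option B deserves a concrete illustration. The following is an added example, not code from the study note: it assumes the app records one analytics event per credential request with the IdentityId returned by the Identity Pool and whether the request carried a Logins map (authenticated) or not (guest). Because an unauthenticated identity keeps its IdentityId when a login is linked to it, an id that first appears as a guest and later as authenticated marks a conversion. The event list is constructed sample data.

```python
"""Guest-to-registered conversion derived from Identity Pool identity ids.

Added example (not part of the original study note). Assumes the app emits
one event per credential request: (timestamp, IdentityId, authenticated).
Relies on the Identity Pool behaviour that linking a login to an existing
unauthenticated identity keeps the same IdentityId; if the login already
belongs to another identity, Cognito merges them, and such a user would show
up here as "registered_without_guest_phase" rather than as a conversion.
"""
from datetime import datetime
from statistics import median

# Constructed sample events; identity ids are placeholders, not real values.
EVENTS = [
    ("2024-05-01T10:00:00", "us-east-1:aaaa-1", False),
    ("2024-05-01T10:05:00", "us-east-1:bbbb-2", False),
    ("2024-05-01T11:30:00", "us-east-1:aaaa-1", True),   # guest aaaa-1 signed up
    ("2024-05-02T09:00:00", "us-east-1:cccc-3", True),   # registered, never a guest
    ("2024-05-02T09:10:00", "us-east-1:bbbb-2", False),  # still browsing as guest
    ("2024-05-03T08:00:00", "us-east-1:dddd-4", False),
    ("2024-05-05T08:00:00", "us-east-1:dddd-4", True),   # converted after two days
]


def conversion_report(events):
    """Summarise how many guest identities later obtained authenticated credentials."""
    first_guest = {}  # identity id -> first time seen as a guest
    first_auth = {}   # identity id -> first time seen authenticated
    # ISO-8601 timestamps sort correctly as strings, so sorting the tuples
    # gives chronological order.
    for ts, ident, authed in sorted(events):
        when = datetime.fromisoformat(ts)
        bucket = first_auth if authed else first_guest
        bucket.setdefault(ident, when)

    # A conversion is a guest identity that became authenticated later on.
    converted = {
        i for i, g in first_guest.items()
        if i in first_auth and first_auth[i] > g
    }
    hours_to_convert = [
        (first_auth[i] - first_guest[i]).total_seconds() / 3600 for i in converted
    ]
    guests = len(first_guest)
    return {
        "guests": guests,
        "converted": len(converted),
        "conversion_rate": len(converted) / guests if guests else 0.0,
        "median_hours_to_convert": median(hours_to_convert) if hours_to_convert else None,
        # Identities only ever seen authenticated: registered users who never
        # used preview mode (or whose guest identity was merged away).
        "registered_without_guest_phase": len(set(first_auth) - set(first_guest)),
    }


if __name__ == "__main__":
    for key, value in conversion_report(EVENTS).items():
        print(f"{key}: {value}")
```

The report keys the metric on the Identity Pool's IdentityId rather than on device or session ids, which is exactly what makes the guest-to-registered link observable without the app maintaining its own identity store.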
The Technical Blueprint #
```bash
# CLI snippet to create the Identity Pool with unauthenticated (guest) identities enabled
aws cognito-identity create-identity-pool \
  --identity-pool-name "NovaStreamIdentityPool" \
  --allow-unauthenticated-identities
# Next step (not shown): attach the authenticated and unauthenticated IAM roles
# to the pool with set-identity-pool-roles
```
```json
// Example IAM trust policy for the unauthenticated role. The "aud" condition
// pins the role to this pool; the "amr" condition restricts it to guest identities.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "cognito-identity.amazonaws.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "IDENTITY_POOL_ID"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "unauthenticated"
      }
    }
  }]
}
```
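To see why the two conditions in that trust policy matter, and how the authenticated role in Option D differs from it, here is an added example that is not from the study note: a small local evaluator for the StringEquals and ForAnyValue:StringLike operators, run over constructed token claims. The pool id, the provider string in the authenticated user's `amr` claim, and the role names are placeholders I chose for illustration. It also covers the hybrid setup from the Real World section, where the authenticated identity comes from a User Pool login, and contrasts the correct `amr` values with an overly broad wildcard.

```python
"""Local evaluation of the Identity Pool role trust policies.

Added example (not from the study note). Implements only the two IAM
condition operators the trust policy uses, so the guest and registered-user
roles can be checked against sample claims offline. POOL_ID and the claims
below are constructed placeholders, not real identifiers.
"""
from fnmatch import fnmatchcase

POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # constructed


def trust_policy(pool_id, amr):
    """The trust policy from the blueprint, parameterised by the amr pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def condition_matches(condition, claims):
    """Evaluate StringEquals / StringLike with optional ForAnyValue/ForAllValues.

    All operator blocks and all keys must pass (AND). A claim key that is
    absent from the token fails the condition.
    """
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")   # e.g. "ForAnyValue", "StringLike"
        if base == "StringEquals":
            test = lambda actual, pattern: actual == pattern
        elif base == "StringLike":
            test = lambda actual, pattern: fnmatchcase(actual, pattern)
        else:
            raise ValueError(f"unsupported operator {operator}")
        for key, wanted in pairs.items():
            if key not in claims:
                return False
            actual = _as_list(claims[key])
            patterns = _as_list(wanted)
            hits = [any(test(a, p) for p in patterns) for a in actual]
            if set_op == "ForAnyValue":
                ok = any(hits)
            elif set_op == "ForAllValues":
                ok = all(hits)                   # vacuously true for an empty set
            elif set_op == "":
                ok = len(actual) == 1 and hits[0]  # single-valued key expected
            else:
                raise ValueError(f"unsupported set operator {set_op}")
            if not ok:
                return False
    return True


def role_allows(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
                and stmt["Principal"].get("Federated") == "cognito-identity.amazonaws.com"
                and condition_matches(stmt.get("Condition", {}), claims)):
            return True
    return False


# The two roles from Option D: samples only for guests, full library for sign-ins.
SAMPLES_ROLE = trust_policy(POOL_ID, "unauthenticated")
FULL_LIBRARY_ROLE = trust_policy(POOL_ID, "authenticated")
OVERLY_BROAD_ROLE = trust_policy(POOL_ID, "*")   # weak setting: any identity qualifies

AUD = "cognito-identity.amazonaws.com:aud"
AMR = "cognito-identity.amazonaws.com:amr"

# Constructed claims. A User Pool sign-in yields "authenticated" plus a provider
# entry; the provider string here is illustrative only.
GUEST_CLAIMS = {AUD: POOL_ID, AMR: ["unauthenticated"]}
USER_CLAIMS = {AUD: POOL_ID, AMR: ["authenticated",
                                   "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"]}
OTHER_POOL_GUEST = {AUD: "us-east-1:11111111-1111-1111-1111-111111111111", AMR: ["unauthenticated"]}


def which_roles(claims):
    """Which of the two NovaStream roles a set of identity claims may assume."""
    return {"samples_only": role_allows(SAMPLES_ROLE, claims),
            "full_library": role_allows(FULL_LIBRARY_ROLE, claims)}


if __name__ == "__main__":
    for name, claims in [("guest", GUEST_CLAIMS), ("user", USER_CLAIMS), ("other pool", OTHER_POOL_GUEST)]:
        print(name, which_roles(claims), "broad:", role_allows(OVERLY_BROAD_ROLE, claims))
```

The guest claims reach only the samples role, the signed-in user reaches only the full-library role, and a guest token from a different pool reaches neither because the `aud` check fails first. The wildcard variant admits both guest and user, which is exactly the scope mixing Option D is meant to prevent.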
The Comparative Analysis #
| Option | API Complexity | Performance | Use Case |
|---|---|---|---|
| A | Medium (User Pools auth tokens) | Not suited for guest access | Good for user auth only, no guest support |
| B | Low (Identity Pool token & role) | Fast, optimized for guest & auth users | Best for mixed auth + unauth access + tracking |
| C | N/A (CloudFront unrelated) | N/A | CDN, not auth |
| D | Low (Roles in Identity Pool) | Efficient role-based access | Fine grained permission for guest vs auth users |
| E | Low (Default access rule) | Potentially opens content | Weak access control and tracking |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick Amazon Cognito Identity Pool when you see guest (unauthenticated) user access with role-based temporary credentials.
Real World #
In production, we often combine User Pools for user management and Identity Pools for federation with roles. This hybrid approach lets you manage sign-in flows cleanly while enabling guest access and temporary credentials seamlessly.
Disclaimer
This is a study note based on simulated scenarios for the DVA-C02 exam.