Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 280 discussion

B. Verified Permissions works closely with Amazon Cognito user pools. Amazon Cognito JWTs have a predictable structure. Verified Permissions recognizes this structure and draws maximum benefit from the information that it contains. For example, you can implement a role-based access control (RBAC) authorization model with either ID tokens or access tokens. https://docs.aws.amazon.com/verifiedpermissions/latest/userguide/identity-sources.html

The correct answer is B. Amazon Verified Permissions is designed for fine-grained authorization using Cognito user attributes. It allows policies to be defined based on Cognito access tokens and user attributes (e.g., roles, permissions, or group memberships). Mapping Cognito attributes to the Verified Permissions schema ensures dynamic, attribute-based authorization. Why Use Verified Permissions? IAM roles and policies (Option A) control AWS resource access but are not ideal for fine-grained, application-level permissions. Verified Permissions allows policy-based, attribute-driven access control inside a custom application, which is better suited for fine-grained access control in a gaming application.

Explanation: Fine-grained authorization requires making access decisions based on user attributes, which go beyond standard IAM role-based access control. Amazon Verified Permissions provides policy-based access control (PBAC), allowing fine-grained authorization by evaluating policies against user attributes from Cognito. Mapping Cognito access tokens to Verified Permissions lets the application dynamically enforce access rules based on user attributes stored in Cognito.

A is the most straightforward and common solution for implementing fine-grained authorization using user attributes in Amazon Cognito. The approach uses IAM roles and policies, which are well-integrated with Cognito identity pools and can be configured dynamically based on user attributes, enabling fine-grained access control.