Answer: C
Explanation: Cognito User Pools manage user authentication and provide JSON Web Tokens (ID and Access tokens) upon login, but do not directly issue AWS credentials. To get AWS access keys/token after user login, you integrate with a Cognito Identity Pool (federated identities). All other options (social login integration, MFA, hosted UI) are true features of user pools.

Answer: C
Explanation: Never hard-code long-term credentials in your application. AWS best practices advise using IAM Roles (for AWS resources like EC2, Lambda, ECS tasks, etc.) or AWS STS to generate temporary, limited-privilege credentials for applications. This minimizes exposure from key leakage and allows automatic key rotation. Options A, B, and D are insecure: using root credentials or shared static keys is strongly discouraged due to the risk and lack of fine-grained control.

Answer: B
Explanation: Every IAM role has a trust policy (also called an assume role policy document) which lists the principals that are allowed to assume the role. This is where you specify either AWS services (e.g., EC2, Lambda) or other AWS accounts/ARNs that can use the role. The role’s permission policy, by contrast, defines what actions the role can perform once assumed. Instance profiles are just a mechanism to attach roles to EC2, and tags don’t grant trust by themselves.

Answer: A
Explanation: A Cognito Identity Pool often defines two IAM roles: one for authenticated identities (users who have logged in via some identity provider and received an identity), and one for unauthenticated identities (guest users, if you allow guest access). Cognito will switch between these based on whether the user is signed in. You would not create an identity pool per user (the pool holds many users' identities), and Identity Pools absolutely do use IAM roles under the hood. Sharing one static IAM user’s credentials for all users is not how Cognito is designed – instead it gives each user a federated identity and ephemeral creds.

Answer: A
Explanation: Customer Managed Policies are ideal for this scenario. You can define the exact permissions once and attach that single policy to multiple IAM principals (users, in this case). This is easier to maintain – if the policy needs updating, you update it in one place. Option B (inline on each user) means 15 separate policies to manage (error-prone and not scalable). An AWS Managed Policy might not fit your exact needs or could grant more than necessary; it’s best to create a least-privilege custom policy. Groups (with a policy attached) could also solve the scenario by attaching a managed policy to a group – but option D as stated has no policy, so it wouldn’t grant anything.

Answer: B
Explanation: Amazon Cognito User Pools follow the OpenID Connect standard, returning an ID Token (JWT) that contains user identity claims (name, email, etc.), an Access Token (for authorizing access to user pool-protected APIs or resources), and a Refresh Token (to get new tokens when the current ones expire). The ID Token is meant to share user identity info with your application (e.g., to personalize the UI), whereas the Access Token is used for authorization checks (it contains scopes or groups but not all profile attributes).

Answer: A
Explanation: When you assume a role or get session credentials from STS, you receive an Access Key ID, a Secret Access Key, and a Session Token. These work together as a set. The Access Key ID and Secret Key function like a normal credential pair, and the Session Token is a special token that must be included in API requests to prove the temporary credentials are valid. (Usernames/passwords or key pairs are not what STS provides; those are different auth mechanisms.)

Answer: C
Explanation: To allow an IAM principal in Account B to assume a role in Account A, you must update the role’s trust policy in Account A to trust that principal. Typically, this is done by specifying Account B’s account ID (or a specific user/role ARN in Account B) as a principal in the trust policy. Additionally, the user in Account B needs IAM permission to call STS:AssumeRole on that role. Sharing root credentials is insecure and not at all required. Simply “enabling” cross-account access in a service console is not how IAM roles work; it’s done via roles and policies. And IAM roles are not automatically assumable by everyone – only principals explicitly listed (or those that match a condition in the trust policy) can assume them.

Answer: B
Explanation: Web Identity Federation allows users who authenticate with an external identity provider (e.g., Facebook, Google, Amazon, or any OpenID Connect provider) to obtain temporary AWS credentials. Cognito Identity Pools facilitate this by trusting the external provider’s token and then calling STS to get credentials mapped to an IAM role. In this case, the user uses Facebook login, Cognito Identity Pool trades the Facebook OAuth token for AWS credentials tied to an IAM role (with, say, S3 access). EC2 assuming a role in another account is cross-account IAM (not web identity federation). AWS SSO is for enterprise SSO, and IAM user login is just a direct IAM authentication (not federating a web identity).

Answer: B
Explanation: The key advantage of a managed policy is reusability – you create it once (or use an AWS-provided one) and then attach it to many identities as needed. This also allows central updates. Inline policies, by contrast, are one-to-one attached to a single identity and cannot be easily reused or centrally managed. Option A is wrong because AWS doesn’t auto-optimize your policies; you must design them. All policies (inline or managed) have equal evaluation weight (no priority for managed vs inline, aside from explicit denies). And managed policies are visible in your account just like other policies (no “security through obscurity” there).

Answer: D
Explanation: Cognito User Pools support Lambda Triggers that execute your custom code at various stages of the authentication lifecycle. In this case, a Pre-Authentication Lambda trigger can be used to run custom validation before the user is allowed to sign in. (Other triggers exist for pre sign-up, post confirmation, token generation, etc.) EventBridge or SNS are not direct mechanisms for inline auth validation, and “Advanced Security” in Cognito refers to adaptive risk-based authentication, not arbitrary custom checks.

Answer: B
Explanation: An IAM user can call GetSessionToken (part of STS) with their long-term credentials and an MFA token code to get temporary session credentials. The returned session’s credentials will be valid only if MFA was used, satisfying any policies that require MFA (condition aws:MultiFactorAuthPresent). AssumeRole is typically used to assume IAM roles (and can include MFA if the role’s trust policy demands it, but for a direct IAM user session with MFA, GetSessionToken is the appropriate call). AssumeRoleWithWebIdentity is for federating via web identity providers, and GetCallerIdentity just returns details about the current credentials – it doesn’t issue new ones.

Answer: D
Explanation: An External ID is a string value that you, as the account owner, add as a condition in the role’s trust policy, and the third party must supply that same External ID in its AssumeRole API call. This ensures that only someone explicitly knowing the External ID (presumably the trusted third-party service) can assume the role, mitigating the “confused deputy” problem. MFA can be used for internal users, but a third-party service won’t have an MFA device in your account. IP address conditions might be used in some scenarios but are less reliable and not unique to the third party. Using access keys (long-term credentials) isn’t as secure or controllable as using a role with an external ID.

Answer: D
Explanation: Cognito Identity Pools use STS under the hood. For public identity providers (OIDC/OAuth2 like Google, Facebook, or even Cognito User Pool tokens), the Identity Pool uses the AssumeRoleWithWebIdentity API to trade the IdP's token for AWS credentials associated with the appropriate IAM role. (If using Cognito User Pools, Cognito acts as an OpenID Connect provider and similarly the call is AssumeRoleWithWebIdentity using the user pool’s ID token). GetFederationToken is an older method for custom federation using IAM users, and AssumeRole is used when you already have AWS credentials and just need to assume a role (not directly with a web ID token).

Answer: A
Explanation: An inline policy is embedded directly in an IAM principal (user, group, or role) and maintains a strict one-to-one relationship. If you delete that role, the inline policy goes with it automatically. This makes sense for exclusive, principle-specific rules that shouldn’t outlive the principal. A customer managed policy is a separate entity in your account – if you detach it or delete the role, that policy remains in the account (or could still be attached elsewhere). AWS managed policies are general-purpose and not tied to a single role. SCPs are used at the organization level (in AWS Organizations) and don’t attach to individual roles/users.