Q57 — AWS DVA-C02 Ch.3
A company has an application that uses Amazon Cognito User Pools as its identity provider. The company must ensure secure access to user records. The company has already enabled multi-factor authentication (MFA). The company also wants to send login activity notifications via email each time a user logs in. What is the most efficient solution to meet these requirements?
- A. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send email notifications. Add an Amazon API Gateway API to invoke the function. Call the API from the client after receiving login confirmation.
- B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send email notifications. Add an Amazon Cognito Post Authentication Lambda trigger for the function. ✓
- C. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send email notifications. Create an Amazon CloudWatch Logs subscription filter to invoke the function based on login status.
- D. Configure Amazon Cognito to stream all logs to Amazon Kinesis Data Firehose. Create an AWS Lambda function to process the streamed logs and send email notifications based on each user’s login status.
Correct Answer: B. Create an AWS Lambda function that uses Amazon Simple Email Service (Amazon SES) to send email notifications. Add an Amazon Cognito Post Authentication Lambda trigger for the function.
Explanation
Option B is optimal. Amazon Cognito supports Post Authentication Lambda triggers, which execute synchronously immediately after successful user authentication. This enables real-time, secure, and automatic delivery of login activity notifications without requiring client-side orchestration (Option A), log parsing overhead (Options C and D), or custom infrastructure. Using Amazon SES ensures reliable, scalable email delivery. This approach is natively integrated, secure, efficient, and fully managed.