ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare SaaS provider hosts a static React portal in an Amazon S3 bucket served through Amazon CloudFront. New compliance rules require each external user to authenticate with two distinct factors (knowledge and possession). The DevOps team wants a fully managed, serverless solution that avoids custom authentication code. Which option best meets the requirement?
Require CloudFront mutual TLS with ACM-issued client certificates and add the certificates to each user's mobile wallet.
Configure an Amazon Cognito user pool, enable TOTP-based MFA, and use the Cognito hosted sign-in UI to protect the CloudFront origin.
Enable AWS IAM Identity Center, create users in the directory, and enforce a 15-character password with quarterly rotation.
Store salted password hashes in AWS Secrets Manager and invoke them from a Lambda@Edge function on every login request.
Amazon Cognito user pools natively support MFA that combines a password (something the user knows) with either SMS or TOTP one-time codes (something the user has). When the hosted sign-in UI is used, authentication workflows, factor enrollment, and challenge screens are managed entirely by the service, so no application code changes or servers are necessary.
AWS IAM Identity Center can enforce strong passwords but does not, by itself, add a second factor for internet-facing applications without additional integration work. Storing credentials in Secrets Manager or executing custom Lambda@Edge logic still requires writing and maintaining authentication code, violating the team's constraint. Mutual TLS with client certificates proves device possession but does not add a knowledge factor, so it is not true MFA. Therefore, using Amazon Cognito with TOTP-based MFA and the hosted UI is the most appropriate solution.
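As an added illustration that is not part of the original question or its answer, the CloudFormation fragment below shows the shape of the configuration the correct option describes: a Cognito user pool with MFA required and TOTP (software token) enabled, an app client that signs users in through the hosted UI, and a hosted-UI domain. The resource names, the domain prefix and the portal URLs are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the original page) - Cognito user pool with required TOTP MFA and the hosted sign-in UI
Resources:
  PortalUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: portal-users          # placeholder name
      MfaConfiguration: "ON"              # every user must complete a second factor on each sign-in
      EnabledMfas:
        - SOFTWARE_TOKEN_MFA              # TOTP from an authenticator app (possession factor)
      Policies:
        PasswordPolicy:                   # password is the knowledge factor
          MinimumLength: 12
          RequireLowercase: true
          RequireUppercase: true
          RequireNumbers: true
          RequireSymbols: true
  PortalAppClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref PortalUserPool
      GenerateSecret: false               # public browser client; no client secret to leak
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code                            # authorization code flow for the React portal
      AllowedOAuthScopes:
        - openid
        - email
      SupportedIdentityProviders:
        - COGNITO
      CallbackURLs:
        - https://portal.example.com/callback   # placeholder portal URL
      LogoutURLs:
        - https://portal.example.com/           # placeholder portal URL
  PortalHostedUiDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref PortalUserPool
      Domain: portal-example-login        # placeholder prefix; must be unique in the region
```

With this in place the portal redirects unauthenticated visitors to the hosted UI, where the password prompt, the TOTP enrollment flow and the one-time-code challenge are rendered and validated by the service; the portal only receives the resulting OIDC tokens at the callback URL, so none of the factor-handling logic lives in application code.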
Access Controls