An IOS developer is creating a simple notes APP that includes functions such as notes creation, retrieval, and deletion for an authenticated user.The mobile application also requires sign-up and sign-in functionality. An API exposes the notes service through API Gateway. The developer would like to implement authorization in the API to identify the authenticated user and perform operations in the context of that user, such as Create Note and Delete Note. Which of the following should be used to achieve this requirement by AWS Cognito?

Answer options:

A.In Amazon Cognito, create an Identity pool used to return an ID and Access Token to the app for the authenticated user if the user logins successfully. The Access Token can then be used to authorize API invocations through API Gateway.
B.In Amazon Cognito, create users with proper IAM roles. Ensure the roles have proper policies to access API resources. Return the user.id if the user signs in successfully. The user.id can be used to invoke API for the notes service.
C.In Amazon Cognito, create an Identity Pool and User Pool. Connect the Identity Pool with the User Pool. First, authenticate with the identity pool to get the token, then exchange the token with the user pool to get temporary credentials. These credentials can be used to invoke API for the notes service.
D.In Amazon Cognito, create a User Pool and Identity Pool. Connect the Identity Pool with the User Pool. First, authenticate with the user pool to get the token, then exchange the token with the identity pool to get temporary credentials. These credentials can be used to invoke API for the notes service.

Correct Answer – D
 
Amazon Cognito has key components of user pools and identity pools, which can be used in several scenarios. User pools are user directories that provide sign-up and sign-in options. And Identity pools provide AWS credentials to grant your users access to other AWS services.
In this question, the App needs Cognito to implement the function of authorization for the API in the API gateway. It requires both the User pools and Identity Pools. In the first step, your app user signs in through a user pool and receives user pool tokens after successful authentication. Next, your app exchanges the user pool tokens for AWS credentials through an identity pool.
Option A is INCORRECT: Because it is User Pool, not Identity Pool which provides ID and Access Token.
Option B is INCORRECT: Because Cognito has used User Pool as a central place to manage user access instead of IAM roles. Moreover, user.id is not used to authorize users.
Option C is INCORRECT because User Pool should be used for authentication and the Identity Pool should be used for authorization.
Option D is CORRECT because both the identity and the user pool are connected. Identity pool is used to exchange tokens for AWS credentials.
Please refer to page 1 on the below link-
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-dg.pdf