ExamQuestions.com

AWS Certified Solutions Architect Professional Exam Questions

Question 452:

You use an AWS Cognito User Pool to configure a user directory for an application. You want to separate users into readers, contributors, and editors of the app. For example, readers can only read content from AWS S3 buckets, contributors can put content into Amazon S3 buckets, and editors have permission to publish content through an API in Amazon API Gateway. Which method is the best way to meet this requirement in AWS Cognito?

Answer options:

A. In IAM, add different groups and assign suitable IAM policies. In Amazon Cognito User Pool, assign users to the IAM groups.
B. Configure different IAM roles in IAM for readers, contributors and editors. In Amazon Cognito User Pool, configure each user with an IAM role.
C. In Amazon Cognito User Pool, create groups and assign IAM roles to them. Add users to the groups to assign the required permissions.
D. Directly attach an IAM policy to each user in Amazon Cognito User Pool. Make sure each user has an appropriate IAM policy according to the user role.