
Answer-first summary for fast verification
Answer: Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
The most suitable solution is to place the application behind an Application Load Balancer (ALB) and let the ALB perform authentication with Amazon Cognito. A Cognito user pool is configured with a SAML identity provider that points at the on-premises ADFS, and the ALB listener uses the authenticate-cognito action before forwarding to the EC2 target. Unauthenticated requests are redirected to the Cognito hosted UI, which federates to ADFS; after a successful sign-in the ALB maintains a session cookie and forwards the request, adding the user's identity in the x-amzn-oidc-* headers. The legacy application's code is untouched, and employees sign in with the same corporate credentials they already use. Two practical points: the authenticate action is only available on an HTTPS listener, and the instance's security group must accept traffic only from the ALB's security group, otherwise the authentication step can be bypassed by connecting to the instance directly. Option B does not fit because IAM Identity Center brokers access to AWS accounts and SAML/OIDC-integrated applications; an EC2 instance is not a resource you attach an IAM policy to in order to gate HTTP requests to a web application. Option C does not fit because a Cognito identity pool vends temporary AWS credentials rather than providing web login, and calling the Cognito SDK from the application means modifying its code, which the question rules out. Option D does not fit because Lambda authorizers are an Amazon API Gateway feature, not something a reverse proxy on EC2 consumes, and a security group rule cannot name a Lambda function as its source.
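As an added illustration (not part of the original page), the following Terraform sketch wires up option A: a Cognito user pool with a SAML identity provider for ADFS, an app client and hosted-UI domain for the ALB, an HTTPS listener whose first default action is authenticate-cognito, and an ingress rule that lets only the ALB reach the instance. The ADFS metadata URL, application hostname, domain prefix, and the ARNs and security group IDs passed as variables are assumed placeholders; the ALB, target group, certificate and security groups are assumed to already exist.

```hcl
# Added example, not from the original page. Placeholder values are assumptions.
variable "adfs_metadata_url"  { default = "https://adfs.example.corp/FederationMetadata/2007-06/FederationMetadata.xml" }
variable "app_hostname"       { default = "legacy.example.com" }
variable "alb_arn"            { description = "ARN of the existing ALB (assumed)" }
variable "target_group_arn"   { description = "Target group holding the EC2 instance (assumed)" }
variable "certificate_arn"    { description = "ACM certificate for the HTTPS listener (assumed)" }
variable "alb_sg_id"          { description = "Security group attached to the ALB (assumed)" }
variable "app_sg_id"          { description = "Security group attached to the EC2 instance (assumed)" }

resource "aws_cognito_user_pool" "employees" {
  name = "legacy-app-employees"
}

# SAML identity provider that delegates sign-in to on-premises ADFS.
# ADFS must list the user pool as a relying party with identifier
# urn:amazon:cognito:sp:<user pool id> and the hosted UI's /saml2/idpresponse
# endpoint as the assertion consumer URL.
resource "aws_cognito_identity_provider" "adfs" {
  user_pool_id  = aws_cognito_user_pool.employees.id
  provider_name = "ADFS"
  provider_type = "SAML"

  provider_details = {
    MetadataURL = var.adfs_metadata_url
  }

  # Map the e-mail claim issued by ADFS onto the Cognito email attribute.
  attribute_mapping = {
    email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

# Hosted UI domain; the ALB redirects unauthenticated users here.
resource "aws_cognito_user_pool_domain" "employees" {
  domain       = "legacy-app-auth-example" # assumed prefix, must be unique per region
  user_pool_id = aws_cognito_user_pool.employees.id
}

# App client used by the ALB: authorization-code flow, with a client secret,
# and the ALB's fixed callback path /oauth2/idpresponse.
resource "aws_cognito_user_pool_client" "alb" {
  name            = "legacy-app-alb"
  user_pool_id    = aws_cognito_user_pool.employees.id
  generate_secret = true

  supported_identity_providers         = [aws_cognito_identity_provider.adfs.provider_name]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email"]
  callback_urls                        = ["https://${var.app_hostname}/oauth2/idpresponse"]
}

# HTTPS listener: authenticate first, then forward. The authenticate action
# is only supported on HTTPS listeners.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.alb_arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn

  default_action {
    order = 1
    type  = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.employees.arn
      user_pool_client_id        = aws_cognito_user_pool_client.alb.id
      user_pool_domain           = aws_cognito_user_pool_domain.employees.domain
      on_unauthenticated_request = "authenticate" # redirect rather than deny
      session_timeout            = 3600
    }
  }

  default_action {
    order            = 2
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}

# The instance must only accept traffic from the ALB; a direct connection to
# the instance would skip the authentication step entirely.
resource "aws_security_group_rule" "app_from_alb_only" {
  type                     = "ingress"
  security_group_id        = var.app_sg_id
  from_port                = 80
  to_port                  = 80
  protocol                 = "tcp"
  source_security_group_id = var.alb_sg_id
}
```

Once applied, a request to https://legacy.example.com without a valid session cookie is redirected to the Cognito hosted UI, which in turn redirects to ADFS; after the SAML assertion is accepted the ALB sets its session cookie and forwards traffic to the instance with x-amzn-oidc-identity and x-amzn-oidc-data headers, which the application can ignore entirely since it has no authentication of its own.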
Author: LeetQuiz Editorial Team
A company operates multiple workloads on AWS, where employees authenticate using on-premises ADFS and SSO for access to the AWS Management Console. Recently, a legacy web application was migrated to an Amazon EC2 instance. This application lacks an integrated authentication system, yet employees must securely access it from anywhere on the internet. What is the most appropriate method for a security engineer to ensure that only authenticated employees can access this application without modifying its existing code?
A
Place the application behind an Application Load Balancer (ALB). Use Amazon Cognito as authentication for the ALB. Define a SAML-based Amazon Cognito user pool and connect it to ADFS.
B
Implement AWS IAM Identity Center (AWS Single Sign-On) in the management account and link it to ADFS as an identity provider. Define the EC2 instance as a managed resource, then apply an IAM policy on the resource.
C
Define an Amazon Cognito identity pool, then install the connector on the Active Directory server. Use the Amazon Cognito SDK on the application instance to authenticate the employees using their Active Directory user names and passwords.
D
Create an AWS Lambda custom authorizer as the authenticator for a reverse proxy on Amazon EC2. Ensure the security group on Amazon EC2 only allows access from the Lambda function.