🔐 Amazon Cognito - DVA-C02 Practice Questions

Implement user authentication and authorization with Cognito User Pools, Identity Pools, hosted UI, OAuth 2.0 / OIDC flows, MFA, custom attributes, and triggers.

16 Questions Available
1 Exam Domain

DVA-C02 Cognito Question Bank (16 Questions)

Browse all 16 practice questions covering Amazon Cognito for the DVA-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Security)

    A developer implements API Gateway with Cognito User Pool authorization. A user's JWT token has expired. What HTTP status code does API Gateway return?

    A. 400 Bad Request
    B. 401 Unauthorized
    C. 403 Forbidden
    D. 404 Not Found

  2. Question 2 (Security)

    An application uses Cognito User Pools for authentication. After sign-in, which token should the application use to authorize API calls?

    A. Refresh token
    B. Access token
    C. ID token
    D. Authorization code

  3. Question 3 (Security)

    A developer implements a sign-in flow with Cognito User Pools. After successful authentication, which tokens are returned?

    A. Access token only
    B. ID token, access token, and refresh token
    C. JWT token and SAML assertion
    D. Temporary AWS credentials

  4. Question 4 (Security)

    A developer uses Cognito User Pools and wants to require email verification before a user can sign in. Which trigger enforces this?

    A. Pre-authentication trigger
    B. Custom message trigger
    C. Cognito's built-in email verification (VerifyAuthChallengeResponse)
    D. Cognito account confirmation flow (auto-send verification code on sign-up)

  5. Question 5 (Security)

    A developer implements the Cognito Hosted UI for sign-in. After sign-in, Cognito redirects to the application with an authorization code. Which endpoint exchanges this code for tokens?

    A. Cognito /oauth2/authorize
    B. Cognito /oauth2/token
    C. Cognito /oauth2/userInfo
    D. Cognito /oauth2/revoke

  6. Question 6 (Security)

    A developer uses Cognito User Pools with a custom domain for the hosted UI. Where must the ACM certificate be created?

    A. In the same region as the Cognito User Pool
    B. In us-east-1 regardless of the Cognito pool region
    C. In the nearest region to the user
    D. In the global region

  7. Question 7 (Security)

    Which Cognito feature allows adding custom claims to JWT tokens during authentication via a Lambda function?

    A. Pre-authentication trigger
    B. Post-confirmation trigger
    C. Pre-token-generation trigger
    D. Custom message trigger

  8. Question 8 (Security)

    A developer uses Cognito User Pools with MFA. Which MFA methods are supported natively?

    A. Hardware tokens only
    B. SMS (OTP via SNS) and TOTP (authenticator apps)
    C. Email OTP and push notifications
    D. SMS only

  9. Question 9 (Security)

    Which Cognito flow is recommended for server-side authentication where the client secret can be stored securely?

    A. Implicit grant flow
    B. Authorization code flow with PKCE
    C. User pool API with USER_SRP_AUTH flow
    D. Client credentials flow

  10. Question 10 (Security)

    A developer implements Cognito User Pools. Which built-in feature prevents brute-force login attacks?

    A. Cognito identity federation
    B. Advanced Security features (Adaptive Authentication)
    C. IAM role trust policies
    D. Lambda post-authentication trigger

  11. Question 11 (Security)

    A Cognito User Pool is configured with a custom domain. Which service must be provisioned for the custom domain to work?

    A. Route 53 record pointing to the User Pool
    B. ACM certificate in us-east-1 for the custom domain
    C. CloudFront distribution for the User Pool
    D. API Gateway custom domain

  12. Question 12 (Security)

    A developer uses Cognito Identity Pools with an unauthenticated role. What does the unauthenticated role enable?

    A. Full admin access for anonymous users
    B. Limited AWS access for guest users without login
    C. Access to all Cognito User Pool features
    D. Access only to the Cognito hosted UI

  13. Question 13 (Security)

    A developer uses Cognito User Pools with social sign-in (Google). After a user signs in with Google, what does Cognito return to the application?

    A. Google OAuth tokens directly
    B. Cognito JWT tokens (ID, access, refresh) regardless of the identity provider
    C. AWS temporary credentials
    D. A SAML assertion

  14. Question 14 (Security)

    A mobile application uses Cognito Identity Pools to get AWS credentials. The user's role gets a policy that includes 'cognito-identity.amazonaws.com:sub' as a condition. What does this enforce?

    A. Users can only access resources in a specific region
    B. Users can only access their own DynamoDB items (using their Cognito identity as the partition key)
    C. Users must be authenticated before accessing the API
    D. Users can only upload to their own S3 folder

  15. Question 15 (Security)

    A developer uses Cognito User Pools and wants to add a custom attribute to the user profile (e.g., user role). How are custom attributes defined?

    A. In the Lambda pre-authentication trigger
    B. As custom attributes in the Cognito User Pool schema (e.g., custom:role)
    C. In DynamoDB linked to the Cognito user ID
    D. In the Cognito Identity Pool

  16. Question 16 (Security)

    A developer implements OAuth 2.0 with Cognito. Which grant type is appropriate for a mobile app where the client secret cannot be kept confidential?

    A. Client credentials grant
    B. Authorization code grant with PKCE
    C. Implicit grant
    D. Resource owner password credentials grant


Key Cognito Concepts for DVA-C02

cognito, user pool, identity pool, authentication, authorization, oauth, oidc, jwt, mfa, hosted ui, trigger

DVA-C02 Cognito Exam Tips

Amazon Cognito questions in DVA-C02 are typically scenario-based. Focus on application development patterns, event-driven integration, and secure coding on AWS. Priority concepts: cognito, user pool, identity pool, authentication, authorization, oauth.

What DVA-C02 Expects

  • Anchor your answer in selecting developer-friendly managed services and patterns that minimize custom undifferentiated code.
  • Cognito scenarios for DVA-C02 are frequently mapped to Domain 2 (26%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Cognito interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Cognito Concepts

  • Know the core Cognito building blocks cold: cognito, user pool, identity pool, authentication.
  • Review the edge-case features and limits for authorization, oauth; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Cognito pairs with API Gateway, IAM, Lambda in real deployment patterns.
  • For DVA-C02, explain why the chosen Cognito design meets reliability, security, and cost expectations better than the alternatives.

Common DVA-C02 Traps

  • Watch out for choosing infrastructure-centric answers instead of application-centric ones.
  • Questions in Security often include distractors that look correct for Cognito but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Cognito implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security (26%) outcomes for DVA-C02?
  • Can you explain security and access boundaries for Cognito without relying on default-open assumptions?
  • Can you describe how Cognito integrates with API Gateway and IAM during failure, scaling, and monitoring events?
