DVA-C02 · Question #267
A company's developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to th
The correct answer is A. Authorization caching is enabled in the custom Lambda authorizer.. When a Lambda authorizer has caching enabled, the cached authorization policy is reused for subsequent requests with the same token, even if the underlying IdP attributes have changed. The developer's new department attribute is ignored until the cache expires.
Question
A company's developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to the application by using federated credentials from a third-party identity provider (IdP) through Amazon Cognito. The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer. To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application. The developer is denied access. The developer then updates their department to Sales in the IdP and attempts to log in. Again, the developer is denied access. The developer checks the logs and discovers that access is being denied because the developer's access token has a department value of Engineering. Which of the following is a possible reason that the developer's department is still being reported as Engineering instead of Sales?
Options
- AAuthorization caching is enabled in the custom Lambda authorizer.
- BAuthorization caching is enabled on the Amazon Cognito user pool.
- CThe IAM role for the custom Lambda authorizer does not have a Department tag.
- DThe IAM role for the Amazon Cognito user pool does not have a Department tag.
How the community answered
(27 responses)- A67% (18)
- B19% (5)
- C4% (1)
- D11% (3)
Why each option
When a Lambda authorizer has caching enabled, the cached authorization policy is reused for subsequent requests with the same token, even if the underlying IdP attributes have changed. The developer's new department attribute is ignored until the cache expires.
API Gateway Lambda authorizer caching stores the policy returned for a given identity token for the configured TTL. After the developer updated their department in the IdP, the token presented to the authorizer still matched a cached 'deny' policy from the Engineering department check, so access remained denied regardless of the IdP change.
Amazon Cognito user pools do not have an 'authorization caching' feature; caching is a property of the API Gateway Lambda authorizer configuration, not the Cognito pool.
The IAM role for a Lambda authorizer governs what AWS actions the authorizer function itself can perform, not which user attributes are evaluated; Department tags on IAM roles are unrelated to this access control flow.
The IAM role for the Cognito user pool controls Cognito's ability to call AWS services internally; it does not affect how custom attributes like Department are evaluated in the Lambda authorizer.
Concept tested: API Gateway Lambda authorizer authorization caching
Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
Community Discussion
No community discussion yet for this question.