DVA-C02 · Question #389
A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token b
The correct answer is C. Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use. Amazon Cognito user pools issue JWT tokens (ID, access, and refresh tokens) that automatically expire and can be refreshed, and the Cognito Authorizer in API Gateway validates these tokens to restrict access to registered users only.
Question
A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically. How can a developer meet these requirements?
Options
- ACreate an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API
- BCreate and maintain a database record for each user with a corresponding token and use an
- CCreate an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use
- DCreate an IAM user for each API user, attach an invoke permissions policy to the API, and use an
How the community answered
(31 responses)- A16% (5)
- B3% (1)
- C74% (23)
- D6% (2)
Why each option
Amazon Cognito user pools issue JWT tokens (ID, access, and refresh tokens) that automatically expire and can be refreshed, and the Cognito Authorizer in API Gateway validates these tokens to restrict access to registered users only.
Cognito identity pools provide temporary AWS credentials (via STS) for accessing AWS services directly, not JWT tokens for authenticating API Gateway requests from registered application users.
Building a custom database-backed token system requires significant custom development for token generation, storage, validation, and expiry logic, introducing far more complexity than using the managed Cognito service.
A Cognito user pool handles user registration, authentication, and token issuance. The access and ID tokens have a configurable expiry (default 1 hour), and the refresh token allows clients to obtain new tokens without re-authenticating. Configuring a Cognito Authorizer in API Gateway ensures only valid, non-expired tokens from registered users can access the protected resources.
IAM users use long-lived access keys, not automatically expiring tokens suitable for end-user API authentication; distributing IAM credentials to application users is a security anti-pattern.
Concept tested: Amazon Cognito user pool authorizer with expiring JWT tokens
Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Community Discussion
No community discussion yet for this question.