nerdexam
Amazon

DVA-C02 · Question #389

A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token b

The correct answer is C. Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use. Amazon Cognito user pools issue JWT tokens (ID, access, and refresh tokens) that automatically expire and can be refreshed, and the Cognito Authorizer in API Gateway validates these tokens to restrict access to registered users only.

Submitted by sofia.br· Mar 5, 2026Security

Question

A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically. How can a developer meet these requirements?

Options

  • ACreate an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API
  • BCreate and maintain a database record for each user with a corresponding token and use an
  • CCreate an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use
  • DCreate an IAM user for each API user, attach an invoke permissions policy to the API, and use an

How the community answered

(31 responses)
  • A
    16% (5)
  • B
    3% (1)
  • C
    74% (23)
  • D
    6% (2)

Why each option

Amazon Cognito user pools issue JWT tokens (ID, access, and refresh tokens) that automatically expire and can be refreshed, and the Cognito Authorizer in API Gateway validates these tokens to restrict access to registered users only.

ACreate an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API

Cognito identity pools provide temporary AWS credentials (via STS) for accessing AWS services directly, not JWT tokens for authenticating API Gateway requests from registered application users.

BCreate and maintain a database record for each user with a corresponding token and use an

Building a custom database-backed token system requires significant custom development for token generation, storage, validation, and expiry logic, introducing far more complexity than using the managed Cognito service.

CCreate an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and useCorrect

A Cognito user pool handles user registration, authentication, and token issuance. The access and ID tokens have a configurable expiry (default 1 hour), and the refresh token allows clients to obtain new tokens without re-authenticating. Configuring a Cognito Authorizer in API Gateway ensures only valid, non-expired tokens from registered users can access the protected resources.

DCreate an IAM user for each API user, attach an invoke permissions policy to the API, and use an

IAM users use long-lived access keys, not automatically expiring tokens suitable for end-user API authentication; distributing IAM credentials to application users is a security anti-pattern.

Concept tested: Amazon Cognito user pool authorizer with expiring JWT tokens

Source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice