An application uses Amazon API Gateway and AWS Lambda. The API is public, but the company wants to restrict access so that only users who have authenticated via a third-party OpenID Connect (OIDC) identity provider can call the API. <br/><br/>What is the MOST appropriate way to secure the API?

Answer options:

Use an Amazon Cognito User Pool as an authorizer for the API Gateway.

Configure API Gateway to use AWS IAM authorization and create IAM users for each client.

Implement the OIDC validation logic inside the backend Lambda function.

Use AWS WAF to validate the OIDC tokens in the HTTP headers.

How to approach this question

Identify the service that handles third-party identity federation and integrates natively with API Gateway.

Full Answer

A.Use an Amazon Cognito User Pool as an authorizer for the API Gateway.✓ Correct

Amazon Cognito User Pools support federation with OIDC providers. You can configure an API Gateway method to use a Cognito User Pool authorizer, which validates the JWT token provided by the client before allowing the request to reach the backend.

Common mistakes

Choosing to implement validation in Lambda, which violates the best practice of offloading authorization to the API Gateway layer.

Question 14 All questions Question 16

Practice the full AWS SAA-C03 Practice Exam 4

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02An application running on Amazon EC2 instances needs to access an Amazon DynamoDB table. Both res...Easy Q03A company is designing a web application that will be hosted on AWS. The application will use an ...Medium Q04A company is building a mobile app that requires users to authenticate using their social media a...Hard Q05A solutions architect is designing a VPC for a three-tier web application. The database tier must...Medium

View all 65 questions →