Q54 — AWS DVA-C02 Ch.2
A company’s developer is building an application using Amazon API Gateway. The company wants to ensure only users from the Sales department can use the application. Users authenticate via Amazon Cognito using federated credentials from a backend identity provider (IdP). The developer has configured a claim mapping to map a Department claim and pass it to a custom AWS Lambda authorizer. To test access restrictions, the developer sets their department to Engineering in the IdP and attempts to log in—the request is denied. Then, the developer updates their department to Sales in the IdP and attempts to log in again—but is still denied. The developer checks logs and finds the access denial occurred because the Department claim in the authorization context still has the value Engineering. What is the most likely reason the Department claim remains Engineering instead of updating to Sales?
- A. Authorization caching is enabled in the custom Lambda authorizer. ✓
- B. Authorization caching is enabled on the Amazon Cognito user pool.
- C. The IAM role for the custom Lambda authorizer does not have a Department tag.
- D. The IAM role for the Amazon Cognito user pool does not have a Department tag.
Correct Answer: A. Authorization caching is enabled in the custom Lambda authorizer.
Explanation
Option A is correct: When authorization caching is enabled for the custom Lambda authorizer, API Gateway stores the authorizer's decision for the configured TTL and reuses it for subsequent requests instead of invoking the authorizer again. The cached decision was produced while the Department claim was still Engineering, so it continues to deny access even after the claim is changed to Sales in the IdP; the updated claim is not evaluated until the cached entry expires or the authorizer cache is flushed. The other options describe settings that do not exist or that play no role in how claims propagate from the IdP to the Lambda authorizer.