Q94 — AWS DVA-C02 Ch.2
A company is developing an application accessed via an Amazon API Gateway REST API. Only registered users can access certain API resources. Credentials must expire and require periodic refresh.
- A. Create an Amazon Cognito identity pool, configure an Amazon Cognito authorizer in API Gateway, and use temporary credentials generated by the identity pool.
- B. Create and maintain a database record for each user, and use an AWS Lambda authorizer in API Gateway for validation.
- C. Create an Amazon Cognito user pool, configure a Cognito authorizer in API Gateway, and use ID tokens or access tokens. ✓
- D. Create an IAM user for each API user, attach an invoke-permission policy to the API, and use an IAM authorizer in API Gateway.
Correct Answer: C. Create an Amazon Cognito user pool, configure a Cognito authorizer in API Gateway, and use ID tokens or access tokens.
Explanation
Option C is correct because Amazon Cognito user pools provide built-in user management, including registration, sign-in, token generation, and automatic token expiration and refresh. Configuring API Gateway with a Cognito authorizer ensures that only authenticated users can access protected resources. ID tokens or access tokens issued by Cognito expire according to their configured lifetimes and can be refreshed using Cognito’s refresh token mechanism.