Q14 — AWS DVA-C02 Ch.3
Question 14 of 100
A company is developing an application accessible via an Amazon API Gateway REST API. Only registered users should access certain API resources. Credentials must expire automatically and require periodic refresh. How should the developer meet these requirements?
- A. Create an Amazon Cognito identity pool, configure an Amazon Cognito Authorizer in API Gateway, and use temporary credentials issued by the identity pool.
- B. Create and maintain database records with tokens for each user, and use an AWS Lambda authorizer in API Gateway.
- C. Create an Amazon Cognito user pool, configure a Cognito Authorizer in API Gateway, and use ID or access tokens. ✓
- D. Create an IAM user for each API user, attach invocation permissions policies to the API, and use an IAM authorizer in API Gateway.
Correct Answer: C. Create an Amazon Cognito user pool, configure a Cognito Authorizer in API Gateway, and use ID or access tokens.
Explanation
Option C satisfies all requirements: an Amazon Cognito user pool provides scalable, secure sign-up and sign-in for registered users; the Cognito Authorizer in API Gateway validates the ID or access token presented in each request before the backend is invoked; and user pools issue short-lived ID and access tokens with configurable expiration, which clients renew with a refresh token, so access is time-limited without custom token management. Identity pools (option A) exist to exchange an identity (including guest or federated identities) for temporary AWS credentials rather than to register and authenticate end users. Option B would work technically but requires the developer to build and maintain the token store, expiry and revocation logic that Cognito already provides. IAM users (option D) are unsuitable for managing large numbers of end-user credentials.