Q28 — AWS DVA-C02 Ch.3
A developer created a web API using Amazon Elastic Container Service (Amazon ECS) and an Application Load Balancer (ALB). An Amazon CloudFront distribution uses the API as the origin for web clients. The application has received numerous requests containing invalid JSON Web Tokens (JWTs) in the Authorization header. The developer has extended the application to handle unauthenticated requests. How should the developer reduce the number of unauthenticated requests to the API?
- A. Add a request routing rule to the ALB to return a 401 status code when the Authorization header is missing.
- B. Add a container to the ECS task definition to validate JWTs and configure the new container as a dependency of the application container.
- C. Create a CloudFront Function for the distribution and use cryptographic modules within the function to validate JWTs. ✓
- D. Add an AWS Lambda custom authorizer to the CloudFront distribution to validate JWTs.
Correct Answer: C. Create a CloudFront Function for the distribution and use cryptographic modules within the function to validate JWTs.
Explanation
For this scenario, the developer needs to add additional security measures to validate and reduce unauthenticated requests. Given that the API is served via Amazon CloudFront as the origin for web clients and JWT validation issues already exist, here is an analysis of each option:

- Option A only returns a 401 status code when the Authorization header is missing, which does not address JWT validation.
- Option B, while feasible, does not directly resolve JWT validation at the CloudFront distribution layer.
- Option C, creating a CloudFront Function and using cryptographic modules within it to validate JWTs, is an effective solution. This enables authentication at the edge layer, filtering unauthorized requests before they reach the backend servers.
- Option D, adding an AWS Lambda custom authorizer to CloudFront, can validate JWTs but requires more configuration and integration effort.

Therefore, the most direct and effective solution is Option C, using a CloudFront Function to validate JWTs, adding a security layer at the edge to efficiently reduce unauthenticated requests.

【Lantern Certification provided by: swufelp1999】
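A sketch of the edge check Option C describes, as an added example that is not part of the original question or AWS's own code. It assumes HS256 tokens signed with a shared secret, a CloudFront Functions runtime that provides `Buffer` and `base64url` (JavaScript runtime 2.0), and a constructed placeholder secret; `signDemoToken` is a hypothetical helper for local testing only.

```javascript
// Viewer-request handler: reject missing, forged or expired JWTs at the edge.
const crypto = require('crypto');

// Constructed placeholder; a real deployment would load this from a secret store.
const SECRET = 'constructed-demo-secret';

function b64urlJson(part) {
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

// Comparison whose run time does not depend on where the strings differ.
function constantTimeEquals(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function verifyJwt(token, key, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  // Pin the algorithm; never let the token choose it.
  if (b64urlJson(parts[0]).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', key)
    .update(parts[0] + '.' + parts[1]).digest('base64url');
  if (!constantTimeEquals(expected, parts[2])) throw new Error('bad signature');
  const claims = b64urlJson(parts[1]);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('expired');
  return claims;
}

const DENY = { statusCode: 401, statusDescription: 'Unauthorized' };

function handler(event) {
  const request = event.request;
  const auth = request.headers.authorization; // CloudFront lowercases header names
  if (!auth || !auth.value.startsWith('Bearer ')) return DENY;
  try {
    verifyJwt(auth.value.slice(7), SECRET, Math.floor(Date.now() / 1000));
  } catch (e) {
    return DENY; // rejected at the edge; the ALB/ECS origin never sees it
  }
  return request; // valid token: forward to the origin
}

// Constructed helper for local testing only: mint a token with the demo secret.
function signDemoToken(claims, key) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const head = enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc(claims);
  return head + '.' + crypto.createHmac('sha256', key).update(head).digest('base64url');
}
```

The origin should still validate tokens itself; the edge check only cuts down how many invalid requests reach it.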