AWS Certified Developer – Associate (DVA-C02) — Question 238

A developer created a web API that receives requests by using an internet-facing Application Load Balancer (ALB) with an HTTPS listener. The developer configures an Amazon Cognito user pool and wants to ensure that every request to the API is authenticated through Amazon Cognito.

What should the developer do to meet this requirement?

Answer options

• A. Add a listener rule to the listener to return a fixed response if the Authorization header is missing. Set the fixed response to 401 Unauthorized.
• B. Create an authentication action for the listener rules of the ALSet the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to “deny.”
• C. Create an Amazon API Gateway API. Configure all API methods to be forwarded to the ALB endpoint. Create an authorizer of the COGNITO_USER_POOLS type. Configure every API method to use that authorizer.
• D. Create a new target group that includes an AWS Lambda function target that validates the Authorization header by using Amazon Cognito. Associate the target group with the listener.

Correct answer: B

Explanation

The correct answer is B because it directly configures the ALB to authenticate requests using Amazon Cognito, ensuring that unauthenticated requests are denied. Option A only responds with an error if the Authorization header is missing but does not enforce authentication. Option C adds unnecessary complexity by introducing API Gateway when ALB can handle the authentication directly, and Option D relies on a Lambda function, which is less efficient than using built-in ALB authentication features.