AWS Certified Developer – Associate (DVA-C02) — Question 248

A company’s developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to the application by using federated credentials from a third-party identity provider (IdP) through Amazon Cognito. The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.

To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application. The developer is denied access. The developer then updates their department to Sales in the IdP and attempts to log in. Again, the developer is denied access. The developer checks the logs and discovers that access is being denied because the developer’s access token has a department value of Engineering.

Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

Answer options

• A. Authorization caching is enabled in the custom Lambda authorizer.
• B. Authorization caching is enabled on the Amazon Cognito user pool.
• C. The IAM role for the custom Lambda authorizer does not have a Department tag.
• D. The IAM role for the Amazon Cognito user pool does not have a Department tag.

Correct answer: A

Explanation

The correct answer is A because if authorization caching is enabled in the custom Lambda authorizer, it may return a cached response based on the initial department value, Engineering, instead of fetching the updated value. Options B, C, and D do not directly relate to how the custom Lambda authorizer retrieves and processes the user's department attribute after authentication.