AWS Certified Developer – Associate (DVA-C02) — Question 344
A company has an internal website that contains sensitive data. The company wants to make the website public. The company must ensure that only employees who authenticate through the company's OpenID Connect (OIDC) identity provider (IdP) can access the website. A developer needs to implement authentication without editing the website.
Which combination of steps will meet these requirements? (Choose two.)
Answer options
- A. Create a public Network Load Balancer.
- B. Create a public Application Load Balancer.
- C. Configure a listener for the load balancer that listens on HTTPS port 443. Add a default authenticate action providing the OIDC IdP configuration.
- D. Configure a listener for the load balancer that listens on HTTP port 80. Add a default authenticate action providing the OIDC IdP configuration.
- E. Configure a listener for the load balancer that listens on HTTPS port 443. Add a default AWS Lambda action providing an Amazon Resource Name (ARN) to a Lambda authentication function.
Correct answer: B, C
Explanation
An Application Load Balancer (ALB) can authenticate users natively through its authenticate-oidc listener action: the ALB runs the OIDC authorization code flow with the IdP, issues a session cookie, and forwards only authenticated requests to the targets, so the website itself needs no changes (B is correct). Authenticate actions are supported only on HTTPS listeners, because the flow exchanges an authorization code, tokens and a session cookie that must not travel in cleartext; adding an authenticate action to an HTTP port 80 listener is rejected by the API (C is correct, D is not). A Network Load Balancer operates at layer 4 and has no authentication actions at all, which rules out A. Option E describes a configuration that does not exist in this form: Lambda is a target type that a forward action sends requests to, not a listener action, and writing a Lambda function to validate tokens would mean building the authentication logic yourself instead of offloading it.
Two practical points follow from offloading authentication to the ALB. The IdP must have the ALB's callback URL registered as an allowed redirect URI, https://<ALB DNS name or the site's CNAME>/oauth2/idpresponse, or the login flow fails. And the protection covers only traffic that passes through the ALB: the website's targets must accept traffic solely from the ALB's security group, otherwise anyone who can reach the instances directly bypasses authentication entirely. After a successful login the ALB passes the user's identity to the targets in the x-amzn-oidc-identity and x-amzn-oidc-data headers, which the website can ignore now and use later for authorization.
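The listener described in the explanation, as an added example that is not part of the original question. It builds the create_listener parameters in the shape boto3's elbv2 client expects (authenticate-oidc action first, forward action second) and pre-checks them against the constraints the question tests: ALB only, HTTPS only, authenticate before forward, no "allow" fallback for unauthenticated requests. All ARNs, the IdP issuer, endpoints and client credentials are constructed placeholders.

```python
"""Build and pre-check an ALB HTTPS listener that authenticates users against an
OIDC IdP before forwarding to the website's target group.

Added example, not from the original question or AWS. The ARNs, IdP URLs and
client credentials are constructed placeholders; the dict shape follows the
boto3 elbv2 create_listener parameters.
"""
from typing import List

# Constructed placeholders (no such resources exist).
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/intranet-alb/0123456789abcdef"
NLB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/intranet-nlb/0123456789abcdef"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/intranet-web/0123456789abcdef"
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012"
IDP_BASE = "https://idp.example.com"  # placeholder OIDC issuer


def oidc_authenticate_action(client_id: str, client_secret: str, order: int = 1) -> dict:
    """authenticate-oidc action: the ALB itself runs the authorization code flow."""
    return {
        "Type": "authenticate-oidc",
        "Order": order,
        "AuthenticateOidcConfig": {
            "Issuer": IDP_BASE,
            "AuthorizationEndpoint": f"{IDP_BASE}/authorize",
            "TokenEndpoint": f"{IDP_BASE}/oauth/token",
            "UserInfoEndpoint": f"{IDP_BASE}/userinfo",
            "ClientId": client_id,
            "ClientSecret": client_secret,
            "Scope": "openid",
            "SessionCookieName": "AWSELBAuthSessionCookie",
            "SessionTimeout": 3600,  # seconds; the default (7 days) is long for sensitive data
            "OnUnauthenticatedRequest": "authenticate",  # redirect to the IdP; 'allow' would let traffic through
        },
    }


def forward_action(target_group_arn: str, order: int = 2) -> dict:
    return {"Type": "forward", "Order": order, "TargetGroupArn": target_group_arn}


def build_listener(load_balancer_arn: str, protocol: str, port: int,
                   client_id: str, client_secret: str) -> dict:
    """Parameters for elbv2.create_listener(**spec)."""
    spec = {
        "LoadBalancerArn": load_balancer_arn,
        "Protocol": protocol,
        "Port": port,
        "DefaultActions": [oidc_authenticate_action(client_id, client_secret),
                           forward_action(TARGET_GROUP_ARN)],
    }
    if protocol == "HTTPS":
        spec["SslPolicy"] = "ELBSecurityPolicy-TLS13-1-2-2021-06"
        spec["Certificates"] = [{"CertificateArn": CERT_ARN}]
    return spec


def check_listener(spec: dict) -> List[str]:
    """Reasons the listener would be rejected or would be insecure (empty = OK)."""
    problems = []
    lb_type = spec["LoadBalancerArn"].split(":loadbalancer/")[1].split("/")[0]
    if lb_type != "app":
        problems.append("authenticate-oidc is only supported on Application Load Balancers (ARN type 'app')")
    if spec["Protocol"] != "HTTPS":
        problems.append("authenticate-oidc requires an HTTPS listener")
    ordered = sorted(spec["DefaultActions"], key=lambda a: a["Order"])
    types = [a["Type"] for a in ordered]
    if "authenticate-oidc" not in types:
        problems.append("no authenticate-oidc action")
    elif "forward" not in types or types[-1] != "forward" \
            or types.index("authenticate-oidc") > types.index("forward"):
        problems.append("authenticate-oidc must precede the final forward action")
    for action in ordered:
        if action["Type"] != "authenticate-oidc":
            continue
        cfg = action["AuthenticateOidcConfig"]
        if cfg.get("OnUnauthenticatedRequest") != "authenticate":
            problems.append("OnUnauthenticatedRequest must be 'authenticate', not 'allow'")
        for key in ("Issuer", "AuthorizationEndpoint", "TokenEndpoint", "UserInfoEndpoint"):
            if not cfg.get(key, "").startswith("https://"):
                problems.append(f"{key} must be an https:// URL")
    return problems


def idp_redirect_uri(alb_dns_name: str) -> str:
    """Callback URL the IdP must have registered for this client."""
    return f"https://{alb_dns_name}/oauth2/idpresponse"


def create_listener(spec: dict) -> dict:
    """The real API call; only run after check_listener(spec) returns []."""
    import boto3  # imported here so the pre-checks run without boto3 installed
    return boto3.client("elbv2").create_listener(**spec)


if __name__ == "__main__":
    spec = build_listener(ALB_ARN, "HTTPS", 443, "alb-client-id", "alb-client-secret")
    print(check_listener(spec) or "listener spec OK")
    print("register at IdP:", idp_redirect_uri("intranet-alb-123.us-east-1.elb.amazonaws.com"))
```

Run check_listener before create_listener; it reproduces the API's rejection of HTTP listeners and non-ALB ARNs offline and additionally flags OnUnauthenticatedRequest values that would silently weaken the setup.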