AWS Certified Developer – Associate (DVA-C02) — Question 383

A company is developing an application that will be accessed through the Amazon API Gateway REST API. Registered users should be the only ones who can access certain resources of this API. The token being used should expire automatically and needs to be refreshed periodically.

How can a developer meet these requirements?

Answer options

• A. Create an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API Gateway, and use the temporary credentials generated by the identity pool.
• B. Create and maintain a database record for each user with a corresponding token and use an AWS Lambda authorizer in API Gateway.
• C. Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.
• D. Create an IAM user for each API user, attach an invoke permissions policy to the API, and use an IAM authorizer in API Gateway.

Correct answer: C

Explanation

Amazon Cognito user pools are designed for user directory management, authentication, and token handling (ID, access, and refresh tokens) which inherently support automatic expiration. By integrating a Cognito Authorizer with Amazon API Gateway, the API can seamlessly validate these JSON Web Tokens (JWTs) without custom code. Using Cognito identity pools (Option A) or IAM users (Option D) is meant for AWS resource authorization rather than user-level API access control, while managing custom tokens in a database (Option B) introduces unnecessary operational overhead.