AWS Certified Developer – Associate (DVA-C02) — Question 551
A developer is troubleshooting an application. The application includes several AWS Lambda functions that invoke an Amazon API Gateway API. The API Gateway's method request is set up to use an Amazon Cognito authorizer for authentication.
All the Lambda functions pass the user ID as part of the Authorization header to the API Gateway API. The API Gateway API returns a 403 status code for all GET requests.
How should the developer resolve this issue?
Answer options
- A. Modify the client GET request to include a valid API key in the Authorization header.
- B. Modify the client GET request to include a valid token in the Authorization header.
- C. Update the resource policy for the API Gateway API to allow the execute-api:Invoke action.
- D. Modify the client to send an OPTIONS preflight request before the GET request.
Correct answer: B
Explanation
Amazon Cognito authorizers require a valid ID or access token issued by the Cognito user pool in the Authorization header to authenticate a request; a raw user ID is not a credential. Because the Lambda functions currently send the user ID instead of a valid token, the Cognito authorizer rejects every request and API Gateway returns a 403 Forbidden response. Modifying the client to send a valid Cognito token resolves this authentication failure.