AWS Certified Developer – Associate — Question 211
A company is building a serverless microservice for an existing application that uses AWS Lambda functions and Amazon API Gateway. The microservice needs to authenticate against an on-premises identity provider (IdP) that supports the OpenID Connect (OIDC) standard.
What should the company do to implement the API authorization mechanism with the LEAST operational overhead?
Answer options
- A. Use an API Gateway HTTP API to invoke the Lambda functions. Set the JSON Web Token (JWT) issuer as the public OIDC endpoint of the on-premises IdP.
- B. Use an API Gateway HTTP API to invoke the Lambda functions. Create an Amazon Cognito identity pool. Create a federation between the identity pool and the on-premises IdP. Set the identity pool as the JSON Web Token (JWT) issuer.
- C. Use an API Gateway REST API to invoke the Lambda functions. Configure the JSON Web Token (JWT) issuer to link to the on-premises IdP over the public internet.
- D. Use an API Gateway REST API to invoke the Lambda functions. Create an Amazon Cognito identity pool. Create a federation between the identity pool and the on-premises IdP. Set Amazon Cognito as the authorizer.
Correct answer: D
Explanation
Option D is correct because it uses Amazon Cognito, which simplifies the integration with the on-premises IdP while providing built-in authorization features. The other options either do not use Cognito for federation or use HTTP APIs, which do not support the same level of authorization features as REST APIs.