AWS Certified Developer – Associate — Question 251

A developer created a web API that receives requests by using an internet-facing Application Load Balancer (ALB) with an HTTPS listener. The developer configures an Amazon Cognito user pool and wants to ensure that every request to the API is authenticated through Amazon Cognito.

What should the developer do to meet this requirement?

Answer options

• A. Add a listener rule to the listener to return a fixed response if the Authorization header is missing. Set the fixed response to 401 Unauthorized.
• B. Create an authentication action for the listener rules of the ALSet the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to "deny."
• C. Create an Amazon API Gateway API. Configure all API methods to be forwarded to the ALB endpoint. Create an authorizer of the COGNITO_USER_POOLS type. Configure every API method to use that authorizer.
• D. Create a new target group that includes an AWS Lambda function target that validates the Authorization header by using Amazon Cognito. Associate the target group with the listener.

Correct answer: B

Explanation

The correct answer is B because configuring an authentication action with the authenticate-cognito action type ensures that all requests are validated against the Amazon Cognito user pool, denying any unauthenticated access. Option A does not provide adequate authentication and only addresses missing headers, while Option C introduces unnecessary complexity by involving an API Gateway. Option D suggests using a Lambda function for validation, which is not as efficient or direct as using ALB's built-in Cognito authentication capabilities.