AWS Certified Developer – Associate — Question 260

A company's developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to the application by using federated credentials from a third-party identity provider (IdP) through Amazon Cognito. The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.

To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application. The developer is denied access. The developer then updates their department to Sales in the IdP and attempts to log in. Again, the developer is denied access. The developer checks the logs and discovers that access is being denied because the developer's access token has a department value of Engineering.

Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

Answer options

Correct answer: A

Explanation

The correct answer, A, indicates that authorization caching for the custom Lambda authorizer is still serving the result produced while the department was Engineering, so the updated Sales value is not evaluated until the cached entry expires. Option B is incorrect because the issue lies with the Lambda authorizer's cached result, not with Cognito's user pool. Options C and D focus on IAM roles, which do not affect the department attribute mapping in this scenario.
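To make the caching behaviour concrete, the following simulation is an added example (not code from the exam question or from AWS): a TOKEN-style Lambda authorizer that allows only `Department == "Sales"`, placed behind an in-memory model of API Gateway's authorizer result cache, which is keyed by the identity source (the token value) and lives for the configured TTL. The token format, the IdP record, the method ARN and the 300-second TTL are all constructed assumptions, and the claims lookup stands in for real JWT validation (signature, issuer, expiry), which a production authorizer must perform.

```python
DEFAULT_TTL_SECONDS = 300  # assumption: API Gateway's default authorizer result TTL (max 3600)
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3/prod/GET/sales"  # constructed


def build_policy(effect, principal_id, resource, department):
    """Shape of a TOKEN authorizer response: principal, IAM policy, and context for the integration."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": {"department": department},
    }


def make_handler(claims_lookup):
    """Return a Lambda authorizer handler.

    claims_lookup(token) is assumed to validate the token and return its claims; it is a
    constructed stand-in here, not real JWT verification.
    """
    def lambda_handler(event, context=None):
        claims = claims_lookup(event["authorizationToken"])
        department = claims.get("custom:Department", "")
        effect = "Allow" if department == "Sales" else "Deny"
        return build_policy(effect, claims.get("sub", "unknown"), event["methodArn"], department)
    return lambda_handler


class AuthorizerCache:
    """Model of API Gateway's authorizer result cache.

    Entries are keyed by the identity source (the token value) and kept for ttl_seconds;
    ttl_seconds=0 disables caching so every request invokes the authorizer.
    """
    def __init__(self, handler, ttl_seconds):
        self.handler = handler
        self.ttl = ttl_seconds
        self.entries = {}  # token -> (expires_at, policy)
        self.invocations = 0

    def authorize(self, event, now):
        key = event["authorizationToken"]
        cached = self.entries.get(key)
        if cached and now < cached[0]:
            return cached[1]  # a stale policy is served until the entry expires
        policy = self.handler(event)
        self.invocations += 1
        if self.ttl > 0:
            self.entries[key] = (now + self.ttl, policy)
        return policy


def effect_of(policy):
    return policy["policyDocument"]["Statement"][0]["Effect"]


def run_scenario(ttl_seconds):
    """Replay the question's sequence with an unchanged token and return the observed effects.

    Assumption: the application keeps presenting the same token value, so the cache key does
    not change when the developer's department is updated in the IdP.
    """
    directory = {"dev-1": {"sub": "dev-1", "custom:Department": "Engineering"}}  # constructed IdP record

    def claims_lookup(token):
        return dict(directory[token.split(".")[0]])  # constructed token format "<sub>.<sig>"

    gateway = AuthorizerCache(make_handler(claims_lookup), ttl_seconds)
    event = {"type": "TOKEN", "authorizationToken": "dev-1.sig", "methodArn": METHOD_ARN}

    first = effect_of(gateway.authorize(event, now=0))                 # Engineering -> Deny, cached
    directory["dev-1"]["custom:Department"] = "Sales"                  # department updated in the IdP
    second = effect_of(gateway.authorize(event, now=60))               # inside the TTL: cached Deny
    third = effect_of(gateway.authorize(event, now=ttl_seconds + 1))   # after the TTL: re-evaluated
    return first, second, third, gateway.invocations


if __name__ == "__main__":
    print("TTL 300s:", run_scenario(DEFAULT_TTL_SECONDS))  # ('Deny', 'Deny', 'Allow', 2)
    print("TTL 0s:  ", run_scenario(0))                    # ('Deny', 'Allow', 'Allow', 3)
```

With the default TTL the second attempt is still denied even though the IdP now reports Sales, which is exactly the symptom in the question; only after the cached entry expires (or the authorizer cache is flushed, or the TTL is set to 0 during testing) does the authorizer see the new department value.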