AWS Certified Developer – Associate — Question 336
A company has a web application in an Amazon Elastic Container Service (Amazon ECS) cluster running hundreds of secure services in AWS Fargate containers. The services are in target groups routed by an Application Load Balancer (ALB). Application users log in to the website anonymously, but they must be authenticated using any OpenID Connect protocol-compatible identity provider (IdP) to access the secure services.
Which authentication approach would meet these requirements with the LEAST amount of effort?
Answer options
- A. Configure the services to use Amazon Cognito.
- B. Configure the ALB to use Amazon Cognito.
- C. Configure the services to use AWS Security Token Service (AWS STS) with the OpenID Connect IdP.
- D. Configure the Amazon ECS cluster to use AWS Security Token Service (AWS STS) with the OpenID Connect IdP.
Correct answer: B
Explanation
Answer B needs the least effort because the ALB performs the authentication itself. A listener rule with an authenticate-cognito action (followed by a forward action) redirects unauthenticated users to the Cognito hosted UI, and a Cognito user pool can federate with any OIDC-compliant identity provider, so no authentication code has to be written or maintained in the hundreds of Fargate services. After a user signs in, the ALB adds the x-amzn-oidc-accesstoken, x-amzn-oidc-identity and x-amzn-oidc-data headers to the requests it forwards, and a service that needs the user's identity reads those headers instead of running an OIDC flow of its own; paths that must stay anonymous simply get listener rules without an authenticate action. (The ALB also offers an authenticate-oidc action that talks to the IdP directly, but among the listed options only B keeps authentication at the load balancer.) Options A and C put the OIDC flow inside every service, and option D describes a setting that does not exist: AWS STS issues temporary AWS credentials, including to OIDC web identities, but it does not authenticate end users of a web application, and an ECS cluster has no such configuration. Two things still belong in the backend: restrict the target security group so that traffic can only arrive from the ALB, and verify the ES256 signature on the x-amzn-oidc-data JWT with the ALB's public key before trusting its claims, because a client that can reach the tasks directly could otherwise forge the headers.
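As an added worked example (not part of the original question or of AWS's own code), the listener-rule actions that implement answer B, a check that they are ordered the way the ALB requires, and a decoder for the x-amzn-oidc-data JWT that the ALB adds to authenticated requests. Every ARN, client ID, domain and token below is a constructed placeholder, and the decoder deliberately stops short of signature verification, which needs the key published by the ALB's regional public-key endpoint.

```python
"""
Added example for this question (not from the original page or from AWS):
the ALB listener-rule actions behind answer B, a check that they are ordered
the way the ALB requires, and a decoder for the x-amzn-oidc-data JWT that the
ALB adds to requests it has authenticated. Every ARN, ID, domain and token
here is a constructed placeholder.
"""
import base64
import json
import time

# Constructed placeholders (assumptions, not real resources).
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
USER_POOL_CLIENT_ID = "1example23456789abcdef"
USER_POOL_DOMAIN = "example-auth"  # Cognito hosted-UI domain prefix
SECURE_TG_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/secure-svc/0123456789abcdef"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef"


def secure_path_rule(path_pattern="/secure/*"):
    """Listener rule (shape accepted by boto3 elbv2.create_rule) for the secure
    services: authenticate at the ALB first, then forward. Anonymous paths get a
    plain forward rule with no authenticate action, so the public site stays open."""
    return {
        "Conditions": [{"Field": "path-pattern", "Values": [path_pattern]}],
        "Actions": [
            {
                "Type": "authenticate-cognito",
                "Order": 1,
                "AuthenticateCognitoConfig": {
                    "UserPoolArn": USER_POOL_ARN,
                    "UserPoolClientId": USER_POOL_CLIENT_ID,
                    "UserPoolDomain": USER_POOL_DOMAIN,
                    "Scope": "openid",
                    "SessionCookieName": "AWSELBAuthSessionCookie",
                    "SessionTimeout": 3600,  # seconds; shorter than the 7-day default
                    # "authenticate" redirects unauthenticated users to the hosted UI;
                    # "deny" returns 401 and "allow" passes them through without claims.
                    "OnUnauthenticatedRequest": "authenticate",
                },
            },
            {"Type": "forward", "Order": 2, "TargetGroupArn": SECURE_TG_ARN},
        ],
    }


def actions_are_well_ordered(actions):
    """The authenticate action must run before the final forward; a rule whose
    first action is the forward would expose the targets without authentication."""
    types = [a["Type"] for a in sorted(actions, key=lambda a: a["Order"])]
    return len(types) >= 2 and types[0].startswith("authenticate-") and types[-1] == "forward"


def _b64url_decode(segment):
    # Accept both padded and unpadded base64url: ALB-issued tokens can carry
    # '=' padding, which strict JWT libraries reject.
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_identity_header(oidc_data, expected_alb_arn, now=None):
    """Decode x-amzn-oidc-data and apply the claim checks a target should make.
    The ES256 signature is NOT verified here: before trusting the claims, fetch
    the key named by 'kid' from https://public-keys.auth.elb.<region>.amazonaws.com/<kid>
    and verify it. Checking 'signer' rejects tokens minted by a different ALB,
    but only the signature check rejects a forged one."""
    parts = oidc_data.split(".")
    if len(parts) != 3:
        raise ValueError("x-amzn-oidc-data is not a JWT")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if header.get("signer") != expected_alb_arn:
        raise ValueError("token was not issued by our ALB")
    # The ALB places the expiry in the JWT header, not in the payload.
    if float(header.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return {"kid": header["kid"], "sub": payload["sub"], "claims": payload}


def _enc(obj):
    # urlsafe_b64encode keeps '=' padding, mirroring what the ALB emits.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()


def sample_token(exp, signer=ALB_ARN):
    """Constructed token in the ALB's layout with a dummy signature (demo only)."""
    header = {"typ": "JWT", "kid": "00000000-0000-0000-0000-000000000000", "alg": "ES256",
              "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
              "client": USER_POOL_CLIENT_ID, "signer": signer, "exp": int(exp)}
    payload = {"sub": "11111111-2222-3333-4444-555555555555", "email": "user@example.com"}
    return ".".join([_enc(header), _enc(payload), "bm90LWEtcmVhbC1zaWduYXR1cmU="])


if __name__ == "__main__":
    rule = secure_path_rule()
    print("rule well ordered:", actions_are_well_ordered(rule["Actions"]))
    print(decode_identity_header(sample_token(time.time() + 120), ALB_ARN))
```

The rule dictionary can be passed straight to boto3's `elbv2.create_rule` together with `ListenerArn` and `Priority`; the decoder is what a Fargate service would call on each request, after the signature check it deliberately leaves to the ALB public-key lookup.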