AWS Certified Developer – Associate — Question 420
A developer has created a web API that uses Amazon Elastic Container Service (Amazon ECS) and an Application Load Balancer (ALB). An Amazon CloudFront distribution uses the API as an origin for web clients. The application has received millions of requests with a JSON Web Token (JWT) that is not valid in the authorization header. The developer has scaled out the application to handle the unauthenticated requests.
What should the developer do to reduce the number of unauthenticated requests to the API?
Answer options
- A. Add a request routing rule to the ALB to return a 401 status code if the authorization header is missing.
- B. Add a container to the ECS task definition to validate JWTs. Set the new container as a dependency of the application container.
- C. Create a CloudFront function for the distribution. Use the crypto module in the function to validate the JWT.
- D. Add a custom authorizer for AWS Lambda to the CloudFront distribution to validate the JWT.
Correct answer: C
Explanation
CloudFront Functions operate at edge locations closer to the client, allowing you to validate JWTs using the built-in crypto module before the requests ever reach the ALB or ECS backend. This effectively filters out unauthorized traffic at the edge, reducing backend load and preventing unnecessary scaling. Other solutions like ALB routing rules cannot validate JWT signatures, and ECS-level validation still requires the backend to process the incoming requests.
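The edge check described above, sketched as a viewer-request CloudFront Function (an added example, not part of the original question or AWS sample code). It assumes the JavaScript runtime 2.0, HS256-signed tokens, and a placeholder shared secret; `SECRET`, `verifyJwt` and the other helper names are hypothetical.

```javascript
const crypto = require('crypto');

// Placeholder shared secret (assumption); keep the real value out of source control.
const SECRET = 'REPLACE_WITH_SHARED_SECRET';

function b64urlHmac(data, key) {
  return crypto.createHmac('sha256', key).update(data).digest('base64url');
}

// Compare signatures without returning early on the first differing character.
function constantTimeEquals(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns the payload object when the token is valid, otherwise null.
function verifyJwt(token, key, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch (e) {
    return null;
  }
  // Pin the algorithm instead of trusting "alg" from the token (rejects "none").
  if (!header || !payload || header.alg !== 'HS256') return null;
  const expected = b64urlHmac(parts[0] + '.' + parts[1], key);
  if (!constantTimeEquals(expected, parts[2])) return null;
  // Policy assumption: tokens must carry a numeric, unexpired "exp".
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return null;
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) return null;
  return payload;
}

const UNAUTHORIZED = { statusCode: 401, statusDescription: 'Unauthorized' };

// Viewer-request handler: answer 401 at the edge, or pass the request to the origin.
function handler(event) {
  const request = event.request;
  const auth = request.headers.authorization;
  const match = auth && /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/.exec(auth.value);
  if (!match) return UNAUTHORIZED;
  const claims = verifyJwt(match[1], SECRET, Math.floor(Date.now() / 1000));
  return claims ? request : UNAUTHORIZED;
}
```

Requests that fail the check receive the 401 from the edge location and never reach the ALB or the ECS tasks.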