AWS Certified Generative AI – Professional (AIP-C01) — Question 76
A company is developing a new AI-powered application that needs to integrate with various specialized tools. These tools currently run as Model Context Protocol (MCP) servers on developers' local machines and do not maintain state between invocations. The company plans to deploy each MCP server as an AWS Lambda function to support the company's production application.
The solution must be accessible to both internal applications and authorized third-party partners. The solution must use strict authentication and authorization controls.
Which additional steps will meet these requirements with the LEAST operational overhead?
Answer options
- A. Create a custom Lambda invocation transport by using the Lambda Invoke API. Implement IAM authentication and grant InvokeFunction permissions to authorized users and roles.
- B. Expose the Lambda functions through Amazon API Gateway REST API endpoints. Implement API keys for authentication. Configure the applications that need to access the MCP servers to use standard HTTP requests instead of the MCP protocol.
- C. Create Lambda function URLs and enable a custom Streamable HTTP transport and SigV4. Implement AWS IAM authentication. Grant InvokeFunctionUrl permissions to authorized users and roles.
- D. Expose the Lambda function through Amazon API Gateway HTTP API endpoints with the Streamable HTTP transport. Use Amazon Cognito to implement OAuth authentication. Configure API Gateway to validate OAuth tokens.
Correct answer: D
Explanation
Option D is correct because it exposes the Lambda-hosted MCP servers through Amazon API Gateway HTTP API endpoints and delegates authentication to OAuth tokens issued by Amazon Cognito and validated by API Gateway, which gives strict access control for both internal applications and third-party partners with minimal operational overhead. Options A and C add complexity through custom transports or configurations that require more maintenance, while option B relies on API keys, which do not provide the strong authentication needed for third-party access.