Exam AWS Certified Developer - Associate DVA-C02 topic 1 question 102 discussion

The answer is A. Here is a reference directly from AWS docs: "If you need some of the capabilities of Lambda@Edge that are not available with CloudFront Functions, such as network access or a longer execution time, you can still use Lambda@Edge before and after content is cached by CloudFront." Since the requirement is to access the STS service, network access is required. Therefore, it can't be Cloudfront functions. Also, as a side note it's worth to mention that Cloudfront functions can only execute for up to 1ms. Apparently this isn't enough to fetch user creds (tokens) from STS. The table in the following link summarises the differences between Cloudfront functions and Lambda@edge https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/

The difference between A and B is the SDK for Javascript in use here; Lambda@Edge functions can be written in a variety of programming languages, including Node.js, Python, and Java, while CloudFront functions are written in JavaScript.

B) Eliminated - CloudFront functions are lightweight JavaScript functions designed for simple HTTP request and response manipulations (e.g., header rewrites, URL rewrites). They cannot access AWS services like STS or assume roles C/D) Eliminated - Moving the credentials from the JSON file to the Lambda@Edge function does not eliminate the core issue of hardcoding credentials

A is the correct answer.

Why A is Correct: Lambda@Edge for Secure Credential Management: Lambda@Edge allows you to run Lambda functions in response to CloudFront events. By using Lambda@Edge, the developer can securely manage credentials by keeping them out of the client-side code. Invoking on Viewer Request: Invoking the Lambda@Edge function on viewer requests ensures that the credential generation happens in real-time, securely, and as needed, without exposing any sensitive information. Execution Role with STS Access: Assigning the Lambda function an execution role with permissions to access AWS STS (Security Token Service) enables the function to securely request temporary, limited-privilege credentials on behalf of the client. Moving SDK Calls to Lambda@Edge: Transferring all AWS SDK calls from the frontend to the Lambda@Edge function prevents exposing any credentials in the frontend code, enhancing security.

A. Lambda@Edge allows you to run Lambda functions in response to CloudFront events. By using a Lambda@Edge function, you can securely handle the process of obtaining credentials from AWS STS without exposing them in the client-side application code. The function's execution role can be granted the necessary permissions to interact with AWS STS, and SDK calls can be made from within this server-side environment. This approach centralizes credential management and AWS interactions in a more secure, server-side context.

I think i will also go with A as cloudfront functions can only read authorization headers from the viewer request if it sees the authorization header request. And Clouf front functions has no access to internet.

I will go for A, check the link below, Cloudfront functions are just within Cloudfront, hence, they DONT HAVE NETWORK ACCESS. Network access is required to make a call to AWS STS. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions.html

The answer is B. I was in agreement with csG13 until a further research into the JavaScript SDK and STS. Found the following: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cloudfront/classes/stsclient.html. Since the question states Js SDK and STS the answer is B.

Option A.

https://www.examtopics.com/discussions/amazon/view/89838-exam-aws-certified-developer-associate-topic-1-question-361/

Cloud front function doesn't have network access, it has to be lambda @ edge I l