Exam AWS Certified Developer Associate topic 1 question 78 discussion

C seems right to me https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-validate-token.html

A) Eliminated - ALB does not have built-in support for JWT validation. It cannot determine if a JWT is valid or invalid, only whether the authorization header exists. B) Eliminated - This approach introduces unnecessary complexity and does not efficiently reduce unauthenticated requests. D) Eliminated - it is less efficient than CloudFront functions - due to increase cost

A. AWS CloudTrail AWS CloudTrail provides detailed logging and auditing capabilities for API actions across various AWS services, including AWS Lambda and Amazon S3. By enabling CloudTrail, the developer can capture the API calls made to create the S3 buckets and review the logs to identify any errors or issues in the Lambda function execution. With CloudTrail, the developer can track the API activity and see if the Lambda function is invoked properly when a new S3 bucket is created. It can help identify any errors, exceptions, or misconfigurations that may be causing the S3 Lifecycle policy not to be attached. By reviewing the CloudTrail logs, the developer can gain visibility into the sequence of API calls, parameters, and responses, allowing them to troubleshoot and resolve the issue with the Lambda function not attaching the S3 Lifecycle policy as expected.

D should be the answer . This is from ChatGpt :- Option C, creating a CloudFront function for the distribution to validate the JWT, is not recommended as the crypto module is not officially supported by AWS for use in CloudFront functions. Moreover, it can be complex to manage and maintain custom code in a CloudFront function.

I don’t think you guys are correct. The answer Should be D. A custom authorizer is an AWS Lambda function that verifies the token and returns an IAM policy that specifies the permissions for the requested resource. This will ensure that only authenticated requests are passed through to the API, reducing the number of unauthenticated requests.

C is correct.

You can offload authorization by using CloudFront Function. Find full example code here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-validate-token.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html The question states the JWT is sent as part of authorization header. In the solution C, it assumes that JWT will be sent as part of query string.

I vote for C! The following example function validates a JSON web token (JWT) in the query string of a request. If the token is valid, the function returns the original, unmodified request to CloudFront. If the token is not valid, the function generates an error response. This function uses the crypto module. This function assumes that requests contain a JWT value in a query string parameter named jwt. Also, for this function to work, you must configure CloudFront to cache based on the jwt query string parameter. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/example-function-validate-token.html