Exam AWS Certified Developer Associate topic 1 question 294 discussion

Exam question from Amazon's AWS Certified Developer Associate
Question #: 294
Topic #: 1

A company's developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Sales department can use the application. The users authenticate to the application by using federated credentials from a third-party identity provider (IdP) through Amazon Cognito. The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.

To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application. The developer is denied access. The developer then updates their department to Sales in the IdP and attempts to log in. Again, the developer is denied access. The developer checks the logs and discovers that access is being denied because the developer's access token has a department value of Engineering.

Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

  • A. Authorization caching is enabled in the custom Lambda authorizer.
  • B. Authorization caching is enabled on the Amazon Cognito user pool.
  • C. The IAM role for the custom Lambda authorizer does not have a Department tag.
  • D. The IAM role for the Amazon Cognito user pool does not have a Department tag.
Suggested Answer: A

Comments

lrom
Highly Voted 2 years, 4 months ago
Selected Answer: A
https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
upvoted 6 times
rcaliandro
Most Recent 1 year, 9 months ago
Selected Answer: A
A is correct because it is using the Lambda authorization caching policy. So, even if we pass another department as a string, the Lambda will return the access denied from the cache rather than evaluate the parameter and send the most updated answer.
upvoted 1 times
Ankit1010
2 years, 2 months ago
A The most likely reason that the developer's department is still being reported as Engineering instead of Sales is because authorization caching is enabled on the custom Lambda authorizer. This means that the Lambda function is caching the authorization decision and returning the cached result for subsequent requests with the same token, rather than re-evaluating the authorization policy for each request. If the developer's access token was issued before the Department attribute was updated in the IdP, then the cached authorization decision would still be based on the old attribute value. To fix this, the developer can either disable authorization caching on the custom Lambda authorizer or wait until the cache expires and try again with a fresh access token.
upvoted 1 times
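To make the caching behaviour that the comment above describes concrete, here is an added example (not code from the page, from the commenters, or from AWS) that simulates an API Gateway Lambda authorizer together with the gateway's authorization cache. The cache is keyed on the identity source, i.e. the bearer token, so a cached Deny for a given token is reused until the TTL elapses without invoking the function again. The claim name `custom:Department`, the token table, the method ARN and the helper names are all constructed for the example; real tokens would be signed JWTs whose signature, issuer, audience and expiry are validated before any claim is trusted.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed sample tokens standing in for opaque bearer tokens issued after
# federation through Cognito. Real tokens are signed JWTs; here the claims are
# looked up from a table so the block runs offline.
TOKEN_CLAIMS: Dict[str, Dict[str, str]] = {
    "token-eng": {"sub": "dev-1", "custom:Department": "Engineering"},
    "token-sales": {"sub": "dev-1", "custom:Department": "Sales"},
}

# Constructed method ARN of the protected API route.
METHOD_ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"


def build_policy(principal_id: str, effect: str, method_arn: str, department: str) -> dict:
    """Return a policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
        # Values placed in "context" reach the backend as $context.authorizer.*
        "context": {"department": department},
    }


def authorizer_handler(event: dict, _context=None) -> dict:
    """Hypothetical Lambda authorizer: allow only callers whose Department claim is Sales.

    Token validation (signature, issuer, audience, expiry) is assumed to happen before
    the claims are trusted; the table lookup stands in for that step.
    """
    token = event["authorizationToken"]
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = TOKEN_CLAIMS.get(token)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    department = claims.get("custom:Department", "")
    effect = "Allow" if department == "Sales" else "Deny"
    return build_policy(claims["sub"], effect, event["methodArn"], department)


class CachingGateway:
    """Simulates API Gateway's authorization cache: the decision is keyed on the
    identity source (the bearer token) and reused until the TTL elapses, so the
    authorizer is not invoked again for that token in the meantime."""

    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache: Dict[str, Tuple[float, dict]] = {}
        self.invocations = 0  # how many times the Lambda actually ran

    def authorize(self, token: str) -> str:
        now = self.clock()
        hit = self._cache.get(token)
        if self.ttl > 0 and hit and now - hit[0] < self.ttl:
            return hit[1]["policyDocument"]["Statement"][0]["Effect"]  # served from cache
        self.invocations += 1
        policy = authorizer_handler({"authorizationToken": f"Bearer {token}", "methodArn": METHOD_ARN})
        if self.ttl > 0:
            self._cache[token] = (now, policy)
        return policy["policyDocument"]["Statement"][0]["Effect"]


def replay_scenario(ttl_seconds: int) -> Tuple[list, int]:
    """Replay the question's sequence against a gateway with the given cache TTL.
    Returns the list of effects observed and how many times the authorizer ran."""
    fake_now = [1000.0]
    gw = CachingGateway(ttl_seconds, clock=lambda: fake_now[0])
    effects = [gw.authorize("token-eng")]        # first attempt as Engineering: Deny, now cached
    effects.append(gw.authorize("token-eng"))    # same token again: the cache answers, no re-evaluation
    fake_now[0] += ttl_seconds + 1               # let the cache entry expire
    effects.append(gw.authorize("token-eng"))    # re-evaluated, but this token still carries Engineering
    effects.append(gw.authorize("token-sales"))  # a freshly issued token is a new cache key: Allow
    return effects, gw.invocations


if __name__ == "__main__":
    print(replay_scenario(300))  # caching enabled (300 s TTL)
    print(replay_scenario(0))    # caching disabled: every request invokes the authorizer
```

With a 300-second TTL the second request never reaches the Lambda function, and even after expiry the re-evaluated decision is still Deny as long as the old token is presented; only a new token (a new cache key carrying the updated claim) yields Allow. Setting the TTL to 0 disables caching and the authorizer runs on every request, which is the trade-off between latency and freshness of the authorization decision.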
pancman
2 years, 2 months ago
Selected Answer: A
Easy, the answer is A. A Lambda authorizer is an API Gateway feature that uses a Lambda function which controls access to the API. The problem here is that the developer has enabled caching. First time he tries accessing the API with department set to engineering, API gateway receives the information and caches it. The second time he tries to access the API, the information is not being checked again. So the department field doesn't get updated, because its value has been cached on the first try.
upvoted 1 times
by116549
2 years, 3 months ago
Being the question states this: "The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer" It rules out C and D leaving A or B. Seems A when checking this resource: https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html
upvoted 2 times
k1kavi1
2 years, 4 months ago
Selected Answer: A
Going with A
upvoted 2 times
michaldavid
2 years, 4 months ago
Difficult one. I guess either A or B..
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%)