Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 200 discussion

KEYWORD: LEAST operational overhead To control access to the REST API and reduce development efforts, the company can use an Amazon Cognito user pool authorizer in API Gateway. This will allow Amazon Cognito to validate each request and ensure that only authenticated users can access the API. This solution has the LEAST operational overhead, as it does not require the company to develop and maintain any additional infrastructure or code. Therefore, Option D is the correct answer. Option D. Configure an Amazon Cognito user pool authorizer in API Gateway to allow Amazon Cognito to validate each request.

Control access to a REST API using Amazon Cognito user pools as authorizer https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Answer D By integrating Amazon Cognito User Pools with API Gateway, you can secure your APIs and control access based on user authentication and authorization, allowing you to build secure and scalable web and mobile applications.

Option D. Configure an Amazon Cognito user pool authorizer in API Gateway to allow Amazon Cognito to validate each request.

A is possible if the authorisation logic makes sense and does not require operational overhead. B is too much overhead for each new user. C is lol D Company already has Cognito for it's users so just integrate it with the API gateway This question and options are poorly worded an A could be a reasonable choice if more information is provided. Just keep that in mind for the exam!

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

The description of this question is really bad. Company is using Cognito to manage users already, but still verifying user info from dynamodb, very wired situation. But just select Cognito when you see Api gateway + cognito + authentication + least efforts

use Amazon Cognito to authorize user requests.

D. Configure an Amazon Cognito user pool authorizer in API Gateway to allow Amazon Cognito to validate each request

Option D is the best solution with the least operational overhead: Configure an Amazon Cognito user pool authorizer in API Gateway to allow Amazon Cognito to validate each request. The key reasons are: º Cognito user pool authorizers allow seamless integration between Cognito and API Gateway for access control. º API Gateway handles validating the access tokens from Cognito automatically without any custom code. º This is a fully managed solution with minimal ops overhead.

By configuring an Amazon Cognito user pool authorizer in API Gateway, you can leverage the built-in functionality of Amazon Cognito to authenticate and authorize users. This eliminates the need for custom development or managing access keys. Amazon Cognito handles user authentication, securely manages user identities, and provides seamless integration with API Gateway for controlling access to the REST API. A. Configuring an AWS Lambda function as an authorizer in API Gateway would require custom implementation and management of the authorization logic. B. Creating and assigning an API key for each user would require additional management and validation logic in an AWS Lambda function. C. Sending the user's email address in the header and validating it with an AWS Lambda function would also require custom implementation and management of the authorization logic. Option D, using an Amazon Cognito user pool authorizer, provides a streamlined and managed solution for controlling access to the REST API with minimal operational overhead.

solution will meet these requirements with the LEAST operational overhead is option D.

LEAST operational overhead = Serverless = Cognito user pool

D is correct.

Answer : D

D is correct

There is a difference between "Grant Access" (Authentication done by Cognito user pool), and "Control Access" to APIs (Authorization using IAM policy, custom Authorizer, Federated Identity Pool). The question very specifically asks about *Control access to REST APIs* which is a clear case of Authorization and not Authentication. So custom Authorizer using Lambda in API Gateway is the solution. Pls refer to this blog: https://aws.amazon.com/blogs/security/building-fine-grained-authorization-using-amazon-cognito-api-gateway-and-iam/