Home › AWS Developer Associate › cloudcomputing › awsdevsecurity › An API Gateway REST API needs to require a valid…
An API Gateway REST API needs to require a valid Amazon Cognito ID token on every call. Which method-level option does that with the least custom code?
ADisable auth and validate the token inside every downstream service
BConfigure a Cognito User Pool authoriser on each protected method
CWrite a custom Lambda authoriser that validates the JWT itself
DTrust the client to always send valid tokens — no server-side check
Answer & Solution
Correct answer: B. Configure a Cognito User Pool authoriser on each protected method
API Gateway has a first-class Cognito User Pool authoriser that validates the user-pool-issued JWT before the request reaches the integration. Custom Lambda authorisers are a fallback for non-Cognito IdPs. The other options are insecure.
Related questions
An S3 bucket policy grants `s3:GetObject` only when the request includes a specific VPC enWhich approach correctly handles environment-specific configuration (DB endpoints, featureAn application must encrypt user-uploaded files in S3 with a key the customer controls (CMWhich IAM feature lets a developer's IAM role temporarily "impersonate" a service-account-A Lambda function reads database credentials at cold start from AWS Secrets Manager and caWhich IAM construct is best for granting a CodeBuild project the right to read from one spWhich AWS service issues, manages, and auto-renews public TLS certificates for use with ALA static website served from S3 must allow time-limited downloads to authenticated users w