AWS Certified Developer – Associate / Question #908 of 557

Question #908

A company hosts an internal API that processes sensitive customer data. The company wants to expose the API publicly while ensuring only employees authenticated via the company's OpenID Connect (OIDC) identity provider (IdP) can access it. A developer must implement authentication without modifying the API. Which combination of steps will meet these requirements? (Choose two.)

A

Create a public Network Load Balancer.

B

Create a public Application Load Balancer.

C

Configure a listener for the load balancer that listens on HTTPS port 443. Add a default authenticate action providing the OIDC IdP configuration.

D

Configure a listener for the load balancer that listens on HTTP port 80. Add a default authenticate action providing the OIDC IdP configuration.

E

Configure a listener for the load balancer that listens on HTTPS port 443. Add a default AWS Lambda action providing an Amazon Resource Name (ARN) to a Lambda authorization function.

Explanation

To expose the API securely without touching its code, the authentication has to happen in front of it, which is exactly what an Application Load Balancer (B) provides: OIDC authentication is a layer-7 listener action (authenticate-oidc) that the ALB performs itself. It redirects unauthenticated users to the IdP, completes the authorization-code exchange, sets its own session cookie, and only then forwards the request to the target group, passing the user's identity and claims to the backend in the x-amzn-oidc-* request headers. The listener must be HTTPS on port 443 (C): the ALB authenticate action is supported only on HTTPS listeners, and TLS keeps the session cookie and tokens off the wire in cleartext.

- Why not A/D/E? A Network Load Balancer (A) operates at layer 4 and has no notion of HTTP requests, cookies or redirects, so it cannot perform OIDC authentication at all. An HTTP listener on port 80 (D) is rejected by the ALB for authenticate actions, and even if it were allowed it would expose the session cookie and tokens in cleartext. Option E describes something an ALB listener does not offer: a Lambda function can be a target of an ALB but not an authorization step in a listener rule (Lambda authorizers belong to Amazon API Gateway), and using one would mean writing and maintaining custom authentication code instead of the built-in IdP integration, which runs against the requirement to authenticate without modifying the API.

Key Points: ALB supports OIDC authentication natively via the authenticate-oidc listener action; that action requires an HTTPS listener; NLBs and Lambda-based authorizers are unsuitable here. Practitioner caveat: the ALB only authenticates traffic that passes through it, so the targets' security group must accept traffic only from the ALB's security group; otherwise the API stays reachable directly with no authentication. If the backend acts on the identity, it should verify the signature of the x-amzn-oidc-data JWT the ALB attaches rather than trust the header blindly.
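The configuration that B and C describe, as an added worked example (not code from the exam page or from AWS): it maps an IdP's OIDC discovery document onto the ALB's AuthenticateOidcConfig, orders the authenticate action before the forward action on an HTTPS/443 listener, and includes a check that flags the misconfigurations the distractors describe (an HTTP listener, a forward with no preceding authenticate step, or OnUnauthenticatedRequest=allow, which lets anonymous traffic through). The ARNs, hostnames, client id and secret are placeholders, the discovery document is constructed, and the boto3 call is shown only as a comment so the module runs offline.

```python
"""Build and sanity-check an ALB HTTPS listener that authenticates against an
OIDC IdP before forwarding to the API's target group (answers B + C).

Added example for this question, not code from the exam page or from AWS.
ARNs, hostnames, client id and secret are placeholder assumptions; the boto3
call is left as a comment so this runs without AWS credentials.
"""

from typing import Any, Dict, List

# Constructed sample of an IdP's OIDC discovery document, i.e. what
# GET <issuer>/.well-known/openid-configuration would return. Hostnames are made up.
SAMPLE_DISCOVERY = {
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "userinfo_endpoint": "https://login.example.com/oauth2/userinfo",
}


def oidc_listener_request(lb_arn: str, cert_arn: str, target_group_arn: str,
                          discovery: Dict[str, str], client_id: str,
                          client_secret: str,
                          on_unauthenticated: str = "authenticate") -> Dict[str, Any]:
    """Return the kwargs for elbv2.create_listener(): HTTPS on 443 with an
    authenticate-oidc default action ordered before the forward action."""
    if on_unauthenticated not in ("authenticate", "deny", "allow"):
        raise ValueError("OnUnauthenticatedRequest must be authenticate, deny or allow")
    return {
        "LoadBalancerArn": lb_arn,
        "Protocol": "HTTPS",  # authenticate-oidc is only supported on HTTPS listeners
        "Port": 443,
        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "Certificates": [{"CertificateArn": cert_arn}],
        "DefaultActions": [
            {
                "Type": "authenticate-oidc",
                "Order": 1,  # must run before the forward action
                "AuthenticateOidcConfig": {
                    # ALB fields map one-to-one onto the discovery document
                    "Issuer": discovery["issuer"],
                    "AuthorizationEndpoint": discovery["authorization_endpoint"],
                    "TokenEndpoint": discovery["token_endpoint"],
                    "UserInfoEndpoint": discovery["userinfo_endpoint"],
                    "ClientId": client_id,
                    "ClientSecret": client_secret,
                    "Scope": "openid",
                    "SessionTimeout": 8 * 3600,  # seconds; the AWS default is 7 days
                    "OnUnauthenticatedRequest": on_unauthenticated,
                },
            },
            {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
        ],
    }


def check_listener(req: Dict[str, Any]) -> List[str]:
    """Flag the misconfigurations the distractors describe; returns [] when clean."""
    problems: List[str] = []
    if req.get("Protocol") != "HTTPS":
        problems.append("authenticate-oidc is only supported on HTTPS listeners")
    actions = sorted(req.get("DefaultActions", []), key=lambda a: a.get("Order", 0))
    types = [a["Type"] for a in actions]
    if not types or types[0] != "authenticate-oidc":
        problems.append("first default action must be authenticate-oidc")
    if "forward" not in types or types[-1] != "forward":
        problems.append("last default action must forward to the API target group")
    for action in actions:
        if action["Type"] == "authenticate-oidc":
            cfg = action["AuthenticateOidcConfig"]
            if not cfg["Issuer"].startswith("https://"):
                problems.append("issuer must be an https URL")
            if cfg.get("OnUnauthenticatedRequest") == "allow":
                problems.append("OnUnauthenticatedRequest=allow lets anonymous traffic through")
    return problems


if __name__ == "__main__":
    # Placeholder ARNs (assumptions); replace with real ones before calling AWS.
    req = oidc_listener_request(
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/api/abc123",
        "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/api/def456",
        SAMPLE_DISCOVERY, "alb-api-client", "REPLACE_WITH_CLIENT_SECRET")
    print("problems:", check_listener(req))
    # import boto3
    # boto3.client("elbv2").create_listener(**req)
```

Keep the forward action last: the ALB evaluates default actions in Order, so a forward placed before the authenticate step would send unauthenticated traffic to the API. For programmatic clients that cannot follow a browser redirect, set on_unauthenticated="deny" so the ALB returns 401 instead of bouncing them to the IdP.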

Answer

The correct answer is: BC