AWS Certified Developer – Associate / Question #796 of 557

Question #796

A developer is deploying a web application behind an internet-facing Application Load Balancer (ALB) with an HTTPS listener. The developer has set up an Amazon Cognito user pool and needs to ensure that all access to the application is authenticated through Amazon Cognito.

What should the developer implement to meet this requirement?

A

Configure a listener rule to return a 403 Forbidden response if the Authorization header is missing.

B

Add an authentication action to the ALB listener rules with action type authenticate-cognito. Set OnUnauthenticatedRequest to "deny".

C

Use Amazon API Gateway with a Cognito user pool authorizer, forwarding requests to the ALB.

D

Create a Lambda function to validate the Cognito token in the Authorization header and attach it as a target to a new ALB listener.

Explanation

Answer B is correct because the Application Load Balancer (ALB) natively supports Amazon Cognito integration via listener rules. By configuring an authentication action with type 'authenticate-cognito', the ALB handles user authentication through the Cognito user pool. Setting 'OnUnauthenticatedRequest' to 'deny' blocks unauthenticated requests, ensuring only authenticated users access the application.

Option A is incorrect because manually checking the Authorization header does not leverage ALB's built-in Cognito integration and may not handle session cookies properly. Option C introduces unnecessary complexity by adding API Gateway, which is not required since ALB can directly integrate with Cognito. Option D uses a Lambda function for token validation, which is less efficient compared to ALB's native authentication capabilities. The key takeaway is that ALB's 'authenticate-cognito' action is the standard and recommended method for enforcing Cognito authentication at the load balancer level.
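The listener-rule configuration behind answer B, written here as an added example (not code from the original question or from AWS): it builds the Actions list that `boto3` `elbv2.create_rule` expects, with the weak `allow` setting flagged by a small review check, and every ARN, client id and domain prefix is a constructed placeholder.

```python
"""Build and sanity-check the Actions list for an ALB listener rule that
enforces Amazon Cognito authentication (authenticate-cognito, then forward).
All ARNs, ids and the domain prefix are constructed placeholders."""
from typing import Any

# Constructed placeholder identifiers, not values from any real account.
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
USER_POOL_CLIENT_ID = "1example23456789abcdef"
USER_POOL_DOMAIN = "my-app-auth"  # <prefix>.auth.<region>.amazoncognito.com
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/0123456789abcdef"


def build_rule_actions(on_unauthenticated: str = "deny") -> list[dict[str, Any]]:
    """Actions for elbv2.create_rule on an HTTPS listener (the authenticate
    action is only supported on HTTPS listeners). Order 1 authenticates;
    the forward action at Order 2 is reached only by authenticated requests."""
    return [
        {
            "Type": "authenticate-cognito",
            "Order": 1,
            "AuthenticateCognitoConfig": {
                "UserPoolArn": USER_POOL_ARN,
                "UserPoolClientId": USER_POOL_CLIENT_ID,
                "UserPoolDomain": USER_POOL_DOMAIN,
                "Scope": "openid",
                "SessionCookieName": "AWSELBAuthSessionCookie",
                "SessionTimeout": 3600,
                # "deny": unauthenticated clients get HTTP 401 (the answer here).
                # "authenticate" (default): redirect to the Cognito hosted UI.
                # "allow": unauthenticated requests reach the target; the weak setting.
                "OnUnauthenticatedRequest": on_unauthenticated,
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": TARGET_GROUP_ARN},
    ]


def enforces_cognito(actions: list[dict[str, Any]]) -> bool:
    """Review check: True only if no request can reach the forward action
    without first passing through Cognito authentication."""
    ordered = sorted(actions, key=lambda a: a.get("Order", 0))
    if not ordered or ordered[0]["Type"] != "authenticate-cognito":
        return False
    cfg = ordered[0].get("AuthenticateCognitoConfig", {})
    return cfg.get("OnUnauthenticatedRequest") in ("deny", "authenticate")
```

Pass the returned list as `Actions=` to `create_rule` (with `ListenerArn`, `Priority` and `Conditions`) on the HTTPS listener; a rule whose `OnUnauthenticatedRequest` is `allow` fails the check because it lets unauthenticated traffic through to the application.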

Answer

The correct answer is: B