Question #932
A company is building a serverless application using Amazon API Gateway HTTP API. They need to ensure that only authenticated users can invoke specific routes, and the authentication tokens must automatically expire and be refreshed periodically. Which approach meets these requirements?
Set up an Amazon Cognito identity pool, use the Cognito Authorizer in API Gateway, and utilize the temporary AWS credentials from the identity pool.
Implement a custom Lambda authorizer that validates tokens stored in a DynamoDB table, which are issued during user login and refreshed manually.
Configure an Amazon Cognito user pool, integrate it with API Gateway using a JWT authorizer, and use the issued access or identity tokens.
Create IAM roles for each user, attach a resource-based policy to the API Gateway, and use IAM authorization.
Explanation
Option C is correct because:
- Amazon Cognito user pools issue JSON Web Tokens (an ID token and an access token) with a configurable lifetime, plus a longer-lived refresh token. When the access/ID tokens expire, the client exchanges the refresh token for new ones (the REFRESH_TOKEN_AUTH flow), so renewal happens periodically without re-issuing tokens by hand.
- The HTTP API JWT authorizer verifies the token's signature against the user pool's JWKS endpoint and checks the issuer, audience and expiry claims before the request reaches the integration. It is attached per route, so only the routes that require authentication demand a token.
Other options fail because:
- A: Cognito identity pools exchange an identity for temporary AWS credentials (an IAM role). Those credentials are used with IAM (SigV4) authorization, not with a token authorizer, and the identity pool does not issue the user pool JWTs an authorizer would validate.
- B: A custom Lambda authorizer that looks tokens up in DynamoDB can work, but with tokens refreshed manually it does not satisfy the automatic expiration/refresh requirement, and it reimplements what the user pool already provides.
- D: Creating an IAM role per user does not scale, and IAM authorization requires SigV4-signed requests with AWS credentials rather than bearer JWTs. HTTP APIs also do not support resource-based policies; those are a REST API feature.
Key Points: Use a Cognito user pool for JWT-based authentication with expiring access/ID tokens and a refresh token for renewal, and attach API Gateway's JWT authorizer to the HTTP API routes that need protection.
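The following AWS SAM template is an added example illustrating the answer; it is not part of the original question and not AWS's own sample. It wires a Cognito user pool and app client with explicit token lifetimes to an HTTP API whose default authorizer is a JWT authorizer, protects /orders with it, and leaves /health open. The resource names, the 1-hour/30-day lifetimes, the /orders and /health routes and the Python handler are assumptions for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-users        # assumed name
      AutoVerifiedAttributes: [email]

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref UserPool
      ClientName: example-web            # assumed name
      GenerateSecret: false
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH       # needed so clients can renew expired tokens
      # Access and ID tokens expire after 1 hour; the refresh token after 30 days
      # (assumed values). A client presents the refresh token via the
      # REFRESH_TOKEN_AUTH flow to obtain fresh access/ID tokens.
      TokenValidityUnits:
        AccessToken: hours
        IdToken: hours
        RefreshToken: days
      AccessTokenValidity: 1
      IdTokenValidity: 1
      RefreshTokenValidity: 30

  HttpApi:
    Type: AWS::Serverless::HttpApi
    Properties:
      Auth:
        Authorizers:
          CognitoJwt:
            # Bearer token is read from the Authorization header
            IdentitySource: $request.header.Authorization
            JwtConfiguration:
              # The authorizer fetches the user pool's JWKS from this issuer
              # and rejects tokens whose iss, aud/client_id or exp do not match.
              issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}
              audience:
                - !Ref UserPoolClient
        # Every route is protected unless it opts out explicitly
        DefaultAuthorizer: CognitoJwt

  OrdersFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler               # assumed handler
      CodeUri: ./src
      Events:
        ListOrders:
          Type: HttpApi
          Properties:
            ApiId: !Ref HttpApi
            Path: /orders
            Method: GET
            Auth:
              Authorizer: CognitoJwt     # authenticated users only
        Health:
          Type: HttpApi
          Properties:
            ApiId: !Ref HttpApi
            Path: /health
            Method: GET
            Auth:
              Authorizer: NONE           # public route; no token required

Outputs:
  ApiUrl:
    Value: !Sub https://${HttpApi}.execute-api.${AWS::Region}.amazonaws.com
  ClientId:
    Value: !Ref UserPoolClient
```

Two details worth checking after deployment: the JWT authorizer matches the configured audience against either the `aud` claim (present in ID tokens) or the `client_id` claim (present in access tokens), so both token types issued to this app client are accepted; and a route can be narrowed further with `AuthorizationScopes`, which requires the user pool to define a resource server whose scopes appear in the access token.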
Answer
The correct answer is: C