Question #809
A company’s developer is creating an application that uses Amazon API Gateway. The company wants to ensure that only users in the Development team can access the application. The users authenticate via a third-party identity provider (IdP) through Amazon Cognito, with an attribute mapping for a 'Team' attribute passed to a custom AWS Lambda authorizer. The developer tests by changing their team from Support to Development in the IdP but is denied access. The logs indicate the access token still reflects a team value of Support. Which of the following is a possible reason the developer’s team is still reported as Support instead of Development?
Authorization caching is enabled in the custom Lambda authorizer.
Authorization caching is enabled on the Amazon Cognito user pool.
The IAM role for the custom Lambda authorizer does not have a Team tag.
The IAM role for the Amazon Cognito user pool does not have a Team tag.
Explanation
Answer B is correct because Amazon Cognito user pools can cache authorization tokens. When the developer changes their 'Team' attribute in the IdP, Cognito may still serve the older cached token until the cache duration expires. This explains why the access token retains the 'Support' value despite the update.
Option A is incorrect because Lambda authorizer caching affects policy decisions, not the token's attribute values. Options C and D are irrelevant because IAM role tags do not influence user attribute mappings or token generation. Key takeaway: Cognito's token caching can delay attribute updates, requiring cache expiration or token refresh to reflect changes.
Answer
The correct answer is: B