Question #1811
A mobile application development company uses Amazon VPC to host its backend services. The company needs to provide secure access to RESTful APIs for millions of users, requiring authentication via a dedicated user identity service. Which solution offers the MOST operational efficiency while meeting these requirements?
Use IAM roles for user authentication. Deploy Amazon API Gateway HTTP APIs with an IAM authorizer.
Configure an Amazon Cognito user pool for user authentication. Deploy Amazon API Gateway REST APIs with a Cognito authorizer.
Configure an Amazon Cognito identity pool for user authentication. Deploy Amazon API Gateway HTTP APIs with a Cognito authorizer.
Implement a custom AWS Lambda function for user authentication. Deploy Amazon API Gateway REST APIs with a Lambda authorizer.
Explanation
The correct answer is A because:
- Amazon Cognito User Pools are purpose-built for user authentication, offering features like user registration, sign-in, and token management, which aligns with the requirement for a dedicated user identity service.
- API Gateway REST APIs with Cognito Authorizer enable seamless integration with Cognito User Pools. The authorizer automatically validates JWT tokens issued by Cognito, ensuring secure access to APIs without custom code.
- Operational Efficiency: Cognito and API Gateway are fully managed services, eliminating the need to maintain servers or custom authentication logic, which is critical for scaling to millions of users.
Why other options are incorrect:
- B: Cognito Identity Pools (now "Identity Pools") grant temporary AWS credentials for accessing AWS services; they are not meant for user authentication. HTTP APIs are less feature-rich than REST APIs for this use case.
- C: A custom Lambda authorizer introduces operational complexity and maintenance overhead compared to a managed Cognito solution.
- D: IAM roles are unsuitable for end-user authentication, as they require AWS credentials, which are impractical for mobile users.
Key Points:
- Use Cognito User Pools for user authentication.
- Pair with API Gateway REST APIs and Cognito Authorizer for secure, scalable API access.
- Avoid custom solutions or IAM for large-scale end-user authentication.
Answer
The correct answer is: A