Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

By:
In: DVA-C01
Tagged:
With: 2 Comments
A company’s developer is creating an application that uses Amazon API Gateway.The company wants to ensure that only users in the Sales department can use the application.The users authenticate to the application by using federated credentials from a third-party identity provider (ldP) through Amazon Cognito.The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application.The developer is denied access.The developer then updates their department to Sales in the IdP and attempts to log in.Again, the developer is denied access.The developer checks the logs and discovers that access is being denied because the developer’s access token has a department value of Engineering.

Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

Authorization caching is enabled in the custom Lambda authorizer.

Authorization caching is enabled on the Amazon Cognito user pool.

The IAM role for the custom Lambda authorizer does not have a Department tag.

The IAM role for the Amazon Cognito user pool does not have a Department tag.

Explanations:

Authorization caching in the custom Lambda authorizer could cause it to reuse old data, such as the outdated “Engineering” department attribute. This means that even after the developer updates the department in the IdP, the cached authorization data from the previous session might still be used.

Authorization caching in the Amazon Cognito user pool would affect authentication but not the department attribute passed to the Lambda authorizer. The issue here lies with the authorizer, not the Cognito user pool caching.

The IAM role for the custom Lambda authorizer does not need a Department tag. The authorizer’s function is to validate the claims (such as the Department attribute) passed in the token, not rely on IAM role tags for this purpose.

The IAM role for the Amazon Cognito user pool does not need a Department tag to pass the Department attribute to the Lambda authorizer. The mapping of the attribute is handled in Cognito settings, not by IAM role tags.

2026-04-01

2 Comments

  1. Paul
    Author

    I calculate that the answer is:
    Authorization caching is enabled in the custom Lambda authorizer.

  2. Aaron
    Author

    I compute that the answer is:
    Authorization caching is enabled in the custom Lambda authorizer.

Leave a Reply

Your email address will not be published. Required fields are marked *

eight − 6 =