How can a developer meet these requirements?
Create an Amazon Cognito identity pool, configure the Amazon Cognito Authorizer in API Gateway, and use the temporary credentials generated by the identity pool.
Create and maintain a database record for each user with a corresponding token and use an AWS Lambda authorizer in API Gateway.
Create an Amazon Cognito user pool, configure the Cognito Authorizer in API Gateway, and use the identity or access token.
Create an IAM user for each API user, attach an invoke permissions policy to the API, and use an IAM authorizer in API Gateway.
Explanations:
An Amazon Cognito identity pool exchanges an identity (a user pool sign-in, a third-party identity provider, or an unauthenticated guest) for temporary AWS credentials that the client then uses to sign AWS requests. It does not handle sign-up, sign-in, or issuing application tokens; that is the job of a user pool. The Cognito authorizer in API Gateway (the COGNITO_USER_POOLS authorizer type) validates user pool tokens, not identity pool credentials; calling the API with identity pool credentials would require IAM authorization on the methods instead, so this option combines the wrong pieces.
Keeping a database record per user with a stored token means building token issuance, expiry, refresh and revocation yourself, and the token table becomes a high-value target. A Lambda authorizer can validate such tokens, but it adds a Lambda invocation (with its latency and cost) to every request whose authorization result is not already cached, and it is custom code that must be maintained, whereas a user pool with the managed authorizer provides the same validation without it.
An Amazon Cognito user pool is a managed user directory that handles registration, sign-in and multi-factor authentication, and issues a short-lived ID token and access token together with a longer-lived refresh token, so tokens expire automatically and the client can obtain new ones without the user signing in again. With the Cognito authorizer configured on the API Gateway method, API Gateway validates the presented ID or access token (signature against the user pool's published keys, issuer and expiry) before invoking the backend, so only registered users can reach the API resources.
Creating an IAM user for every application user does not scale (an account allows 5,000 IAM users by default) and goes against AWS guidance: IAM users and roles are for people and workloads that administer or access AWS resources, not for an application's end users. IAM user access keys are long-lived and are not expired or refreshed automatically, so this option would not provide automatic token expiration and refresh either.
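To make the user pool answer concrete, the following Go program (an added example, not code from this page or from AWS) mints RS256 tokens shaped like a user pool's ID and access tokens and then applies the checks a COGNITO_USER_POOLS authorizer applies before the backend runs: signature against the pool's key set selected by kid, issuer, expiry, and token_use/audience, with scopes required on the method or not. The issuer URL, app client ID and signing key are constructed stand-ins (a real pool's key set is fetched from <issuer>/.well-known/jwks.json), and authorize is a simplified model of the managed authorizer's behaviour, not its implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed stand-ins for a real pool's issuer URL and app client ID (assumptions for this
// example; a real issuer looks like https://cognito-idp.<region>.amazonaws.com/<pool-id>).
const (
	poolIssuer  = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
	appClientID = "example-app-client-id"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// newSigningKey generates a key pair standing in for the pool's signing key and returns it with
// the key set keyed by kid; a real authorizer builds that set from the n/e values the pool
// publishes at <issuer>/.well-known/jwks.json.
func newSigningKey(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	return priv, map[string]*rsa.PublicKey{kid: &priv.PublicKey}, nil
}

// idClaims and accessClaims mirror the claims a pool puts in its ID and access tokens,
// reduced to the fields the checks below use.
func idClaims(sub string, exp time.Time) map[string]interface{} {
	return map[string]interface{}{"iss": poolIssuer, "sub": sub, "aud": appClientID, "token_use": "id", "exp": exp.Unix()}
}

func accessClaims(sub, scope string, exp time.Time) map[string]interface{} {
	return map[string]interface{}{"iss": poolIssuer, "sub": sub, "client_id": appClientID, "token_use": "access", "scope": scope, "exp": exp.Unix()}
}

// mintToken signs header.claims with RS256 the way the user pool does.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil { return "", err }
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// claims holds the token fields the authorizer inspects (encoding/json matches untagged names case-insensitively).
type claims struct {
	Iss, Sub, Aud, Scope string
	ClientID             string  `json:"client_id"`
	TokenUse             string  `json:"token_use"`
	Exp                  float64 `json:"exp"`
}

// authorize applies the checks a COGNITO_USER_POOLS authorizer applies before the backend runs:
// signature against the pool's key set, issuer, expiry, then token_use and audience. With
// requiredScopes set an access token carrying every scope is needed; with none set an ID token
// issued to this app client is needed. It returns the caller's sub.
func authorize(token string, jwks map[string]*rsa.PublicKey, requiredScopes []string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("bad header or unsupported alg") // never honour alg=none or HS256
	}
	pub, ok := jwks[hdr.Kid] // the verification key is chosen by kid from the pool's key set
	if !ok { return "", errors.New("unknown kid") }
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c claims // claims are only worth reading once the signature checks out
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad claims")
	}
	if c.Iss != poolIssuer { return "", errors.New("not issued by this user pool") }
	if now.Unix() >= int64(c.Exp) { return "", errors.New("token expired") }
	if len(requiredScopes) == 0 { // no scopes on the method: an ID token for this client is required
		if c.TokenUse != "id" || c.Aud != appClientID { return "", errors.New("ID token for this app client required") }
		return c.Sub, nil
	}
	if c.TokenUse != "access" || c.ClientID != appClientID { return "", errors.New("access token for this app client required") }
	granted := map[string]bool{}
	for _, s := range strings.Fields(c.Scope) { granted[s] = true }
	for _, s := range requiredScopes {
		if !granted[s] { return "", fmt.Errorf("missing scope %q", s) }
	}
	return c.Sub, nil
}
```

In a deployed API none of this is written by the developer: the checks run inside API Gateway once the authorizer is attached to the method, and the client only has to send the token in the configured identity source header (Authorization by default). The example exists to show what "using the identity or access token" buys you over a home-grown token table: signature verification against keys the pool publishes, automatic rejection once exp passes, and refusal of tokens minted for another pool or another app client.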