What should the developer do to meet this requirement?

By:
In: DVA-C02
Tagged:
With: 1 Comment
A developer created a web API that receives requests by using an internet-facing Application Load Balancer (ALB) with an HTTPS listener.The developer configures an Amazon Cognito user pool and wants to ensure that every request to the API is authenticated through Amazon Cognito.

What should the developer do to meet this requirement?

Add a listener rule to the listener to return a fixed response if the Authorization header is missing. Set the fixed response to 401 Unauthorized.

Create an authentication action for the listener rules of the ALSet the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to “deny.”

Create an Amazon API Gateway API. Configure all API methods to be forwarded to the ALB endpoint. Create an authorizer of the COGNITO_USER_POOLS type. Configure every API method to use that authorizer.

Create a new target group that includes an AWS Lambda function target that validates the Authorization header by using Amazon Cognito. Associate the target group with the listener.

Explanations:

Adding a listener rule to return a fixed response if the Authorization header is missing does not authenticate requests. Instead, it simply denies access by returning a 401 Unauthorized response, which does not enforce authentication through Amazon Cognito.

Creating an authentication action for the ALB listener rules with the action type set to authenticate-cognito effectively enforces authentication for all requests. Setting the OnUnauthenticatedRequest field to “deny” ensures that any unauthenticated requests are blocked, thus meeting the requirement for authentication through Amazon Cognito.

While creating an Amazon API Gateway API with a Cognito authorizer could enforce authentication, this solution involves additional complexity and does not directly integrate with the ALB setup as required. The requirement is specifically to authenticate requests via the ALB, not to use an intermediary API Gateway.

Creating a target group with a Lambda function to validate the Authorization header adds unnecessary complexity and does not directly utilize Amazon Cognito for authentication. It also introduces latency and does not conform to the simpler and more efficient method of using the ALB’s built-in authentication capabilities.

2025-10-16

1 Comment

  1. Olivia
    Author

    From what I’ve heard, the answer is:
    Create an authentication action for the listener rules of the ALSet the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to “deny.”

Leave a Reply to Olivia Cancel reply

Your email address will not be published. Required fields are marked *

five × two =