What should the developer do to meet this requirement?
Add a listener rule to the listener to return a fixed response if the Authorization header is missing. Set the fixed response to 401 Unauthorized.
Create an authentication action for the listener rules of the ALB. Set the rule action type to authenticate-cognito. Set the OnUnauthenticatedRequest field to “deny.”
Create an Amazon API Gateway API. Configure all API methods to be forwarded to the ALB endpoint. Create an authorizer of the COGNITO_USER_POOLS type. Configure every API method to use that authorizer.
Create a new target group that includes an AWS Lambda function target that validates the Authorization header by using Amazon Cognito. Associate the target group with the listener.
Explanations:
A fixed response of 401 Unauthorized only checks that an Authorization header is present; it never validates the credential with Amazon Cognito, so a request carrying any value in that header would be forwarded to the targets. This is not sufficient for securing the API.
The correct approach is the ALB’s built-in authenticate-cognito listener rule action, ordered before the forward action so that authentication runs first. Setting “OnUnauthenticatedRequest” to “deny” makes the ALB reject unauthenticated requests with a 401 response instead of redirecting them to the Cognito hosted login page, which is the default (“authenticate”) behaviour and is unsuitable for an API called by non-browser clients.
API Gateway can authenticate requests with a COGNITO_USER_POOLS authorizer, but putting a new API Gateway in front of the ALB introduces a separate service and an extra hop to configure and operate. The ALB itself can be configured to authenticate with Cognito directly.
Using an AWS Lambda function target to validate the Authorization header is possible but unnecessarily complex: the developer would have to implement and maintain token validation (signature, expiry and audience checks) in code. The ALB’s built-in Cognito authentication action is simpler and more efficient.
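As an added example, not code from the original page or from AWS, the recommended listener rule expressed as the Actions list that boto3’s elbv2 create_rule() accepts, together with an offline audit of rule definitions in the shape elbv2 describe_rules() returns. The audit flags the two mistakes discussed above: a rule with no authenticate-cognito action in front of the forward action, and OnUnauthenticatedRequest left at its default. All ARNs, the client ID and the domain are placeholders, and no AWS calls are made.

```python
"""Added example: build and audit ALB authenticate-cognito listener rules.

The dict shapes follow boto3 elbv2.create_rule() input and describe_rules()
output. Every identifier below is a made-up placeholder (assumption), and
nothing here talks to AWS.
"""

# Placeholder identifiers (assumptions, not real resources).
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
USER_POOL_CLIENT_ID = "1example23456789"
USER_POOL_DOMAIN = "example-api"
TARGET_GROUP_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/api/abc123"


def cognito_rule_actions(user_pool_arn, client_id, domain, target_group_arn):
    """Actions list for a rule that authenticates with Cognito, then forwards.

    Order 1 must be the authentication action. "deny" makes the ALB answer
    unauthenticated requests with 401 instead of redirecting to the hosted UI.
    """
    return [
        {
            "Type": "authenticate-cognito",
            "Order": 1,
            "AuthenticateCognitoConfig": {
                "UserPoolArn": user_pool_arn,
                "UserPoolClientId": client_id,
                "UserPoolDomain": domain,
                "OnUnauthenticatedRequest": "deny",
                "Scope": "openid",
                "SessionTimeout": 3600,
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


def audit_rule(rule):
    """Return findings for one rule dict (describe_rules() shape).

    An empty list means the rule enforces Cognito authentication as intended.
    """
    findings = []
    actions = sorted(rule.get("Actions", []), key=lambda a: a.get("Order", 0))
    auth = [a for a in actions if a.get("Type") == "authenticate-cognito"]
    forward = [a for a in actions if a.get("Type") == "forward"]

    if not auth:
        findings.append("no authenticate-cognito action: requests are forwarded unauthenticated")
        return findings

    if forward and actions.index(forward[0]) < actions.index(auth[0]):
        findings.append("forward action ordered before authenticate-cognito: authentication never runs")

    # When the field is omitted the ALB defaults to "authenticate" (login redirect).
    mode = auth[0].get("AuthenticateCognitoConfig", {}).get("OnUnauthenticatedRequest", "authenticate")
    if mode == "allow":
        findings.append('OnUnauthenticatedRequest is "allow": unauthenticated requests reach the API')
    elif mode != "deny":
        findings.append('OnUnauthenticatedRequest is "%s": API clients get a login redirect, not 401' % mode)
    return findings


# Constructed sample rules, as describe_rules() would return them.
GOOD_RULE = {
    "Priority": "10",
    "Actions": cognito_rule_actions(USER_POOL_ARN, USER_POOL_CLIENT_ID, USER_POOL_DOMAIN, TARGET_GROUP_ARN),
}
FORWARD_ONLY_RULE = {
    "Priority": "20",
    "Actions": [{"Type": "forward", "Order": 1, "TargetGroupArn": TARGET_GROUP_ARN}],
}
DEFAULT_MODE_RULE = {
    "Priority": "30",
    "Actions": [
        {
            "Type": "authenticate-cognito",
            "Order": 1,
            "AuthenticateCognitoConfig": {
                "UserPoolArn": USER_POOL_ARN,
                "UserPoolClientId": USER_POOL_CLIENT_ID,
                "UserPoolDomain": USER_POOL_DOMAIN,
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": TARGET_GROUP_ARN},
    ],
}

if __name__ == "__main__":
    for rule in (GOOD_RULE, FORWARD_ONLY_RULE, DEFAULT_MODE_RULE):
        print(rule["Priority"], audit_rule(rule) or "ok")
```

In a real account the audit would be fed the rules from `elbv2.describe_rules(ListenerArn=...)`; the sample rules above only stand in for that output.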