Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

By:
On:
In: DVA-C02
Tagged:
With: 0 Comments
A company’s developer is creating an application that uses Amazon API Gateway.The company wants to ensure that only users in the Sales department can use the application.The users authenticate to the application by using federated credentials from a third-party identity provider (IdP) through Amazon Cognito.The developer has set up an attribute mapping to map an attribute that is named Department and to pass the attribute to a custom AWS Lambda authorizer.To test the access limitation, the developer sets their department to Engineering in the IdP and attempts to log in to the application.The developer is denied access.The developer then updates their department to Sales in the IdP and attempts to log in.Again, the developer is denied access.The developer checks the logs and discovers that access is being denied because the developer’s access token has a department value of Engineering.

Which of the following is a possible reason that the developer’s department is still being reported as Engineering instead of Sales?

Authorization caching is enabled in the custom Lambda authorizer.

Authorization caching is enabled on the Amazon Cognito user pool.

The IAM role for the custom Lambda authorizer does not have a Department tag.

The IAM role for the Amazon Cognito user pool does not have a Department tag.

Explanations:

Authorization caching in the custom Lambda authorizer may be causing the function to return a cached response with the old department value (Engineering) instead of the updated value (Sales). If the authorizer does not invalidate its cache upon receiving a new access token, it will continue to use the previously cached result.

Authorization caching on the Amazon Cognito user pool would not directly affect the department attribute passed to the custom Lambda authorizer. The user pool manages user authentication but does not cache the values that the authorizer uses for authorization checks.

The IAM role for the custom Lambda authorizer does not need a Department tag to function correctly regarding the department value in the access token. IAM role tags are used for resource-based policies and do not influence how the authorizer processes token attributes.

Similar to option C, the IAM role for the Amazon Cognito user pool does not need a Department tag for the application to function correctly. Tags are not related to the actual attribute mapping and the authorization process.

Leave a Reply

Your email address will not be published. Required fields are marked *

three × 2 =