Which set of strategies should a solutions architect use?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company wants to host a global web application on AWS.It has the following design requirements:* The access pattern must allow for fetching data from multiple data sources.* Minimize the cost of API calls.* Keep page load times to within 50 ms.* Provide user authentication and authorization and manage data access for different user personas (for example, administrator, manager, or engineer).* Use a serverless design.

Which set of strategies should a solutions architect use?

Use Amazon CloudFront with Amazon S3 to host the web application. Use Amazon API Gateway to build the application APIs with AWS Lambda for the custom authorizer. Authorize data access by performing user lookup in Simple AD.

Use Amazon CloudFront with AWS WAF to host the web application. Use AWS AppSync to build the application APIs. Use IAM groups for each user persona. Authorize data access by leveraging IAM groups in AWS AppSync resolvers.

Use Amazon CloudFront with Amazon S3 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for each user persona. Authorize data access by leveraging Amazon Cognito groups in AWS AppSync resolvers.

Use AWS Direct Connect with Amazon S3 to host the web application. Use Amazon API Gateway to build the application APIs. Use AWS Lambda for custom authentication and authorization. Authorize data access by leveraging IAM roles.

Explanations:

This option uses Amazon Simple AD for user lookup, which is not ideal for managing fine-grained access control in a serverless architecture. Simple AD does not provide the flexibility needed to integrate seamlessly with AWS Lambda or API Gateway for complex access control. Using AWS Cognito would be a better choice for authentication and authorization.

While AWS AppSync is a good choice for building APIs and managing data access, using IAM groups in AppSync resolvers is not an optimal way to handle user authorization. AWS AppSync is designed to integrate with more sophisticated user management systems like Amazon Cognito, which provides better control for different personas.

This option correctly leverages Amazon CloudFront for hosting the web application, Amazon S3 for static content, and AWS AppSync for building the API. Amazon Cognito is used for user authentication and management, and its groups are leveraged in AppSync to authorize data access for different user personas. This design is serverless, cost-effective, and fast.

While API Gateway and Lambda are good for custom API implementations, using AWS Direct Connect to host a web application is overkill and adds unnecessary complexity and cost. Additionally, relying on IAM roles for user authentication and authorization is not ideal in this case; Amazon Cognito would provide a more efficient and scalable solution for managing users and their access.

2025-10-10

1 Comment

  1. Patrick
    Author

    My best guess is:
    Use Amazon CloudFront with Amazon S3 to host the web application. Use AWS AppSync to build the application APIs. Use Amazon Cognito groups for each user persona. Authorize data access by leveraging Amazon Cognito groups in AWS AppSync resolvers.

Leave a Reply

Your email address will not be published. Required fields are marked *

two × three =