API Gateway Authentication Options for AWS Certified Developer - Associate Exam:

AWS API Gateway Authentication Options


Question

Your team is developing an API that they want to host using the AWS API gateway service.

They don't want to allow anonymous access and want to have an authentication mechanism in place.

Which of the following can be used for authentication purposes for the API gateway? Choose 3 answers from the options given below.

Answers

A. Lambda authorizers
B. AWS Cognito
C. API keys
D. User names and passwords

Answer - A, B and C.

The AWS Documentation mentions the following.

API Gateway supports multiple mechanisms for controlling access to your API.

Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from the specified source IP addresses or VPC endpoints.

Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods.

Cross-origin resource sharing (CORS) lets you control how your API responds to cross-domain resource requests.

Lambda authorizers are Lambda functions that control access to your API methods using bearer token authentication, as well as request parameters carried in headers, paths, query strings, stage variables, or context variables.

Amazon Cognito user pools let you create customizable authentication and authorization solutions.

Client-side SSL certificates can be used to verify that HTTP requests to your backend system are from API Gateway.

Usage plans let you provide API keys to your customers - and then track and limit the usage of your API stages and methods for each API key.

For more information on controlling access to the API, please refer to the URL below:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html


AWS API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. It offers multiple options for authentication, authorization, and access control to your API, ensuring that only authorized users or applications can access your API.

In this question, the requirement is to have an authentication mechanism in place to prevent anonymous access to the API. The options provided are:

A. Lambda authorizers: A Lambda authorizer is a custom authorizer that uses a Lambda function to authenticate requests to your API. It can be used to perform a wide range of authentication and authorization tasks, such as verifying an OAuth token, checking if a user is authorized to access a particular resource, or validating a JSON Web Token (JWT). Lambda authorizers are flexible and can be used with any identity provider that supports the OAuth 2.0 or OpenID Connect protocols.

B. AWS Cognito: AWS Cognito is a managed service that provides user authentication, authorization, and user management for web and mobile applications. It supports various authentication mechanisms, including username and password, social login, and multi-factor authentication (MFA). Cognito can be used as an identity provider (IDP) for your API Gateway, enabling you to authenticate users before they access your API.

C. API keys: API keys are simple tokens that can be used to authenticate requests to your API. They are usually passed as query parameters or headers in the HTTP request. API keys are suitable for simple authentication scenarios where you only need to restrict access to your API to a set of trusted applications or users. However, API keys are not secure enough for more complex scenarios, as they can be easily shared or stolen.

D. User names and passwords: Usernames and passwords are a common form of authentication that requires users to provide a unique identifier (username) and a secret credential (password) to access a system or resource. While this option may work for authentication in some scenarios, it is not recommended for API Gateway as it can be difficult to manage at scale and can expose security risks such as credential stuffing attacks.

Therefore, the correct answers for this question are A, B, and C. Lambda authorizers, AWS Cognito, and API keys are all valid options for authentication in API Gateway, depending on your specific requirements and use case.
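As an added illustration of option A (example code, not from the page or from AWS), here is a minimal TOKEN-type Lambda authorizer in Python that shows the contract API Gateway enforces: raise "Unauthorized" when the credential is missing (mapped to a 401), and otherwise return an IAM policy that allows or denies execute-api:Invoke on the requested method. The token format, the shared secret and the method ARN are constructed for the demo; a production authorizer would verify a JWT issued by the identity provider instead.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: a real authorizer would load it from Secrets Manager
# or SSM, or verify a JWT against the identity provider's public keys instead.
SECRET = b"demo-shared-secret"


def mint_token(subject, expires_in=300, now=None):
    """Issue a demo token: base64url(JSON claims) + '.' + HMAC-SHA256 hex (constructed format)."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": subject, "exp": now + expires_in}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    payload, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, effect, method_arn, context=None):
    """Response shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},  # forwarded to the backend as $context.authorizer.*
    }


def lambda_handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Exception("Unauthorized")  # API Gateway turns this exact message into a 401
    claims = verify_token(token, now=now)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])  # caller gets a 403
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"sub": claims["sub"]})
```

With authorizer result caching enabled, the Resource in the returned policy should cover every method the cached decision is meant to apply to, not just the single methodArn of the first request.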