Your application backend services are hosted on AWS and provide several REST API methods managed via AWS API Gateway.
You've decided to start using AWS Cognito for your application's user management. What combination of steps is required to properly authorize a call to one of the REST API methods using an access token? (Select TWO)
A. B. C. D.
Answer: A and D.
Option A is CORRECT because the first step to integrating API Gateway with AWS Cognito is to create a new Cognito User Pool authorizer on the API.
Option B is incorrect because the Cognito User Pool authorizer must be created and not the Identity Pool.
Option C is incorrect because mapping $context.authorizer.claims.email into the integration request only forwards a claim to the backend after the call has already been authorized; it plays no part in authorization. The email claim is also only present in identity tokens, not in Cognito access tokens.
Option D is CORRECT because OAuth scopes must be configured on the API method so that API Gateway can compare them against the scope claim of the incoming access token; without scopes on the method, API Gateway expects an identity token instead.
Reference:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
To properly authorize a call to one of the REST API methods using a Cognito access token, the following steps need to be taken:
Create a COGNITO_USER_POOLS authorizer: An authorizer is what API Gateway uses to authenticate the caller before the request reaches the backend. A COGNITO_USER_POOLS authorizer is created on the API, pointed at the user pool, and reads the JWT from the configured identity source (by default the Authorization header). API Gateway then verifies the token itself: signature against the user pool's published keys, issuer, expiry and, when scopes are configured on the method, the token type and scope claim. Unlike a Lambda authorizer, it does not return an IAM policy.
Do not confuse this with passing claims to the backend: A mapping such as $context.authorizer.claims.email in the Integration Request is optional and only forwards a claim to the backend service once the call has been authorized. It is not one of the required steps, and with an access token the email claim is not even available, because Cognito access tokens carry claims such as sub, username, client_id, token_use and scope rather than profile attributes.
Configure a single-space separated list of OAuth Scopes on the API method: OAuth scopes define which access a token grants to a resource. API Gateway authorizes the call if any one of the method's scopes appears in the token's scope claim; if scopes are configured, the client must present an access token rather than an identity token. To configure the scopes on the API method, the following steps should be taken:
a) Go to the API Gateway console and select the API method that needs to be authorized. b) Click on the Method Request card. c) Open the Settings (Authorization Settings) section. d) For Authorization, select the Cognito user pool authorizer created in the previous step (COGNITO_USER_POOLS), not AWS_IAM. e) In the OAuth Scopes field that appears, enter a single-space separated list of the scopes that are required to access the API method, using their full names (for example resource-server-identifier/scope). f) Click the Save button, then deploy the API to the stage so the change takes effect.
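The following is an added example, not code from the original page or from AWS: a local re-creation of the decision a COGNITO_USER_POOLS authorizer makes once OAuth scopes are configured on a method, so that the four failure modes above (identity token instead of access token, non-matching scope, expired token, tampered token) can be exercised offline. The issuer, user pool id, key and tokens are all constructed here; real Cognito tokens are RS256-signed and verified against the pool's JWKS, for which the HMAC stand-in below is a simplification.

```python
"""Added example: local simulation of the API Gateway COGNITO_USER_POOLS
authorizer scope check. Tokens are constructed inline and signed with
HMAC-SHA256 as a stand-in for Cognito's RS256 keys; not AWS code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values; a real pool issues tokens from
# https://cognito-idp.<region>.amazonaws.com/<pool-id>.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SIGNING_KEY = b"constructed-demo-key"            # stand-in for the pool's JWKS
METHOD_SCOPES = ["orders/read", "orders/write"]  # the method's OAuth Scopes list


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(token: str, method_scopes: list, now: Optional[float] = None):
    """Return (allowed, reason) the way the authorizer decides.

    Signature and issuer first, then expiry, then token_use, then the scope
    match: any one configured method scope present in the token's
    space-separated 'scope' claim is enough.
    """
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if not method_scopes:
        # No scopes on the method: API Gateway expects an ID token here.
        if claims.get("token_use") == "id":
            return True, "allowed"
        return False, "id token required when no scopes are configured"
    if claims.get("token_use") != "access":
        return False, "access token required when scopes are configured"
    token_scopes = set(claims.get("scope", "").split())
    if token_scopes.isdisjoint(method_scopes):
        return False, "no matching scope; token has %s" % sorted(token_scopes)
    return True, "allowed"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the authorizer over constructed tokens; returns name -> allowed."""
    base = {"iss": ISSUER, "exp": now + 3600, "sub": "constructed-user"}
    tokens = {
        "access_with_read": make_token({**base, "token_use": "access", "scope": "orders/read"}),
        "access_other_scope": make_token({**base, "token_use": "access", "scope": "profile/read"}),
        "id_token": make_token({**base, "token_use": "id", "email": "user@example.com"}),
        "expired": make_token({**base, "exp": now - 1, "token_use": "access", "scope": "orders/read"}),
    }
    # Forgery attempt: keep a valid signature but swap in a payload that claims orders/read.
    h, _, s = tokens["access_other_scope"].split(".")
    forged = _b64url(json.dumps({**base, "token_use": "access", "scope": "orders/read"}).encode())
    tokens["forged_scope"] = f"{h}.{forged}.{s}"
    return {name: authorize(tok, METHOD_SCOPES, now)[0] for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} -> {'ALLOW' if allowed else 'DENY'}")
```

The ordering in authorize matters: the scope comparison is only meaningful after the signature has been checked, otherwise the forged_scope case above would be accepted. Note that the id_token case is denied solely because scopes are configured on the method; the same token would be accepted by a method with no scopes, which is why the two settings must be chosen together.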
In conclusion, the required combination of steps to properly authorize a call to one of the REST API methods using an access token with AWS Cognito are: