
Answer-first summary for fast verification
Answer: The Lambda authorizer's authorization caching might be using an outdated policy based on the previous Engineering attribute.
The correct answer is A. When authorization caching is enabled on a custom Lambda authorizer, API Gateway caches the policy the authorizer returned for a given access token so that it does not have to invoke the authorizer on every request. The trade-off is that the cached policy can go stale: if the user's attributes change in the identity provider (IdP) while the cached entry is still within its TTL, API Gateway keeps enforcing the policy built from the old attributes. In this scenario, the developer first logged in while the department attribute was Engineering, so the Lambda authorizer's policy for that token was cached with that value. After the attribute was changed to Sales in the IdP, the cached policy still reflected Engineering, which is why access was denied.
Author: LeetQuiz Editorial Team
A developer creates an app using Amazon API Gateway with access limited to the Sales department via Amazon Cognito and a Lambda authorizer. Despite updating their IdP attribute to Sales, the developer is denied access due to the access token still showing Engineering. What could cause this discrepancy?
A. The Lambda authorizer's authorization caching might be using an outdated policy based on the previous Engineering attribute.
B. Caching on the Amazon Cognito user pool could be involved, but this is less likely the direct cause of the department value issue.
C. A missing Department tag on the Lambda authorizer's IAM role might affect access control but isn't the main reason for the incorrect department reporting.
D. A missing Department tag on the Amazon Cognito user pool's IAM role isn't the primary cause of the caching issue with the user's department attribute.