AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company's web application consists of an Amazon API Gateway API in front of an AWS Lambda function and an Amazon DynamoDB database. The Lambda function handles the business logic, and the DynamoDB table hosts the data. The application uses Amazon Cognito user pools to identify the individual users of the application. A solutions architect needs to update the application so that only users who have a subscription can access premium content.

Which solution will meet this requirement with the LEAST operational overhead?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Enable API caching and throttling on the API Gateway API.

Set up AWS WAF on the API Gateway API. Create a rule to filter users who have a subscription.

Apply fine-grained IAM permissions to the premium content in the DynamoDB table.

Implement API usage plans and API keys to limit the access of users who do not have a subscription.

Explanation:

Explanation

Correct Answer: D - Implement API usage plans and API keys to limit the access of users who do not have a subscription.

Why this is the correct answer:

API Gateway Usage Plans are specifically designed to control access to API methods based on subscription levels. They allow you to:
- Create different usage plans for different user tiers (free vs. premium)
- Associate API keys with specific usage plans
- Set throttling limits and quotas per usage plan
Least Operational Overhead: This solution leverages existing API Gateway capabilities without requiring:
- Complex IAM policy management
- Additional security services like WAF
- Application code changes for authorization logic
Integration with Cognito: API Gateway can work with Cognito user pools for authentication, and then use usage plans to control access based on subscription status.

Analysis of other options:

A. Enable API caching and throttling on the API Gateway API.

❌ This only improves performance and rate limiting, not authorization based on subscription status.

B. Set up AWS WAF on the API Gateway API. Create a rule to filter users who have a subscription.

❌ AWS WAF is designed for web application security (SQL injection, XSS, etc.), not for subscription-based authorization. It would be complex and inappropriate for this use case.

C. Apply fine-grained IAM permissions to the premium content in the DynamoDB table.

❌ While possible, this would require complex IAM policy management and would need to integrate with Cognito user attributes. It has higher operational overhead than API Gateway usage plans.

Key AWS Services Involved:

Amazon API Gateway: Provides usage plans and API keys for subscription management
Amazon Cognito: Handles user authentication
AWS Lambda: Business logic execution
Amazon DynamoDB: Data storage

Implementation Approach:

Create two usage plans in API Gateway: "Free" and "Premium"
Associate API keys with users based on their subscription status
Configure API methods to require API keys
Set appropriate throttling limits for each usage plan
Update application to distribute API keys to authenticated users based on their subscription tier

Powered ByGPT-5.2

Comments

Loading comments...