
AWS DVA-C02 Drill: API Gateway Authorization - Cognito Token vs. API Key

Author: Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For DVA-C02 candidates, the confusion usually comes from mixing up the two credentials an API Gateway REST API can ask for: the Cognito JWT that a user pool authorizer validates from the Authorization header, and the API key that a usage plan reads from the x-api-key header. In production this comes down to knowing exactly which credential goes in which header and what the authorizer actually checks before it lets a request through. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

TechFlow Labs is building a customer service platform where multiple AWS Lambda functions call an Amazon API Gateway REST API to fetch user data. The API Gateway methods use an Amazon Cognito user pool authorizer for authentication. Each Lambda function sends the user ID in the Authorization header when invoking the API. However, when these Lambdas make GET requests, the API Gateway returns 403 Forbidden errors consistently.

The Requirement

Identify the correct fix to allow the Lambda functions’ GET requests to successfully authenticate and be authorized by API Gateway.

The Options

  • A) Modify the Lambda GET requests to include a valid API key in the Authorization header.
  • B) Modify the Lambda GET requests to include a valid Cognito JWT token in the Authorization header.
  • C) Update the API Gateway resource policy to allow the execute-api:Invoke action for the Lambdas.
  • D) Modify the Lambda clients to send OPTIONS preflight requests ahead of the GET requests.


Correct Answer

B

Quick Insight: The Developer Imperative

The critical piece is that the Authorization header must carry a valid Cognito JWT, not an API key and not a bare user ID. The Cognito user pool authorizer verifies the token’s signature against the pool’s published signing keys and then checks its claims (issuer, expiry, token use, and audience or client ID) before the request reaches the integration. A header that holds anything else is rejected before your backend ever runs.


The Expert’s Analysis

Correct Answer

Option B

The Winning Logic

API Gateway with a Cognito user pool authorizer expects a valid JWT in the Authorization header. That token is issued by the user pool when a user (or a client acting on the user’s behalf) authenticates; a user ID is only a claim inside the token, and sending it on its own proves nothing. The authorizer rejects the request when the token is absent, malformed, expired, signed by another pool, or issued for a different app client, and a rejected request never reaches the Lambda integration.

  • A caller must first obtain tokens from the user pool (for example through the InitiateAuth API) and send one of them as the raw header value:
    Authorization: <JWT token>
    Which token depends on the method configuration: with no authorization scopes set, the authorizer treats the value as an ID token and checks its aud claim against the app client ID; with scopes set, it treats the value as an access token and checks its client_id and scope claims.

  • The resource policy (Option C) controls which principals, source IPs or VPCs may invoke the API at all, but it does not replace token validation; a policy that allows the Lambdas still leaves the missing token unresolved.

  • API keys (Option A) are supported by API Gateway, but they are read from the x-api-key header, tie a caller to a usage plan, and are not an authentication mechanism; the Cognito authorizer ignores them.

  • OPTIONS preflight requests (Option D) are part of CORS for browser clients and have no bearing on server-to-server calls from Lambda or on the authorizer’s decision.
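To make the authorizer’s decision concrete, here is an added example (not AWS code and not from this page) that models in Python the checks a Cognito user pool authorizer applies to the Authorization header: JWT structure, RS256 signature against the pool’s signing key, issuer, expiry, and the rule for which token is expected (an ID token, checked by its aud claim, on a method without authorization scopes; an access token, checked by client_id and scope, on a method with scopes). Because it must run offline, it generates a toy-size RSA key to stand in for the key the authorizer would fetch from the pool’s JWKS endpoint, and the region, pool ID and app client ID are made-up placeholders. It shows why the scenario’s bare user ID, an API key, an expired token, or a token from another pool are all turned away.

```python
"""Offline model of the checks an API Gateway Cognito user pool authorizer makes.
Added example, not AWS code: the RSA key generated below stands in for the user
pool's signing key (normally fetched from the pool's JWKS endpoint), and the
region, pool ID and app client ID are made-up placeholders."""
import base64, hashlib, hmac, json, random, time

REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "1example23456789abcdef"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DER prefix

def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a toy key, use a real library for anything else."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=512):
    """Toy-size RSA key pair (Cognito signs with 2048-bit RS256 keys)."""
    def prime(b):
        while True:
            cand = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(cand):
                return cand
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e is prime, so this gives gcd(e, phi) == 1
            break
    return {"kid": "pool-key-1", "n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(data, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, data):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(key, data, sig):
    k = (key["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(data, k))

def mint_token(key, token_use, sub, ttl=3600, scope="", issuer=ISSUER, now=None):
    """Stand-in for the user pool issuing an ID token (aud) or an access token (client_id, scope)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "iss": issuer, "token_use": token_use, "iat": now, "exp": now + ttl}
    claims.update({"aud": CLIENT_ID} if token_use == "id" else {"client_id": CLIENT_ID, "scope": scope})
    header = {"alg": "RS256", "kid": key["kid"]}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(rs256_sign(key, signing_input.encode()))

def authorize(authorization_header, jwks, required_scopes=None, now=None):
    """The authorizer's decision for one request: (allowed, reason_or_claims)."""
    parts = (authorization_header or "").strip().split(".")
    if len(parts) != 3:  # a bare user ID or an API key is not a JWT at all
        return False, "Authorization header value is not a JWT"
    try:
        header, claims, sig = json.loads(_unb64u(parts[0])), json.loads(_unb64u(parts[1])), _unb64u(parts[2])
        key = jwks[header["kid"]] if header["alg"] == "RS256" else None  # pin RS256, then look the kid up
    except (ValueError, KeyError, TypeError):  # bad base64 or JSON, or no such kid in the JWKS
        key = None
    if key is None or not isinstance(claims, dict) or not rs256_verify(key, f"{parts[0]}.{parts[1]}".encode(), sig):
        return False, "malformed token, unknown signing key, or bad signature"
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "token was not issued by this user pool"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    if required_scopes:  # method has scopes: needs an access token for this client carrying every scope
        if claims.get("token_use") != "access" or claims.get("client_id") != CLIENT_ID:
            return False, "access token for this app client required"
        if not set(required_scopes) <= set(str(claims.get("scope", "")).split()):
            return False, "access token lacks a required scope"
    elif claims.get("token_use") != "id" or claims.get("aud") != CLIENT_ID:  # no scopes: ID token, aud checked
        return False, "ID token for this app client required"
    return True, claims
```

With key = gen_rsa_key() and jwks = {key["kid"]: key} (the shape of what the authorizer caches from the pool), authorize("user-123", jwks) returns (False, "Authorization header value is not a JWT"), which is the scenario’s failure, while authorize(mint_token(key, "id", "user-123"), jwks) is accepted and hands back the claims. In a real Lambda the equivalent of mint_token is a call to the user pool such as InitiateAuth, and the equivalent of jwks is the document at https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json, which PyJWT or python-jose can consume; the claim checks above are the same ones the authorizer applies.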

The Trap (Distractor Analysis)

  • Why not A? API keys identify a caller for usage plans (throttling and quotas), not for authentication, and API Gateway reads them from the x-api-key header. An API key placed in the Authorization header satisfies neither the authorizer nor the usage plan.
  • Why not C? A resource policy can allow or deny execute-api:Invoke by principal, source IP, or VPC, but it does not validate tokens. Unless the Lambdas are being denied by an existing policy, changing it leaves the missing JWT in place and the requests keep failing.
  • Why not D? OPTIONS preflight requests belong to CORS and only matter for browsers. Lambda-to-API calls are not subject to CORS, and a preflight does nothing for token validation.

The Technical Blueprint

# Sample curl call sending the raw JWT as the Authorization header value to a REST API
# method behind a Cognito user pool authorizer (token truncated for display; -i shows the status line)
curl -i -H "Authorization: eyJraWQiOiJrMjp1In0.eyJzdWIiOiIxMjM0..." \
  https://api.example.com/prod/users

The Comparative Analysis

Option   Credential / control             Complexity   Performance   Use case
A        API key (x-api-key header)       Low          Medium        Usage plans, throttling and metering; unrelated here
B        Cognito JWT (Authorization)      Standard     High          What a Cognito user pool authorizer validates; correct here
C        Resource policy                  Medium       Low           Allow/deny by principal, source IP or VPC; does not validate tokens
D        OPTIONS preflight                Low          N/A           CORS for browser clients only

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, when you see a Cognito user pool authorizer on an API Gateway method, the fix is a valid Cognito JWT in the Authorization header; API keys, resource policies and CORS settings are distractors unless the question says otherwise.

Real World

In production the two headers are the usual mix-up: the JWT goes in Authorization, the API key (if the method requires one) goes in x-api-key, and neither substitutes for the other. Two checks save time when a call fails:

  • Read the status code and the JSON message together. A REST API Cognito user pool authorizer answers a missing or invalid token with HTTP 401 and {"message":"Unauthorized"}, so a steady 403 is worth a second look: it usually points elsewhere, such as a method that requires an API key and did not get one ({"message":"Forbidden"}), an explicit deny in the resource policy, or a request to a path or method that does not exist ({"message":"Missing Authentication Token"}).
  • Decode the token you are sending before blaming the API: confirm that iss names the right user pool, that exp is in the future, and that you are sending an ID token to a method without authorization scopes or an access token to a method with scopes. The Test action on the authorizer in the API Gateway console lets you paste a token and see the authorizer’s verdict without touching the Lambda.



Disclaimer

This is a study note based on simulated scenarios for the DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.