Question 334 of 1,616
SecurityhardMultiple SelectObjective-mapped

DVA-C02 Lambda authorizer Practice Question

This DVA-C02 practice question tests your understanding of security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: lambda authorizer. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A developer needs to securely expose an API running on an EC2 instance behind an Application Load Balancer. The API should only be accessible to authenticated users via a custom authorization header. Which steps should be taken? (Choose TWO.)

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Create a Lambda authorizer that validates the custom header

Option A is correct because it creates a Lambda authorizer that can validate a custom authorization header. Option D is correct because API Gateway natively supports Lambda authorizers, allowing the custom header validation to secure the API. Options B and C are incorrect because AWS WAF cannot perform custom authorization logic, and Cognito User Pools require OIDC flows, not custom headers. Option E is incorrect because ALB does not natively support Lambda authorizers as a feature.

Key principle: Lambda authorizer

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a Lambda authorizer that validates the custom header

    Why this is correct

    Correct. A Lambda authorizer can validate a custom authorization header and return an IAM policy, which API Gateway uses to allow or deny access.

    Related concept

    Lambda authorizer

  • Enable AWS WAF on the ALB to inspect the header

    Why it's wrong here

    Incorrect. AWS WAF can inspect headers but cannot execute custom authorization logic; it is rule-based, not decision-based on header content.

  • Use Amazon Cognito User Pools to validate the header

    Why it's wrong here

    Incorrect. Amazon Cognito User Pools are used for user authentication via OAuth/OIDC, not for validating arbitrary custom headers.

  • Use Amazon API Gateway instead of ALB

    Why this is correct

    Correct. API Gateway can be placed in front of the EC2 instance, replacing the ALB, and can use a Lambda authorizer to secure the API.

    Related concept

    Lambda authorizer

  • Configure the ALB to use the Lambda authorizer

    Why it's wrong here

    Incorrect. ALB does not natively support Lambda authorizers; it can invoke a Lambda as a target but not as an authorizer for access control.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap is that candidates may assume ALB can use Lambda authorizers similar to API Gateway, but ALB lacks this feature. The correct solution is to use API Gateway with a Lambda authorizer instead of relying on ALB for custom authorization.

Detailed technical explanation

How to think about this question

When using an ALB with a Lambda function as a target, the ALB sends the entire HTTP request to the Lambda function, which can parse the custom authorization header (e.g., 'X-Auth-Token') and return a response with a status code (e.g., 200 for allow, 403 for deny). The ALB then uses this response to decide whether to forward the request to the EC2 instance. This pattern is known as 'Lambda as a target group' and is distinct from API Gateway's Lambda authorizer, which returns an IAM policy. Under the hood, the ALB expects the Lambda to return a specific JSON structure with 'statusCode' and 'headers' to control the flow.

KKey Concepts to Remember

  • Lambda authorizer
  • API Gateway

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Lambda authorizer

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

Quick reference

Cloud Service Model Comparison

ModelYou ManageProvider ManagesExamples
IaaSOS, runtime, apps, dataHardware, hypervisor, networkingEC2, Azure VMs, GCP Compute Engine
PaaSApps and dataOS, runtime, middleware, hardwareElastic Beanstalk, Azure App Service
SaaSData and settings onlyEverything elseMicrosoft 365, Salesforce, Workday
FaaS / ServerlessFunction code onlyInfra, scaling, runtimeLambda, Azure Functions, Cloud Run
CaaSContainers and appsKubernetes, OS, hardwareEKS, AKS, GKE

What to study next

Got this wrong? Here's your next step.

Review lambda authorizer, then practise related DVA-C02 questions on the same topic to reinforce the concept.

Related practice questions

Related DVA-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DVA-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DVA-C02 question test?

Security — This question tests Security — Lambda authorizer.

What is the correct answer to this question?

The correct answer is: Create a Lambda authorizer that validates the custom header — Option A is correct because it creates a Lambda authorizer that can validate a custom authorization header. Option D is correct because API Gateway natively supports Lambda authorizers, allowing the custom header validation to secure the API. Options B and C are incorrect because AWS WAF cannot perform custom authorization logic, and Cognito User Pools require OIDC flows, not custom headers. Option E is incorrect because ALB does not natively support Lambda authorizers as a feature.

What should I do if I get this DVA-C02 question wrong?

Review lambda authorizer, then practise related DVA-C02 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Lambda authorizer

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More DVA-C02 practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DVA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DVA-C02 exam.