- A
Create a Lambda authorizer that validates the custom header
Correct. A Lambda authorizer can validate a custom authorization header and return an IAM policy, which API Gateway uses to allow or deny access.
- B
Enable AWS WAF on the ALB to inspect the header
Why wrong: Incorrect. AWS WAF can inspect headers but cannot execute custom authorization logic; it is rule-based, not decision-based on header content.
- C
Use Amazon Cognito User Pools to validate the header
Why wrong: Incorrect. Amazon Cognito User Pools are used for user authentication via OAuth/OIDC, not for validating arbitrary custom headers.
- D
Use Amazon API Gateway instead of ALB
Correct. API Gateway can be placed in front of the EC2 instance, replacing the ALB, and can use a Lambda authorizer to secure the API.
- E
Configure the ALB to use the Lambda authorizer
Why wrong: Incorrect. ALB does not natively support Lambda authorizers; it can invoke a Lambda as a target but not as an authorizer for access control.
DVA-C02 Lambda authorizer Practice Question
This DVA-C02 practice question tests your understanding of security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: lambda authorizer. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A developer needs to securely expose an API running on an EC2 instance behind an Application Load Balancer. The API should only be accessible to authenticated users via a custom authorization header. Which steps should be taken? (Choose TWO.)
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Create a Lambda authorizer that validates the custom header
Option A is correct because it creates a Lambda authorizer that can validate a custom authorization header. Option D is correct because API Gateway natively supports Lambda authorizers, allowing the custom header validation to secure the API. Options B and C are incorrect because AWS WAF cannot perform custom authorization logic, and Cognito User Pools require OIDC flows, not custom headers. Option E is incorrect because ALB does not natively support Lambda authorizers as a feature.
Key principle: Lambda authorizer
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Create a Lambda authorizer that validates the custom header
Why this is correct
Correct. A Lambda authorizer can validate a custom authorization header and return an IAM policy, which API Gateway uses to allow or deny access.
Related concept
Lambda authorizer
- ✗
Enable AWS WAF on the ALB to inspect the header
Why it's wrong here
Incorrect. AWS WAF can inspect headers but cannot execute custom authorization logic; it is rule-based, not decision-based on header content.
- ✗
Use Amazon Cognito User Pools to validate the header
Why it's wrong here
Incorrect. Amazon Cognito User Pools are used for user authentication via OAuth/OIDC, not for validating arbitrary custom headers.
- ✓
Use Amazon API Gateway instead of ALB
Why this is correct
Correct. API Gateway can be placed in front of the EC2 instance, replacing the ALB, and can use a Lambda authorizer to secure the API.
Related concept
Lambda authorizer
- ✗
Configure the ALB to use the Lambda authorizer
Why it's wrong here
Incorrect. ALB does not natively support Lambda authorizers; it can invoke a Lambda as a target but not as an authorizer for access control.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap is that candidates may assume ALB can use Lambda authorizers similar to API Gateway, but ALB lacks this feature. The correct solution is to use API Gateway with a Lambda authorizer instead of relying on ALB for custom authorization.
Detailed technical explanation
How to think about this question
When using an ALB with a Lambda function as a target, the ALB sends the entire HTTP request to the Lambda function, which can parse the custom authorization header (e.g., 'X-Auth-Token') and return a response with a status code (e.g., 200 for allow, 403 for deny). The ALB then uses this response to decide whether to forward the request to the EC2 instance. This pattern is known as 'Lambda as a target group' and is distinct from API Gateway's Lambda authorizer, which returns an IAM policy. Under the hood, the ALB expects the Lambda to return a specific JSON structure with 'statusCode' and 'headers' to control the flow.
KKey Concepts to Remember
- Lambda authorizer
- API Gateway
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Lambda authorizer
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
Quick reference
Cloud Service Model Comparison
| Model | You Manage | Provider Manages | Examples |
|---|---|---|---|
| IaaS | OS, runtime, apps, data | Hardware, hypervisor, networking | EC2, Azure VMs, GCP Compute Engine |
| PaaS | Apps and data | OS, runtime, middleware, hardware | Elastic Beanstalk, Azure App Service |
| SaaS | Data and settings only | Everything else | Microsoft 365, Salesforce, Workday |
| FaaS / Serverless | Function code only | Infra, scaling, runtime | Lambda, Azure Functions, Cloud Run |
| CaaS | Containers and apps | Kubernetes, OS, hardware | EKS, AKS, GKE |
What to study next
Got this wrong? Here's your next step.
Review lambda authorizer, then practise related DVA-C02 questions on the same topic to reinforce the concept.
- →
Security — study guide chapter
Learn the concepts, then practise the questions
- →
Security practice questions
Targeted practice on this topic area only
- →
All DVA-C02 questions
1,616 questions across all exam domains
- →
AWS Certified Developer Associate DVA-C02 study guide
Full concept coverage aligned to exam objectives
- →
DVA-C02 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related DVA-C02 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Development with AWS Services practice questions
Practise DVA-C02 questions linked to Development with AWS Services.
Security practice questions
Practise DVA-C02 questions linked to Security.
Deployment practice questions
Practise DVA-C02 questions linked to Deployment.
Troubleshooting and Optimization practice questions
Practise DVA-C02 questions linked to Troubleshooting and Optimization.
DVA-C02 fundamentals practice questions
Practise DVA-C02 questions linked to DVA-C02 fundamentals.
DVA-C02 scenario practice questions
Practise DVA-C02 questions linked to DVA-C02 scenario.
DVA-C02 troubleshooting practice questions
Practise DVA-C02 questions linked to DVA-C02 troubleshooting.
Practice this exam
Start a free DVA-C02 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this DVA-C02 question test?
Security — This question tests Security — Lambda authorizer.
What is the correct answer to this question?
The correct answer is: Create a Lambda authorizer that validates the custom header — Option A is correct because it creates a Lambda authorizer that can validate a custom authorization header. Option D is correct because API Gateway natively supports Lambda authorizers, allowing the custom header validation to secure the API. Options B and C are incorrect because AWS WAF cannot perform custom authorization logic, and Cognito User Pools require OIDC flows, not custom headers. Option E is incorrect because ALB does not natively support Lambda authorizers as a feature.
What should I do if I get this DVA-C02 question wrong?
Review lambda authorizer, then practise related DVA-C02 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Lambda authorizer
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Keep practising
More DVA-C02 practice questions
- A developer is troubleshooting an AWS Lambda function that is triggered by an S3 event. The function occasionally fails…
- A developer needs to call AWS APIs from application code running on EC2. Which credential source should the AWS SDK use…
- A developer needs to allow an IAM user in a different AWS account to assume a role in the developer's account. The role…
- A developer needs to grant an IAM role in Account B read-only access to objects in an S3 bucket in Account A. The bucket…
- An API Gateway HTTP API should allow access only to users authenticated by an external OIDC provider. Which authorizer t…
- A developer needs to allow an EC2 instance to read from a DynamoDB table. Which is the best practice to grant permission…
Last reviewed: Jun 24, 2026
This DVA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DVA-C02 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.