An application uses Amazon Cognito user pools for authentication. A developer wants to restrict access to an API Gateway endpoint to only authenticated users from a specific user pool. What is the best approach?
API Gateway directly supports Cognito user pool authorizers for JWT validation.
Why this answer
Option B is correct because a Cognito User Pool authorizer in API Gateway is the native, fully managed way to restrict access to an API endpoint to authenticated users from a specific user pool. It automatically validates the JWT issued by the user pool and caches the result, requiring no custom code. This approach integrates directly with API Gateway's authorization flow, ensuring that only tokens from the specified user pool are accepted.
Exam trap
The trap here is that candidates often overcomplicate the solution by choosing a Lambda authorizer (option D) because they think they need custom validation logic, forgetting that API Gateway has a built-in Cognito User Pool authorizer that handles JWT validation natively without any custom code.
How to eliminate wrong answers
Option A is wrong because IAM policies cannot reference a Cognito user pool ARN as a principal or resource for API Gateway; IAM policies control access based on IAM users/roles, not user pool identities. Option C is wrong because API Gateway resource policies control access by source IP, VPC, or AWS account, not by Cognito user pool tokens or user pool ARN. Option D is wrong because while a Lambda authorizer could validate a JWT against a user pool, it is unnecessary overhead and not the 'best approach' when a built-in Cognito User Pool authorizer exists that is simpler, faster, and requires no custom code.