A company has a web application behind an Application Load Balancer (ALB) in a VPC. The application needs to authenticate users using an external identity provider (IdP). The SysOps Administrator recommends using Amazon Cognito as an identity broker. Which ALB action should be configured to authenticate users before forwarding requests to the target group?
ALB supports an authenticate action that integrates with Cognito to handle user authentication.
Why this answer
Amazon Cognito integrates directly with Application Load Balancers via an authenticate action. When you configure an ALB rule with an authenticate action using a Cognito user pool, the ALB handles the OAuth 2.0 / OpenID Connect flow with the external IdP, obtains tokens, and only forwards authenticated requests to the target group. This eliminates the need for custom authentication logic in the application.
Exam trap
The trap here is that candidates may think a simple redirect action (Option C) is sufficient, but they miss that the ALB must actively participate in the token exchange and validation, which only the authenticate action provides.
How to eliminate wrong answers
Option B is wrong because a fixed-response action returning a 401 status code would simply reject all requests without any authentication flow, failing to integrate with the external IdP. Option C is wrong because a redirect action to the IdP login page would send users to the IdP but the ALB would not handle the callback or validate tokens, leaving authentication incomplete and unmanaged. Option D is wrong because a forward action to the target group would bypass authentication entirely, allowing unauthenticated requests to reach the application.
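As an added example that is not part of the original question, the listener-rule actions for the correct answer in the shape boto3's `elbv2.create_rule()` takes (an `authenticate-cognito` action ordered before the `forward` action), plus a small check that flags the distractor rules from the options above; every ARN, client ID and domain below is a constructed placeholder.

```python
"""Listener-rule actions for ALB + Cognito authentication (added example).

All resource identifiers are constructed placeholders, not real resources.
"""

# Constructed placeholders for this example.
USER_POOL_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
USER_POOL_CLIENT_ID = "exampleclientid1234567890"
USER_POOL_DOMAIN = "example-auth"          # the Cognito hosted-UI domain prefix
TARGET_GROUP_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                    "targetgroup/web/0123456789abcdef")
IDP_LOGIN_URL = "https://idp.example.com/login"


def cognito_auth_rule_actions():
    """Correct answer: authenticate-cognito (Order 1) then forward (Order 2).

    The ALB runs the OIDC flow against the Cognito user pool (which brokers
    the external IdP), validates the tokens, sets its session cookie and only
    then forwards the request to the target group.
    """
    return [
        {
            "Type": "authenticate-cognito",
            "Order": 1,
            "AuthenticateCognitoConfig": {
                "UserPoolArn": USER_POOL_ARN,
                "UserPoolClientId": USER_POOL_CLIENT_ID,
                "UserPoolDomain": USER_POOL_DOMAIN,
                # Send unauthenticated users through the login flow rather
                # than rejecting them ('deny') or letting them through ('allow').
                "OnUnauthenticatedRequest": "authenticate",
                "Scope": "openid",
                "SessionTimeout": 3600,   # ALB session cookie lifetime, seconds
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": TARGET_GROUP_ARN},
    ]


def redirect_only_rule_actions():
    """Option C distractor: the browser is sent to the IdP, but nothing
    handles the callback or validates a token."""
    return [{"Type": "redirect", "Order": 1,
             "RedirectConfig": {"Protocol": "HTTPS", "Host": "idp.example.com",
                                "Path": "/login", "Port": "443",
                                "StatusCode": "HTTP_302"}}]


def authenticates_before_forward(actions):
    """True only if an ALB authenticate action precedes the forward action."""
    types = [a["Type"] for a in sorted(actions, key=lambda a: a["Order"])]
    if "forward" not in types:
        return False                       # nothing ever reaches the target group
    return any(t in ("authenticate-cognito", "authenticate-oidc")
               for t in types[: types.index("forward")])
```

Run `authenticates_before_forward()` over a rule's action list when reviewing listener configurations; a rule that forwards without an authenticate action ahead of it is the Option D case.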