ExamQuestions.com

AWS Certified Security Specialty Exam Questions


Question 263:

A team is developing a RESTful API for annual leave data, to be used internally by employees. The API is implemented with AWS API Gateway and a Lambda function.
You want to control access to the RESTful API: incoming HTTP requests must include a valid token. If the token is invalid, a 401 Unauthorized response is returned.
How would you configure the authorization for the API?

Answer options:

A. In the existing Lambda function, add authorization logic to check the custom token header. Return a 401 Unauthorized response if the token header is invalid.
B. Create an authorizer for the API Gateway using a new Lambda function. Implement the logic to validate the token in the new Lambda function.
C. Configure an IAM policy in the API Gateway. Use the Principal field to determine which users are allowed to send requests to the API.
D. Configure a SAML authorizer using an AWS Cognito user pool, with the token header checked by Cognito. The API call proceeds only if the required token is valid.