Your application backend services are hosted on AWS and provide several REST API methods managed via AWS API Gateway. You’ve decided to start using AWS Cognito for your application’s user management.What combination of steps is required to properly authorize a call to one of the REST API methods using an access token (Select TWO)?

Answer options:

A.Create a COGNITO_USER_POOLS authorizer.
B.Create a COGNITO_IDENTITY_POOLS authorizer.
C.Add the $context.authorizer.claims.email expression in the Integration Request of the API to pass the email identity claim to the backend.
D.Configure a single-space separated list of OAuth Scopes on the API method.

Answer: A and D
Option A is CORRECT because the first step to integrating API Gateway with AWS Cognito is to create a new Cognito User Pool authorizer on the API.
Option B is incorrect because the Cognito User Pool authorizer must be created and not the Identity Pool.
Option C is incorrect because passing identity claims to the backend is used with identity tokens, not access tokens.
Option D is CORRECT because OAuth Scopes must be specified on the API method so that they can be compared against scopes that are claimed in the incoming token.
Reference:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html