The correct choice is REQUEST Lambda authorizer because it can read values from HTTP headers and query string parameters and it therefore meets the requirement.

The REQUEST Lambda authorizer receives the full request context so the Lambda function can inspect headers, query string parameters, stage variables and the $context object to perform custom authentication and authorization logic. This capability makes it suitable when the identity information is spread across headers and query parameters rather than provided as a single token.

TOKEN Lambda authorizer is not appropriate because it expects a single bearer token such as a JWT typically provided in an Authorization header and it does not parse multiple headers and query string parameters for identity.

Amazon Cognito user pool authorizer is not suitable because it validates JWTs issued by Cognito user pools and it does not implement a custom scheme that reads arbitrary headers and query parameters.

IAM authorization is incorrect because it relies on SigV4 signing and IAM credentials and policies rather than custom request parameter values for authentication.

Full AWS Practitioner Certification Question