
SAA-C03 · Question #190

SAA-C03 Question #190: Real Exam Question with Answer & Explanation

The correct answer is A: Create an AWS WAF web ACL that is associated with the REST API. Add the appropriate. Step A: AWS WAF with managed rules protects the API against application-layer attacks, such as SQL injection and cross-site scripting (XSS). Step C: Amazon Cognito provides secure authentication and supports federation with social IdPs using OIDC or SAML. It integrates seamlessly

Submitted by yaw92 · Mar 4, 2026 · Design Secure Architectures

Question

A solutions architect needs to secure an Amazon API Gateway REST API. Users need to be able to log in to the API by using common external social identity providers (IdPs). The social IdPs must use standard authentication protocols such as SAML or OpenID Connect (OIDC). The solutions architect needs to protect the API against attempts to exploit application vulnerabilities. Which combination of steps will meet these security requirements? (Select TWO.)

Options

  • A. Create an AWS WAF web ACL that is associated with the REST API. Add the appropriate
  • B. Subscribe to AWS Shield Advanced. Enable DDoS protection. Associate Shield Advanced with
  • C. Create an Amazon Cognito user pool with a federation to the social IdPs. Integrate the user pool
  • D. Create an API key in API Gateway. Associate the API key with the REST API.
  • E. Create an IP address filter in AWS WAF that allows only the social IdPs. Associate the filter with

Explanation

Step A: AWS WAF with managed rules protects the API against application-layer attacks, such as SQL injection and cross-site scripting (XSS).

Step C: Amazon Cognito provides secure authentication and supports federation with social IdPs using OIDC or SAML. It integrates seamlessly with API Gateway.

Option B: AWS Shield Advanced provides DDoS protection, which is not explicitly required in this

Option D: API keys provide identification, not authentication, and are insufficient for this use case.

Option E: IP filters in WAF are overly restrictive for federated authentication scenarios.
