SAP-C02 Question #608: Real Exam Question with Answer & Explanation
The correct answer is A: For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role. To secure an API Gateway endpoint for AWS users/roles and gain end-to-end request visibility, configure AWS_IAM authorization for the API method and enable AWS X-Ray.
Question
A solutions architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint. The solutions architect wants an end-to-end view of each request to analyze the latency of the request and create service maps. How can the solutions architect design the API Gateway access control and perform request inspections?
Options
- A. For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role
- B. For the API Gateway resource, set CORS to enabled and only return the company's domain in
- C. Create an AWS Lambda function as the custom authorizer, ask the API client to pass the key and
- D. Create a client certificate for API Gateway. Distribute the certificate to the AWS users and roles
Explanation
To secure an API Gateway endpoint for AWS users/roles and gain end-to-end request visibility, configure AWS_IAM authorization for the API method and enable AWS X-Ray.
Common mistakes.
- B. Enabling CORS (Cross-Origin Resource Sharing) is for controlling web browser access from different origins, not for authenticating AWS users or roles, nor does it provide an end-to-end view of requests.
- C. While a custom Lambda authorizer provides flexible authorization, AWS_IAM is a native solution for AWS principals, and a custom authorizer alone does not provide X-Ray's end-to-end tracing and service mapping capabilities.
- D. Client certificates are typically used for mutual TLS authentication between the client and API Gateway, not for authenticating AWS IAM users or roles, and they do not provide request tracing or service maps.
Concept tested. API Gateway authorization (AWS_IAM), AWS X-Ray tracing
Reference. https://docs.aws.amazon.com/apigateway/latest/developerguide/security-iam.html
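Added example (not part of the original question or the AWS documentation): a small offline audit that flags REST API methods whose authorization type is not AWS_IAM and stages without X-Ray tracing, plus a builder for the matching execute-api:Invoke policy. The input dicts are constructed samples shaped like the boto3 apigateway get_resources(embed=["methods"]) and get_stages() responses; the account ID, API ID, paths and function names are assumptions.

```python
# Added example: checks the two controls from the explanation above
# (AWS_IAM method authorization, X-Ray tracing on the stage).

def audit_api(resources, stages):
    """Return findings as (kind, subject, observed_value) tuples."""
    findings = []
    for res in resources.get("items", []):
        # Resources with no methods have no "resourceMethods" key.
        for verb, method in res.get("resourceMethods", {}).items():
            auth = method.get("authorizationType", "NONE")
            if auth != "AWS_IAM":
                findings.append(("auth", f"{verb} {res['path']}", auth))
    for stage in stages.get("item", []):
        # Treat a missing tracingEnabled flag as tracing disabled.
        if not stage.get("tracingEnabled", False):
            findings.append(("tracing", stage["stageName"], False))
    return findings


def invoke_policy(region, account_id, api_id, stage, verb, path):
    """Build an IAM policy allowing one caller to invoke one method."""
    resource = (f"arn:aws:execute-api:{region}:{account_id}:"
                f"{api_id}/{stage}/{verb}/{path.lstrip('/')}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "execute-api:Invoke",
                       "Resource": resource}],
    }


# Constructed sample data (not taken from a real account).
SAMPLE_RESOURCES = {"items": [
    {"path": "/"},
    {"path": "/orders", "resourceMethods": {
        "GET": {"authorizationType": "AWS_IAM"},
        "POST": {"authorizationType": "NONE"}}},
    {"path": "/health", "resourceMethods": {
        "GET": {"authorizationType": "CUSTOM"}}},
]}
SAMPLE_STAGES = {"item": [
    {"stageName": "prod", "tracingEnabled": True},
    {"stageName": "dev", "tracingEnabled": False},
]}

if __name__ == "__main__":
    for finding in audit_api(SAMPLE_RESOURCES, SAMPLE_STAGES):
        print(finding)
```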