Q55 — AWS SAP-C02 Ch.2
Q205. A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures. After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost. Which approach should the company take to secure its API?
- A. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can execute the POST method.
- B. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.
- C. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
- D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan. ✓
Correct Answer: D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
Explanation
Option A puts CloudFront in front of the API and associates a WAF web ACL with the distribution, but it never restricts access to the six partners' IP addresses, so the botnet traffic still reaches the edge. Option B adds a custom header carrying an API key to the CloudFront distribution, but it likewise does nothing to restrict access to the six partners' IP addresses. Option C creates a WAF web ACL that allows only the six partners' IP addresses and requires an API key on the POST method, but it provides no rate limiting or usage control to stop excessive requests from the botnet. Option D is therefore the best way to secure the API while minimizing cost: create a WAF web ACL with a rule that allows only the IP addresses used by the six partners, and associate the web ACL with the API so that all other traffic is blocked. Create a usage plan with a request limit to cap the number of requests each partner can make. Finally, create an API key and add it to the usage plan, so that only authorized partners can call the API and the rate limits are enforced.