Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions


Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 172 discussion

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.

The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.

Which combination of steps will meet these requirements? (Choose two.)

  • A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
  • B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
  • C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
  • D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
  • E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.
Suggested Answer: AE 🗳️
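The practical distinction the suggested answer turns on is what goes into the trust store: the CA certificate(s) that signed the client certificates, never a client certificate or a private key. The following is an added example, not code from the exam page or from AWS, that assembles the single PEM bundle API Gateway reads from the S3 truststore URI and rejects a bundle that contains a private key or anything other than certificates. The certificate bodies are constructed placeholders, and `configure_mutual_tls` is an assumed illustration of the S3 upload plus domain-name patch described in the mutual TLS documentation linked in the discussion; it needs boto3 and credentials and is not executed by the checks.

```python
"""Build and sanity-check an API Gateway mutual TLS trust store before upload.

Added example (not from the exam page or AWS); the certificate bodies below are
constructed placeholders, not real certificates or keys.
"""
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return a list of (label, body) tuples for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_truststore(pem_text):
    """Return a list of problems with a candidate trust store; [] means OK.

    The trust store must hold only CA certificates: the root that signed the
    client certificates plus any intermediates. Private keys must never be
    uploaded, and any other block type is rejected.
    """
    problems = []
    blocks = pem_blocks(pem_text)
    if not blocks:
        problems.append("no PEM blocks found")
    for label, _body in blocks:
        if "PRIVATE KEY" in label:
            problems.append(
                f"contains a '{label}' block: never put private keys in the trust store"
            )
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type '{label}'")
    return problems


def build_truststore(ca_certs):
    """Concatenate CA certificates (root first, then intermediates) into the
    single PEM file API Gateway expects at the truststore URI."""
    bundle = "\n".join(c.strip() for c in ca_certs) + "\n"
    problems = check_truststore(bundle)
    if problems:
        raise ValueError("; ".join(problems))
    return bundle


def configure_mutual_tls(domain_name, bucket, key, bundle):
    """Upload the bundle to S3 and point the custom domain at it.

    Assumed, illustrative calls based on the linked API Gateway mutual TLS
    docs: S3 put_object plus update_domain_name with a patch operation on
    /mutualTlsAuthentication/truststoreUri. Requires boto3 and credentials.
    """
    import boto3  # imported lazily so the checks above work without it

    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=bundle.encode())
    return boto3.client("apigateway").update_domain_name(
        domainName=domain_name,
        patchOperations=[
            {
                "op": "replace",
                "path": "/mutualTlsAuthentication/truststoreUri",
                "value": f"s3://{bucket}/{key}",
            }
        ],
    )


# Constructed placeholders (not real certificates or keys).
ROOT_CA = "-----BEGIN CERTIFICATE-----\nMIIBconstructedRootCA==\n-----END CERTIFICATE-----"
INTERMEDIATE_CA = "-----BEGIN CERTIFICATE-----\nMIIBconstructedIntermediateCA==\n-----END CERTIFICATE-----"
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructedClientKey==\n-----END PRIVATE KEY-----"

# A correct bundle (root + intermediate) and a bundle that wrongly includes a key.
GOOD_TRUSTSTORE = build_truststore([ROOT_CA, INTERMEDIATE_CA])
BAD_TRUSTSTORE = ROOT_CA + "\n" + CLIENT_KEY + "\n"

if __name__ == "__main__":
    print(check_truststore(GOOD_TRUSTSTORE))  # []
    print(check_truststore(BAD_TRUSTSTORE))   # private key problem reported
```

The check is deliberately limited to what can be verified without a certificate parser: block type and the absence of key material. It cannot tell a CA certificate from a leaf client certificate, so confirming that each block carries a CA basic constraint still needs an X.509 parser or an out-of-band review before the bundle is uploaded.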

Comments

Chosen Answer:
d262e67
Highly Voted 10 months, 1 week ago
Selected Answer: AE
A. Because it's only for internal teams. E. Because the truststore dictates which CAs to trust. If you have intermediate CAs those also need to be present in the S3 bucket.
upvoted 6 times
d262e67
10 months, 1 week ago
https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html
upvoted 1 times
Jay_2pt0_1
Most Recent 5 months, 3 weeks ago
Selected Answer: AE
A. Use ACM to generate the cert. E. See https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
upvoted 2 times
didek1986
6 months, 2 weeks ago
Selected Answer: AE
C is incorrect because the trust store should contain the root CA certificate, not the client certificate. Root CA certificate is used to validate the client certificates (can be many) presented by the clients. If the client certificate itself is in the trust store, it would mean that only that specific client is trusted, which is not practical in a scenario where there are multiple clients (read it as company's internal teams).
upvoted 4 times
WhyIronMan
7 months ago
Selected Answer: AC
A and C. Details are everything in an Investigation... What API Gateway needs is the Client Certificate generated by option A and not the CA
upvoted 1 times
DanShone
7 months, 2 weeks ago
Selected Answer: AE
https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html After reading the above documentation, I would determine A & E.
upvoted 4 times
Nano803
7 months, 3 weeks ago
Selected Answer: AC
Check this article: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html. You need to upload the truststore to an Amazon S3 bucket in a single file.
upvoted 1 times
Ramdi1
8 months, 3 weeks ago
Selected Answer: AE
After reading this, I would suggest A & E.
upvoted 3 times
thanhnv142
8 months, 3 weeks ago
Selected Answer: AC
A and C are correct. A: we prefer an AWS service over a public one, which is B. B: the reason is explained in option A. C: upload the provisioned to S3 bucket. D: should not upload the private key anywhere. E: this option has no connection to option A.
upvoted 1 times
Spavanko
9 months ago
Selected Answer: BE
Details can be found here: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
upvoted 2 times
a54b16f
9 months, 3 weeks ago
Selected Answer: AE
You need to use the ROOT CA, or whatever certificate is being used to sign the other certificates, in the truststore.
upvoted 3 times
kabary
10 months, 1 week ago
Selected Answer: AC
You shall NEVER upload a private cert or key to an S3 bucket. This is a bad practice and hence C. I also choose A because you need a private cert between the internal teams and the API.
upvoted 2 times
matanasov
10 months ago
Option C and Option D involve uploading the client certificate or its private key to an S3 bucket and configuring the API Gateway to use them as the trust store. This is not a recommended practice as it exposes sensitive information to potential security risks. The trust store for mutual TLS should typically involve the CA certificate or a certificate chain that verifies the client certificates, not the client certificates or private keys themselves.
upvoted 2 times
PrasannaBalaji
10 months, 1 week ago
Selected Answer: AE
A and E
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other