Exam AWS Certified DevOps Engineer - Professional DOP-C02 All Questions

View all questions & answers for the AWS Certified DevOps Engineer - Professional DOP-C02 exam

Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 172 discussion

Exam question from Amazon's AWS Certified DevOps Engineer - Professional DOP-C02

Question #: 172
Topic #: 1

[All AWS Certified DevOps Engineer - Professional DOP-C02 Questions]

A company uses an Amazon API Gateway regional REST API to host its application API. The REST API has a custom domain. The REST API's default endpoint is deactivated.

The company's internal teams consume the API. The company wants to use mutual TLS between the API and the internal teams as an additional layer of authentication.

Which combination of steps will meet these requirements? (Choose two.)

A. Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
B. Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
C. Upload the provisioned client certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
D. Upload the provisioned client certificate private key to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
E. Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.

Show Suggested Answer

Suggested Answer: AE 🗳️

by PrasannaBalaji at Dec. 29, 2023, 2:29 p.m.

Disclaimers:

- ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Submit Cancel

d262e67

Highly Voted 12 months ago

Selected Answer: AE

A. Because it's only for internal teams. E. Because the truststore dictates which CAs to trust. If you have intermediate CAs those also need to be present in the S3 bucket.

upvoted 6 times

d262e67

12 months ago

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html

upvoted 1 times

...

nickp84

Most Recent 1 month, 2 weeks ago

Selected Answer: AE

C. Upload client certificate to S3 – The trust store should contain the CA certificate, not individual client certificates. API Gateway validates the client cert against the CA, not by comparing the cert directly.

upvoted 1 times

...

Jay_2pt0_1

7 months, 3 weeks ago

Selected Answer: AE

A. use ACM to generate cert E. See https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

upvoted 2 times

...

didek1986

8 months, 2 weeks ago

Selected Answer: AE

C is incorrect because the trust store should contain the root CA certificate, not the client certificate. Root CA certificate is used to validate the client certificates (can be many) presented by the clients. If the client certificate itself is in the trust store, it would mean that only that specific client is trusted, which is not practical in a scenario where there are multiple clients (read it as company's internal teams).

upvoted 4 times

...

WhyIronMan

9 months ago

Selected Answer: AC

A and C. Details are everything in an Investigation... What API Gateway needs is the Client Certificate generated by option A and not the CA

upvoted 1 times

...

DanShone

9 months, 2 weeks ago

Selected Answer: AE

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html After reading the above documentation I would determine A & E

upvoted 4 times

...

Nano803

9 months, 2 weeks ago

Selected Answer: AC

Check this article, https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html. You need to upload the truststore to an Amazon S3 bucket in a single file

upvoted 1 times

...

Ramdi1

10 months, 2 weeks ago

Selected Answer: AE

After reading this I would suggest A & E

upvoted 3 times

...

thanhnv142

10 months, 2 weeks ago

Selected Answer: AC

A and C is correct: A: we prefer AWS service more than a public one, which is B B: The reason is explained in option a C: Upload the provisioned to S3 bucket. D: should not upload private key to anywhere. E: This option has no connection to option A.

upvoted 1 times

...

Spavanko

10 months, 3 weeks ago

Selected Answer: BE

Details can be found here: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

upvoted 2 times

...

a54b16f

11 months, 3 weeks ago

Selected Answer: AE

you need to use ROOT CA , or whatever the certificated being used to sign other certificate in truststore,

upvoted 3 times

...

kabary

12 months ago

Selected Answer: AC

You shall NEVER upload private cert or key to an S3 bucket. This is a bad practise and hence C. I also choose A because you need private cert between the internal teams and the API.

upvoted 2 times

matanasov

11 months, 3 weeks ago

Option C and Option D involve uploading the client certificate or its private key to an S3 bucket and configuring the API Gateway to use them as the trust store. This is not a recommended practice as it exposes sensitive information to potential security risks. The trust store for mutual TLS should typically involve the CA certificate or a certificate chain that verifies the client certificates, not the client certificates or private keys themselves.

upvoted 2 times

...

PrasannaBalaji

12 months ago

Selected Answer: AE

A and E

upvoted 3 times

...