
Exam AWS Certified Security - Specialty topic 1 question 417 discussion


A company has two VPCs in the us-east-1 Region: vpc-1 and vpc-2. The company recently created an Amazon API Gateway REST API with the endpoint type set to PRIVATE. The company also created a VPC endpoint for the REST API in vpc-1. Resources in vpc-1 can access the REST API successfully.

The company now wants to give resources in vpc-2 the ability to access the REST API. The company creates a VPC endpoint for the REST API in vpc-2, but the resources in vpc-2 cannot access the REST API.

A security engineer must make the REST API accessible to resources in vpc-2 by creating a solution that provides the minimum access that is necessary.

Which solution will meet these requirements?

  • A. Set up VPC peering between vpc-1 and vpc-2. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
  • B. Set up a VPC endpoint of vpc-2 in vpc-1. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
  • C. Set the API endpoint type to REGIONAL. Attach a resource policy to the REST API to allow access from vpc-2.
  • D. Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.
Suggested Answer: D
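As an added illustration of option D (this is not part of the exam question or of the discussion below), here is the resource policy a private REST API would carry once the vpc-2 endpoint is admitted, together with a small evaluator that mimics the IAM decision logic (explicit Deny wins, otherwise an Allow is needed, otherwise implicit Deny) for the aws:SourceVpce condition key. The two endpoint IDs are constructed placeholders, not values from the question, and the evaluator is a teaching model, not the AWS policy engine.

```python
"""Resource policy for a PRIVATE API Gateway REST API that admits two VPC
endpoints, plus a minimal evaluator showing how the Deny/Allow pair behaves.

Added example; endpoint IDs are constructed placeholders."""
import json

# Constructed identifiers: one interface VPC endpoint (execute-api) per VPC.
VPCE_VPC1 = "vpce-0a1b2c3d4e5f60001"   # existing endpoint in vpc-1
VPCE_VPC2 = "vpce-0a1b2c3d4e5f60002"   # newly created endpoint in vpc-2


def build_private_api_policy(allowed_vpce_ids):
    """Return the resource policy that restricts execute-api:Invoke to the
    listed VPC endpoints. The explicit Deny with StringNotEquals is what makes
    the policy "minimum access": any caller whose aws:SourceVpce is not in the
    list is denied, including callers that carry no aws:SourceVpce at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": list(allowed_vpce_ids)}
                },
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": ["execute-api:/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the subset of IAM condition operators used above.
    Condition keys are case-insensitive. As in IAM, StringEquals on a missing
    key is false, while the negated StringNotEquals on a missing key is true."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            allowed = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in allowed:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate_invoke(policy, context):
    """Return 'Allow' or 'Deny' for an execute-api:Invoke request.
    An explicit Deny wins over any Allow; no matching Allow is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if "execute-api:Invoke" not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_private_api_policy([VPCE_VPC1, VPCE_VPC2])
    print(json.dumps(policy, indent=2))
    for ctx in ({"aws:SourceVpce": VPCE_VPC1},
                {"aws:SourceVpce": VPCE_VPC2},
                {"aws:SourceVpce": "vpce-0000000000deadbeef"},
                {}):
        print(ctx, "->", evaluate_invoke(policy, ctx))
```

Two practical caveats. A resource policy change only reaches a deployed stage after the API is redeployed. And the policy governs authorization, not name resolution: if the vpc-2 endpoint has private DNS enabled and callers should use the default execute-api hostname, the endpoint also has to be associated with the private API (the `update-rest-api` patch operation on `/endpointConfiguration/vpcEndpointIds` that the AWS documentation linked in the comments shows); otherwise callers in vpc-2 invoke the API through the endpoint-specific hostname. No peering between the VPCs is required, since each VPC reaches the API through its own interface endpoint.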

Comments

D2
Highly Voted 2 years, 5 months ago
Selected Answer: C
For cross VPC, we use REGIONAL endpoints. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
upvoted 7 times
cherry23
Most Recent 1 year, 10 months ago
Selected Answer: D
D will work
upvoted 1 times
Noexperience
1 year, 10 months ago
https://repost.aws/knowledge-center/api-gateway-resource-policy-access D is the answer.
upvoted 4 times
6_8ftwin
1 year, 11 months ago
D https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#associate-private-api-with-vpc-endpoint Look at the CLI command. Multiple VPC endpoints are associated with the private REST API.
upvoted 4 times
sudipta0007
1 year, 11 months ago
D is correct. https://repost.aws/knowledge-center/api-gateway-private-cross-account-vpce
upvoted 3 times
Cyp
2 years, 1 month ago
Selected Answer: D
D for minimum access
upvoted 2 times
peddyua
2 years, 1 month ago
Selected Answer: D
It should remain private so traffic does not leave the VPC; all you need is to configure VPC peering: Update the endpoint policy of the VPC endpoint for the REST API in vpc-1 to include the route tables associated with vpc-2. This will allow traffic from vpc-2 to flow through the VPC endpoint in vpc-1 to reach the REST API. Create a VPC peering connection between vpc-1 and vpc-2. This will allow traffic from vpc-2 to be routed to vpc-1. Update the route tables associated with the resources in vpc-2 to route traffic destined for the REST API to the VPC peering connection with vpc-1.
upvoted 4 times
c73bf38
2 years, 1 month ago
Selected Answer: D
Needs to be private; regional makes it public.
upvoted 4 times
c73bf38
2 years, 1 month ago
Regional API endpoints: A regional API endpoint is intended for clients in the same region. When a client running on an EC2 instance calls an API in the same region, or when an API is intended to serve a small number of clients with high demands, a regional API reduces connection overhead.

Private API endpoints: A private API endpoint is an API endpoint that can only be accessed from your Amazon Virtual Private Cloud (VPC) using an interface VPC endpoint, which is an endpoint network interface (ENI) that you create in your VPC. For more information, see Creating a private API in Amazon API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
upvoted 3 times
awsguru1998
2 years, 1 month ago
A, D would work only if there is peering
upvoted 1 times
gtmnagalla
2 years, 2 months ago
Selected Answer: D
Option D "provides the minimum access that is necessary" when compared to option C.
upvoted 4 times
PatrickLi
2 years, 2 months ago
Selected Answer: D
Answer is D. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example C is NOT correct as it exposes the API to the public internet. It is the worst answer here. A or B expose the 2 VPC resources with each other but still not to the public.
upvoted 2 times
swrp4595
2 years, 2 months ago
Selected Answer: D
Option C is incorrect because the endpoint type of the REST API is set to PRIVATE, which means that the API is only accessible from within the same VPC as the endpoint. If the endpoint type is set to REGIONAL, the API can be accessed from any VPC in the same region, but this would not provide the minimum access that is necessary. The correct solution is to keep the endpoint type as PRIVATE and attach a resource policy to the REST API to allow access from vpc-2, as stated in option D.
upvoted 3 times
kerar
2 years, 5 months ago
Selected Answer: C
A regional API endpoint is intended for clients in the same region. https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-endpoint-types.html
upvoted 4 times
AdamWest
2 years, 5 months ago
Selected Answer: C
C - You can use resource policies for all API endpoint types in API Gateway: private, edge-optimized, and Regional. Regional API endpoint will typically lower the latency of connections and is recommended for such scenarios. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
