AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 332

A company has deployed a new REST API by using Amazon API Gateway. The company uses the API to access confidential data. The API must be accessed from only specific VPCs in the company.

Which solution will meet these requirements?

Answer options

• A. Create and attach a resource policy to the API Gateway API. Configure the resource policy to allow only the specific VPC IDs.
• B. Add a security group to the API Gateway API. Configure the inbound rules to allow only the specific VPC IP address ranges.
• C. Create and attach an IAM role to the API Gateway API. Configure the IAM role to allow only the specific VPC IDs.
• D. Add an ACL to the API Gateway API. Configure the outbound rules to allow only the specific VPC IP address ranges.

Correct answer: A

Explanation

Amazon API Gateway resource policies are JSON policy documents that can be attached to an API to control access from specific AWS accounts, IP address ranges, or VPC endpoints/VPCs. By using a resource policy with a condition restricting access to specific VPC IDs, you can secure the private REST API as required. Security groups and network ACLs cannot be directly attached to an API Gateway REST API, and IAM roles do not natively filter incoming traffic based on source VPC IDs in this manner.