AWS Certified Security – Specialty — Question 334
A company is testing a new version of its application. The company is using a public Amazon API Gateway API to expose the application. Currently, the company wants to allow only testers from its network to access the new application.
Which solutions can the company use to meet these requirements? (Choose two.)
Answer options
- A. Create and configure a security group that allows access from the company’s IP address range. Apply the security group to the API Gateway API.
- B. Create and configure a network ACL that allows traffic from the company’s IP address range. Apply the network ACL to the API Gateway API subnet.
- C. Create an AWS WAF web ACL. Configure an IP match rule that allows traffic from the company’s IP address range. Apply the web ACL to the API Gateway API.
- D. Use a condition in the API Gateway resource policy to allow access only from the company’s IP address range.
- E. Create an interface VPC endpoint for the API Gateway execute-api. Instruct testers to use this endpoint.
Correct answer: C, D
Explanation
AWS WAF web ACLs can be associated with an API Gateway REST API stage (the web ACL must use the REGIONAL scope and be created in the same Region as the API). An IP set containing the company's CIDR blocks, referenced by an allow rule, with the web ACL's default action set to Block, admits only traffic from those ranges. API Gateway REST API resource policies also support the aws:SourceIp condition key, so a Deny statement with a NotIpAddress condition (the pattern AWS documents for IP allow-listing) restricts callers to specific CIDR ranges; note that a resource policy change on an existing API only takes effect after the API is deployed again. Security groups and network ACLs apply to ENIs and subnets inside a VPC, and a public API Gateway endpoint has neither, so options A and B cannot be implemented. An execute-api interface VPC endpoint (option E) gives clients inside a VPC a private path to API Gateway; it does nothing to stop other internet clients from calling a public API, so it does not meet the requirement.
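The following script is an added example for options C and D, not part of the original question or of any AWS documentation: it renders the resource policy with the Allow plus explicit Deny/NotIpAddress pattern, attaches it with the AWS CLI and redeploys the stage, and associates an existing regional web ACL with the same stage. The Region, account ID, API ID, stage name, web ACL ARN and CIDR blocks (RFC 5737 documentation ranges) are constructed placeholders, and the script assumes the aws CLI and jq are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original question): restrict a public
# API Gateway REST API to the company's IP ranges.
# All Region / account / API / CIDR values used below are constructed
# placeholders, not real identifiers.
set -euo pipefail

# build_policy REGION ACCOUNT_ID API_ID CIDR [CIDR...]
# Prints the resource policy JSON: allow everyone, then explicitly deny
# any caller whose source address is outside the listed ranges. An
# explicit Deny always overrides the Allow, so only listed CIDRs get in.
build_policy() {
  local region="$1" account="$2" api_id="$3"
  shift 3
  [ "$#" -ge 1 ] || { echo "build_policy: at least one CIDR is required" >&2; return 1; }
  # Resource ARN covers every stage, method and path of the API.
  local arn="arn:aws:execute-api:${region}:${account}:${api_id}/*/*/*"
  # Render the CIDR list as a JSON array of quoted strings.
  local cidrs="" c
  for c in "$@"; do
    cidrs="${cidrs:+${cidrs}, }\"${c}\""
  done
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "${arn}"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "${arn}",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": [${cidrs}] }
      }
    }
  ]
}
EOF
}

# apply_policy REGION ACCOUNT_ID API_ID STAGE CIDR [CIDR...]
# Attaches the policy and redeploys the stage: a resource policy change
# on an existing REST API does not take effect until the API is deployed
# again. Requires AWS credentials and jq (used to JSON-encode the policy
# string inside the patch operation).
apply_policy() {
  local region="$1" account="$2" api_id="$3" stage="$4"
  shift 4
  local policy
  policy="$(build_policy "$region" "$account" "$api_id" "$@")"
  aws apigateway update-rest-api --region "$region" --rest-api-id "$api_id" \
    --patch-operations "$(jq -cn --arg p "$policy" '[{op:"replace",path:"/policy",value:$p}]')"
  aws apigateway create-deployment --region "$region" --rest-api-id "$api_id" \
    --stage-name "$stage"
}

# attach_web_acl REGION API_ID STAGE WEB_ACL_ARN
# Associates an existing AWS WAF web ACL (scope REGIONAL, same Region as
# the API) with the stage. The web ACL itself is assumed to already hold
# an IP-set allow rule with the company CIDRs and a default action of Block.
attach_web_acl() {
  local region="$1" api_id="$2" stage="$3" web_acl_arn="$4"
  aws wafv2 associate-web-acl --region "$region" \
    --web-acl-arn "$web_acl_arn" \
    --resource-arn "arn:aws:apigateway:${region}::/restapis/${api_id}/stages/${stage}"
}

# Usage with constructed placeholder values (needs AWS credentials):
# apply_policy us-east-1 123456789012 a1b2c3d4e5 test 203.0.113.0/24 198.51.100.0/24
# attach_web_acl us-east-1 a1b2c3d4e5 test \
#   arn:aws:wafv2:us-east-1:123456789012:regional/webacl/testers-only/00000000-0000-0000-0000-000000000000
```

Run build_policy on its own first to review the generated document; the Deny statement is what actually enforces the restriction, because a lone Allow with an IpAddress condition still leaves the implicit behaviour of a public API for callers outside the range unless you also deny them explicitly.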