AWS Certified Security – Specialty — Question 364
A company has two VPCs in the us-east-1 Region: vpc-1 and vpc-2. The company recently created an Amazon API Gateway REST API with the endpoint type set to PRIVATE. The company also created a VPC endpoint for the REST API in vpc-1. Resources in vpc-1 can access the REST API successfully.
The company now wants to give resources in vpc-2 the ability to access the REST API. The company creates a VPC endpoint for the REST API in vpc-2, but the resources in vpc-2 cannot access the REST API.
A security engineer must make the REST API accessible to resources in vpc-2 by creating a solution that provides the minimum access that is necessary.
Which solution will meet these requirements?
Answer options
- A. Set up VPC peering between vpc-1 and vpc-2. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
- B. Set up a VPC endpoint of vpc-2 in vpc-1. Attach an identity-based policy to the resources in vpc-2 to grant access to the REST API.
- C. Set the API endpoint type to REGIONAL. Attach a resource policy to the REST API to allow access from vpc-2.
- D. Keep the API endpoint type as PRIVATE. Attach a resource policy to the REST API to allow access from vpc-2.
Correct answer: D
Explanation
A PRIVATE REST API is reachable only through an interface VPC endpoint for execute-api, and it additionally requires a resource policy that explicitly allows the calling source; a request that the resource policy does not allow is rejected even when it arrives through a valid endpoint. That is why creating the endpoint in vpc-2 was not enough on its own: the API's existing policy admits vpc-1 (or its endpoint) and nothing else. Keeping the endpoint type PRIVATE and extending the resource policy to vpc-2, either by VPC ID with an aws:SourceVpc condition or by the new endpoint's ID with an aws:SourceVpce condition, grants exactly the additional access that is needed and nothing more. The policy change only takes effect after the API is redeployed to its stage. Option C would publish the API on a public regional endpoint, far broader than required. Options A and B leave the resource policy untouched, so the API would still reject vpc-2's requests; an identity-based policy on the callers cannot substitute for the API's resource policy, VPC peering opens a full network path between the two VPCs rather than access to one API, and a VPC endpoint "of vpc-2 in vpc-1" is not a construct that exists.
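The following is an added example, not part of the original question or of any AWS documentation: it builds the documented deny-unless-from-listed-endpoint resource policy for the private API and runs a simplified model of IAM evaluation over it, so you can see that a request arriving through vpc-2's endpoint is denied while only vpc-1's endpoint is listed and allowed once the second endpoint is added. The API ARN and both VPC endpoint IDs are placeholders; the evaluator handles only the StringEquals and StringNotEquals operators on aws:SourceVpce that this policy uses.

```python
"""Least-privilege resource policy for a PRIVATE API Gateway REST API.

Added example. The identifiers below are constructed placeholders, not values
from the question or from any real account.
"""
from __future__ import annotations

import json

# Constructed placeholders (assumptions for the example).
API_ARN = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5"
VPCE_VPC1 = "vpce-0123456789abcdef0"   # endpoint in vpc-1 (already working)
VPCE_VPC2 = "vpce-0fedcba9876543210"   # endpoint in vpc-2 (newly created)


def private_api_policy(api_arn: str, allowed_vpce_ids: list[str]) -> dict:
    """Return the deny-unless-from-listed-endpoint pattern.

    Allow execute-api:Invoke in general, but explicitly deny any request whose
    aws:SourceVpce is not one of the listed interface endpoints.  An explicit
    Deny always wins in IAM evaluation, so only the listed endpoints get in.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": [f"{api_arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": allowed_vpce_ids}
                },
            },
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": [f"{api_arn}/*"],
            },
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate only StringEquals / StringNotEquals (simplified IAM model).

    A missing context key makes StringEquals false and StringNotEquals true,
    matching IAM's behaviour for these operators.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def invoke_allowed(policy: dict, ctx: dict) -> bool:
    """Simplified IAM decision: explicit Deny > Allow > implicit deny."""
    decision = False
    for stmt in policy["Statement"]:
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def vpc2_access_before_and_after() -> tuple[bool, bool]:
    """Decision for a request via vpc-2's endpoint before and after the fix."""
    before = private_api_policy(API_ARN, [VPCE_VPC1])
    after = private_api_policy(API_ARN, [VPCE_VPC1, VPCE_VPC2])
    ctx = {"aws:SourceVpce": VPCE_VPC2}
    return invoke_allowed(before, ctx), invoke_allowed(after, ctx)


if __name__ == "__main__":
    print(json.dumps(private_api_policy(API_ARN, [VPCE_VPC1, VPCE_VPC2]), indent=2))
    print(vpc2_access_before_and_after())  # (False, True)
```

The printed document is what you would set as the API's policy, for example with `aws apigateway update-rest-api --rest-api-id <id> --patch-operations op=replace,path=/policy,value=<json-escaped policy>`, followed by `aws apigateway create-deployment --rest-api-id <id> --stage-name <stage>` so the new policy is applied to the deployed stage. Listing endpoint IDs with aws:SourceVpce is tighter than listing VPC IDs with aws:SourceVpc, because it names the exact network paths that may reach the API rather than every endpoint in those VPCs.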