AWS Certified Security – Specialty — Question 457
A company uses Amazon API Gateway to present REST APIs to users. An API developer wants to analyze API access patterns without the need to parse the log files.
Which combination of steps will meet these requirements with the LEAST effort? (Choose two.)
Answer options
- A. Configure access logging for the required API stage.
- B. Configure an AWS CloudTrail trail destination for API Gateway events. Configure filters on the userIdentity, userAgent, and sourceIPAddress fields.
- C. Configure an Amazon S3 destination for API Gateway logs. Run Amazon Athena queries to analyze API access information.
- D. Use Amazon CloudWatch Logs Insights to analyze API access information.
- E. Select the Enable Detailed CloudWatch Metrics option on the required API stage.
Correct answer: A, D
Explanation
Enabling access logging on the API stage sends detailed access logs directly to Amazon CloudWatch Logs. Amazon CloudWatch Logs Insights then lets the developer query and analyze these logs with its built-in query language, so there is no need to parse files manually or to set up more complex external pipelines such as Athena or CloudTrail. The Enable Detailed CloudWatch Metrics option provides performance metrics, but not the raw access logs required for detailed pattern analysis.