AWS Certified Solutions Architect – Associate (SAA-C03) — Question 541
A company is creating a REST API. The company has strict requirements for the use of TLS. The company requires TLSv1.3 on the API endpoints. The company also requires a specific public third-party certificate authority (CA) to sign the TLS certificate.
Which solution will meet these requirements?
Answer options
- A. Use a local machine to create a certificate that is signed by the third-party CA. Import the certificate into AWS Certificate Manager (ACM). Create an HTTP API in Amazon API Gateway with a custom domain. Configure the custom domain to use the certificate.
- B. Create a certificate in AWS Certificate Manager (ACM) that is signed by the third-party CA. Create an HTTP API in Amazon API Gateway with a custom domain. Configure the custom domain to use the certificate.
- C. Use AWS Certificate Manager (ACM) to create a certificate that is signed by the third-party CA. Import the certificate into AWS Certificate Manager (ACM). Create an AWS Lambda function with a Lambda function URL. Configure the Lambda function URL to use the certificate.
- D. Create a certificate in AWS Certificate Manager (ACM) that is signed by the third-party CA. Create an AWS Lambda function with a Lambda function URL. Configure the Lambda function URL to use the certificate.
Correct answer: A
Explanation
AWS Certificate Manager (ACM) cannot request a certificate from an arbitrary public third-party CA; a certificate that must be signed by a specific external CA has to be issued outside AWS (key and CSR generated locally, signed by the CA) and then imported into ACM. That rules out options B and D, which assume ACM can obtain the third-party signature itself, and makes option C internally inconsistent. Once imported, the certificate can be attached to a custom domain on an Amazon API Gateway HTTP API, and HTTP API custom domains support TLSv1.3, so option A satisfies both requirements. AWS Lambda function URLs (options C and D) use an AWS-managed endpoint and do not support custom domains or customer-supplied TLS certificates on their own; a custom certificate would require a fronting service such as Amazon CloudFront or API Gateway.
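The procedure behind option A, as an added example that is not part of the original question or any AWS documentation: a local key/CSR for the third-party CA, the ACM import, the HTTP API custom domain, and a check of the protocol a client actually negotiates. `REGION`, `DOMAIN`, `API_ID` and the files `api.crt`, `api.key`, `ca-chain.pem` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumed placeholders:
REGION="${REGION:-us-east-1}"           # must match the HTTP API's region
DOMAIN="${DOMAIN:-api.example.com}"     # constructed example hostname
API_ID="${API_ID:-PLACEHOLDER_API_ID}"  # id of an existing HTTP API

# Step 1: generate the private key and CSR locally. The CSR is sent to the
# third-party CA, which returns api.crt and ca-chain.pem; the key never
# leaves the machine until the ACM import in step 2.
make_csr() {  # usage: make_csr api.example.com
  openssl req -new -newkey rsa:2048 -nodes -keyout api.key -out api.csr \
    -subj "/CN=$1"
}

# Step 2: import the CA-signed certificate, its unencrypted private key and
# the CA chain into ACM. Prints the certificate ARN.
import_cert() {
  aws acm import-certificate --region "$REGION" \
    --certificate fileb://api.crt --private-key fileb://api.key \
    --certificate-chain fileb://ca-chain.pem \
    --query CertificateArn --output text
}

# Step 3: build the custom-domain configuration. SecurityPolicy sets the
# minimum protocol version; TLS_1_2 is the strictest value the API accepts,
# and the page states HTTP API custom domains support TLSv1.3 above it.
domain_config() {  # usage: domain_config <certificate-arn>
  printf 'CertificateArn=%s,EndpointType=REGIONAL,SecurityPolicy=TLS_1_2' "$1"
}
create_domain() {  # usage: create_domain <certificate-arn>
  aws apigatewayv2 create-domain-name --region "$REGION" \
    --domain-name "$DOMAIN" --domain-name-configurations "$(domain_config "$1")"
  aws apigatewayv2 create-api-mapping --region "$REGION" \
    --domain-name "$DOMAIN" --api-id "$API_ID" --stage '$default'
}

# Step 4: verify the negotiated version. negotiated_tls reads `openssl
# s_client` output on stdin and prints the value of its "Protocol" line.
negotiated_tls() {
  sed -n 's/^ *Protocol *: *//p' | head -n 1
}
check_endpoint() {  # usage: check_endpoint api.example.com  -> e.g. TLSv1.3
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | negotiated_tls
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then   # opt-in: calls AWS and the CA-signed files
  make_csr "$DOMAIN" && ARN="$(import_cert)" && create_domain "$ARN" \
    && check_endpoint "$DOMAIN"
fi
```

Run with `RUN_DEPLOY=1` only after the CA has returned `api.crt` and `ca-chain.pem`; the DNS record for `DOMAIN` must point at the regional domain name that `create-domain-name` returns before `check_endpoint` will succeed.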