AWS Certified Solutions Architect – Associate (SAA-C03) — Question 965
A company is developing an application in the AWS Cloud. The application's HTTP API contains critical information that is published in Amazon API Gateway. The critical information must be accessible from only a limited set of trusted IP addresses that belong to the company's internal network.
Which solution will meet these requirements?
Answer options
- A. Set up an API Gateway private integration to restrict access to a predefined set of IP addresses.
- B. Create a resource policy for the API that denies access to any IP address that is not specifically allowed.
- C. Directly deploy the API in a private subnet. Create a network ACL. Set up rules to allow the traffic from specific IP addresses.
- D. Modify the security group that is attached to API Gateway to allow inbound traffic from only the trusted IP addresses.
Correct answer: B
Explanation
An Amazon API Gateway resource policy allows you to restrict access by defining allow or deny conditions based on source IP addresses. You cannot attach security groups directly to a public API Gateway endpoint, nor can you deploy an API Gateway directly into a private subnet with a network ACL. Private integrations are designed to route traffic from API Gateway to private VPC resources, not to filter incoming client IP addresses.
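The policy shape that answer B describes, shown here as an added example rather than text from the original question or from AWS documentation: one statement allows invoking the API, and a second explicitly denies any request whose source IP is outside the trusted ranges. It assumes a REST API (the API Gateway type that supports resource policies), and the region, account ID, API ID and CIDR blocks are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.10/32"
          ]
        }
      }
    }
  ]
}
```

The explicit Deny is what enforces the restriction even if a later Allow is added elsewhere; on an existing REST API the updated policy only takes effect after the API is deployed again to its stage.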