AWS Certified Solutions Architect – Professional (SAP-C02) — Question 310

A company is deploying a new API to AWS. The API uses Amazon API Gateway with a Regional API endpoint and an AWS Lambda function for hosting. The API retrieves data from an external vendor API, stores data in an Amazon DynamoDB global table, and retrieves data from the DynamoDB global table The API key for the vendor's API is stored in AWS Secrets Manager and is encrypted with a customer managed key in AWS Key Management Service (AWS KMS). The company has deployed its own API into a single AWS Region.

A solutions architect needs to change the API components of the company’s API to ensure that the components can run across multiple Regions in an active-active configuration.

Which combination of changes will meet this requirement with the LEAST operational overhead? (Choose three.)

Answer options

• A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.
• B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.
• C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region's replicated secret, select the appropriate KMS key.
• D. Create a new AWS managed KMS key in each in-scope Region. Convert an existing key to a multiRegion key. Use the multi-Region key in other Regions.
• E. Create a new Secrets Manager secret in each in-scope Region. Copy the secret value from the existing Region to the new secret in each in-scope Region.
• F. Modify the deployment process for the Lambda function to repeat the deployment across in-scope Regions. Turn on the multi-Region option for the existing API. Select the Lambda function that is deployed in each Region as the backend for the multi-Region API.

Correct answer: A, B, C

Explanation

To achieve an active-active multi-Region setup with minimal overhead, Route 53 multivalue routing can distribute traffic across regional API Gateway endpoints (Option A). Because Secrets Manager secrets can be replicated natively across regions using a KMS multi-Region key to decrypt them in each target region, creating a new multi-Region KMS key and replicating the secret is the most efficient approach (Options B and C). Other options are either unsupported, like converting an existing single-Region KMS key to a multi-Region key, or introduce unnecessary manual management.