AWS Certified Solutions Architect – Professional (SAP-C02) — Question 479
A company hosts its primary API on AWS by using an Amazon API Gateway API and AWS Lambda functions that contain the logic for the API methods. The company’s internal applications use the API for core functionality and business logic. The company’s customers use the API to access data from their accounts. Several customers also have access to a legacy API that is running on a single standalone Amazon EC2 instance.
The company wants to increase the security for these APIs to better prevent denial of service (DoS) attacks, check for vulnerabilities, and guard against common exploits.
What should a solutions architect do to meet these requirements?
Answer options
- A. Use AWS WAF to protect both APIs. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
- B. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze both APIs. Configure Amazon GuardDuty to block malicious attempts to access the APIs.
- C. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
- D. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the legacy API. Configure Amazon GuardDuty to block malicious attempts to access the APIs.
Correct answer: C
Explanation
AWS WAF can be associated directly with an Amazon API Gateway API to protect the primary API from common web exploits and DoS-style request floods. AWS WAF attaches to supported resources such as API Gateway, Application Load Balancers and CloudFront distributions, not to a bare EC2 instance, so it cannot protect the legacy API as described, which rules out option A. Amazon Inspector is the correct tool to analyze the legacy API running on the EC2 instance for software vulnerabilities and unintended network exposure; it assesses the instance rather than protecting it, which rules out option D. Lastly, Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior; it does not block traffic itself (blocking requires a separate response, for example through AWS WAF rules or network ACLs), which rules out options B and D. Option C is therefore the correct architectural choice.