AWS Certified Solutions Architect – Professional — Question 768

A company is deploying a new API to AWS. The API uses Amazon API Gateway with a Regional API endpoint and an AWS Lambda function for hosting. The API retrieves data from an external vendor API, stores data in an Amazon DynamoDB global table, and retrieves data from the DynamoDB global table. The API key for the vendor's API is stored in AWS Secrets Manager and is encrypted with a customer managed key in AWS Key Management Service (AWS KMS). The company has deployed its own API into a single AWS Region.

A solutions architect needs to change the API components of the company's API to ensure that the components can run across multiple Regions in an active-active configuration.

Which combination of changes will meet this requirement with the LEAST operational overhead? (Choose three.)

Answer options

• A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.
• B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.
• C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region's replicated secret, select the appropriate KMS key.
• D. Create a new AWS managed KMS key in each in-scope Region. Convert an existing key to a multi-Region key. Use the multi-Region key in other Regions.
• E. Create a new Secrets Manager secret in each in-scope Region. Copy the secret value from the existing Region to the new secret in each in-scope Region.
• F. Modify the deployment process for the Lambda function to repeat the deployment across in-scope Regions. Turn on the multi-Region option for the existing API. Select the Lambda function that is deployed in each Region as the backend for the multi-Region API.

Correct answer: B, C, F

Explanation

To achieve a multi-Region active-active setup with the least operational overhead, you must use KMS multi-Region keys (Option B) and utilize AWS Secrets Manager's built-in replication feature to automatically sync secrets across Regions (Option C). Additionally, the Lambda code must be deployed to all target Regions, and the API Gateway must be configured to route to the local Lambda instances (Option F). Manually copying secrets (Option E) increases overhead, existing single-Region KMS keys cannot be converted to multi-Region keys (Option D), and latency-based routing is preferred over multivalue routing for active-active API endpoints (Option A).