AWS Certified Solutions Architect – Professional — Question 975

A company hosts its primary API on AWS by using an Amazon API Gateway API and AWS Lambda functions that contain the logic for the API methods. The company's internal applications use the API for core functionality and business logic. The company's customers use the API to access data from their accounts.
Several customers also have access to a legacy API that is running on a single standalone Amazon EC2 instance.
The company wants to increase the security for these APIs to better prevent denial of service (DoS) attacks, check for vulnerabilities, and guard against common exploits.
What should a solutions architect do to meet these requirements?

Answer options

• A. Use AWS WAF to protect both APIs. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
• B. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze both APIs. Configure Amazon GuardDuty to block malicious attempts to access the APIs.
• C. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
• D. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the legacy API. Configure Amazon GuardDuty to block malicious attempts to access the APIs.

Correct answer: C

Explanation

AWS WAF can be associated directly with Amazon API Gateway to protect the primary API from web exploits, but it cannot be directly attached to a standalone EC2 instance without an Application Load Balancer or CloudFront. Amazon Inspector is the correct service to analyze the EC2 instance hosting the legacy API for software vulnerabilities and security deviations. Lastly, Amazon GuardDuty is a threat detection service that monitors for malicious activity and generates findings, but it does not natively block traffic on its own.