Question 35
Domain 3: Continuous Improvement for Existing Solutions
A company hosts its primary API on AWS using Amazon API Gateway and AWS Lambda functions. Internal applications and external customers use this API. Some customers also use a legacy API hosted on a standalone EC2 instance. The company wants to increase security across all APIs to prevent denial of service (DoS) attacks, check for vulnerabilities, and guard against common exploits. What should a solutions architect do to meet these requirements?
Correct answer: C
Explanation
AWS WAF is designed to “protect web applications from common web exploits” and can help mitigate DoS-style traffic against API Gateway. Amazon Inspector “analyze[s]” EC2-hosted workloads for vulnerabilities, while Amazon GuardDuty “monitor[s] for malicious attempts” and suspicious API activity across AWS accounts.
Why each option is right or wrong
A. Use AWS WAF to protect both APIs. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
Amazon Inspector analyzes EC2 workloads, not API Gateway or Lambda APIs.
B. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze both APIs. Configure Amazon GuardDuty to block malicious attempts.
Amazon Inspector does not analyze API Gateway or Lambda; GuardDuty monitors rather than blocks.
C. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
AWS WAF is the service that can be attached to Amazon API Gateway to filter and rate-limit HTTP requests, which is the relevant control for mitigating common web exploits and volumetric request floods against the public API. Amazon Inspector is the correct vulnerability-analysis service for the legacy workload on EC2 because it assesses EC2 instances and their software packages for known vulnerabilities, while Amazon GuardDuty continuously monitors AWS activity and API calls for malicious or suspicious behavior across the environment.
D. Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the legacy API. Configure Amazon GuardDuty to block malicious attempts.
Amazon Inspector analyzes vulnerabilities; it does not provide active protection for the legacy API.