Exam AWS Certified Solutions Architect - Professional topic 1 question 752 discussion

D. - "A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys." https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

A - wrong. You can use WAF to protect your api gateway directly without cloudfront B - wrong. You can use WAF to protect your api gateway directly without cloudfront c - wrong. You can use api gateway resource policis to allow users from specified aws account, from specified IP ranges or CIDR blocks or from specified VPCs or VPC endpoints. request limit is not part of resource policies. d - correct. API gateway usage plans can limit the API access and be sure that the usage does not exceed thrsholds we define.

A(wrong): OAI is used only for S3. B(wrong): This is not possible to define a WAF web ACL rule to block clients that submit more than five requests per day, because " A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span...... The following caveats apply to AWS WAF rate-based rules: The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior five minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them. " https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

CDN is also a way to prevent DDoS, this question focus to "500 unique IP addresses worldwide" so 500 IPs come from multiple Region in the world, so if you use Cloudfront, you will distribute DDoS Attack traffic to nearest PoPs and apply Rate Limiting on this PoPs. ----> Answer is B

D is the answer

Why Not B ? Adding Cloud front provides AWS Shield service which is a free DDoS protection.https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Read both docs and choose your option. I am going with D https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html

D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.

It's D

DDD ---

D is the answer

I'll go with D

+1 to D, seems like usage plans support the referenced rate limits where resource policies don't.

My vote - D AB - Ignored as Cloudfront not required as its regional based resource. It is gonna add costs. Also WAF can directly sit on top of APIGW C - Incorrect as resource policies are used to restrict access and not to provide limit. Request limit is done with usage plan.

I think is C, resource policy allows control the IP source: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html

I think it is C.