AWS Certified Solutions Architect - Associate / Question #1075 of 1019

Question #1075

A company uses Amazon API Gateway in the ca-central-1 Region as an edge-optimized endpoint for its backend services. They have registered their domain with Amazon Route 53 and want to configure the API Gateway to use their domain with HTTPS. Third-party clients need to access the API securely using the company's domain.

Which solution meets these requirements?

A

Create a custom domain name in API Gateway as edge-optimized. Import the certificate into ACM in ca-central-1. Attach the certificate to the domain. Configure Route 53 with an A record pointing to the API Gateway URL.

B

Create Route 53 records pointing to the API Gateway's execute-api URL. Import the certificate into ACM in us-east-1 and attach it to the API's methods.

C

Import the certificate into ACM in us-east-1. Create a custom domain name in API Gateway as edge-optimized, attaching the certificate. Create a Route 53 alias record pointing to the API Gateway's domain.

D

Create a Regional API Gateway endpoint, import the certificate into the same region, attach it to the APIs, and configure Route 53 with a CNAME to the API's URL.

Explanation

Answer C is correct because:
1. An edge-optimized API Gateway endpoint uses CloudFront, which requires certificates from AWS Certificate Manager (ACM) in the us-east-1 Region.
2. Importing the certificate into ACM in us-east-1 ensures compatibility with the edge-optimized endpoint.
3. Creating a Route 53 alias record pointing to the API Gateway's domain (e.g., d-xxxx.cloudfront.net) enables DNS resolution for the custom domain.

Other options are incorrect because:
- A: Uses ACM in ca-central-1, which is invalid for edge-optimized endpoints.
- B: Incorrectly attaches the certificate to API methods instead of the custom domain and uses the execute-api URL instead of an alias.
- D: Switches to a Regional endpoint, conflicting with the edge-optimized requirement.

Key Points:
- Edge-optimized APIs require ACM certificates in us-east-1.
- Route 53 alias records must point to the API Gateway's custom domain, not the execute-api URL.

Answer

The correct answer is: C