Question #1232
A company is developing a REST API using Amazon API Gateway. The company needs to protect the API against common application-layer attacks, such as SQL injection and cross-site scripting. The company has limited operational staff and wants to minimize its responsibility for managing, updating, and securing backend infrastructure in its AWS environment. What should a solutions architect recommend to meet these requirements?
A. Configure AWS WAF rules and associate them with the API Gateway.
B. Deploy the API using Amazon S3 with static content hosting.
C. Enable AWS Shield Advanced and protect the API Gateway as a resource.
D. Create a new API Gateway that routes traffic through an Amazon EC2 instance running a third-party WAF, which forwards requests to the original API Gateway.
Explanation
Answer A is correct because AWS WAF (Web Application Firewall) is designed to protect web applications from common exploits such as SQL injection and cross-site scripting (XSS). By configuring AWS WAF rules and associating them with the API Gateway, the company can secure its REST API without managing backend infrastructure, because AWS WAF is a managed service and AWS handles its updates and maintenance.
Option B (S3 static hosting) is incorrect because S3 serves static content, is unsuitable for a dynamic REST API, and does not itself protect against application-layer attacks. Option C (AWS Shield Advanced) focuses on DDoS protection, not application-layer threats such as SQLi and XSS. Option D (EC2 with a third-party WAF) adds infrastructure the company must manage, patch, and secure, which contradicts the requirement to minimize operational responsibility. Key takeaway: AWS WAF is the managed service for application-layer security with API Gateway.
Answer
The correct answer is: A