Question #747
A company operates a serverless application using AWS Lambda functions deployed within a VPC. The application interacts with a newly developed REST API hosted on Amazon API Gateway. The Lambda functions must access this API without exposing it to the public internet, and all data transmission must remain within the AWS network.
Which solution ensures secure and private communication between the Lambda functions and the API Gateway while meeting the company's requirements?
A. Configure an AWS Site-to-Site VPN connection between the VPC and API Gateway. Generate unique API keys for each Lambda function and enforce API key usage in the API methods.
B. Create an interface VPC endpoint for API Gateway and configure an endpoint policy that restricts access to the specific API. Attach a resource policy to the API Gateway API permitting access only from the VPC endpoint. Set the API Gateway endpoint type to private.
C. Enable IAM authentication for the API Gateway API. Update the IAM role associated with the Lambda functions to include permissions for invoking the API. Migrate the API Gateway API into the same VPC as the Lambda functions.
D. Deploy AWS Global Accelerator and route API Gateway traffic through it. Update the VPC route tables to direct API requests to the Global Accelerator IP addresses. Implement API keys for authentication.
Explanation
Answer B is correct because:
1. Interface VPC Endpoint: An interface endpoint for the execute-api service places an ENI in the VPC, so the Lambda functions reach API Gateway over the AWS network with no internet gateway or NAT in the path.
2. Endpoint Policy: The endpoint policy limits what can be invoked through the endpoint to the execute-api ARN of this one API, so a compromised or misconfigured function cannot use the endpoint to reach other APIs.
3. API Gateway Resource Policy: The resource policy allows execute-api:Invoke only when the request carries the endpoint's ID in the aws:SourceVpce condition key (and explicitly denies everything else), so the API cannot be reached from any other network path.
4. Private Endpoint Type: A private API is only reachable through an interface VPC endpoint for execute-api; it has no public hostname that answers from the internet. Note that a private API requires a resource policy before it can be invoked at all, which is why step 3 is not optional.
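The two policies from answer B, and why the combination works, are easiest to see by writing them out and checking them against a few request shapes. The block below is an added example, not part of the original question or of any AWS material: the region, account ID, API ID and endpoint ID are placeholders, and `evaluate()` is a deliberately small model of IAM's deny-overrides evaluation (with only the StringEquals and StringNotEquals operators) used to check the policy logic offline.

```python
"""Resource and endpoint policies for a private API Gateway API reached only
through an interface VPC endpoint, plus a tiny offline IAM evaluator to check them.

Added example; identifiers below are constructed placeholders, not real resources.
"""
from fnmatch import fnmatch
from typing import Optional

REGION = "us-east-1"                      # placeholder
ACCOUNT_ID = "123456789012"               # placeholder
API_ID = "abcdef1234"                     # placeholder REST API ID
VPCE_ID = "vpce-0123456789abcdef0"        # placeholder interface endpoint ID


def api_arn(region: str, account_id: str, api_id: str) -> str:
    """execute-api ARN covering every stage, method and path of one REST API."""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/*"


def api_resource_policy(region: str, account_id: str, api_id: str, vpce_id: str) -> dict:
    """Resource policy for the private API: invocable only via the named VPC endpoint.

    The explicit Deny on StringNotEquals aws:SourceVpce rejects any request that
    arrives from a different endpoint or with no endpoint at all (public path).
    """
    arn = api_arn(region, account_id, api_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn,
             "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}}},
            {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": arn,
             "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        ],
    }


def vpc_endpoint_policy(region: str, account_id: str, api_id: str) -> dict:
    """Endpoint policy: this endpoint may only be used to invoke the one API."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
             "Resource": api_arn(region, account_id, api_id)},
        ],
    }


def _condition_met(condition: dict, context: dict) -> bool:
    """StringEquals / StringNotEquals only. As in IAM, a context key that is
    absent fails StringEquals and satisfies StringNotEquals."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Deny-overrides: a matching Deny wins, else a matching Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch(action, a) for a in actions):
            continue
        if not any(fnmatch(resource, r) for r in resources):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def decide(request_arn: str, source_vpce: Optional[str]) -> str:
    """Both layers together: a request through an endpoint must pass that endpoint's
    policy, and every request must pass the API's resource policy."""
    ctx = {} if source_vpce is None else {"aws:SourceVpce": source_vpce}
    action = "execute-api:Invoke"
    if source_vpce == VPCE_ID:
        ep = vpc_endpoint_policy(REGION, ACCOUNT_ID, API_ID)
        if evaluate(ep, action, request_arn, ctx) != "Allow":
            return "Deny"
    return evaluate(api_resource_policy(REGION, ACCOUNT_ID, API_ID, VPCE_ID), action, request_arn, ctx)


if __name__ == "__main__":
    target = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:{API_ID}/prod/GET/orders"
    other_api = f"arn:aws:execute-api:{REGION}:{ACCOUNT_ID}:zzzz999999/prod/GET/orders"
    print("from our endpoint:   ", decide(target, VPCE_ID))
    print("from the internet:   ", decide(target, None))
    print("from another VPCE:   ", decide(target, "vpce-0fedcba9876543210"))
    print("other API via VPCE:  ", decide(other_api, VPCE_ID))
```

The endpoint policy and the resource policy guard different things: the first stops the endpoint from being a general door to every API Gateway API in the region, the second stops the API from answering anyone who did not come through that specific endpoint. Note that the Lambda functions must also resolve the API's hostname to the endpoint: either enable private DNS on the interface endpoint, or call the endpoint-specific hostname of the form {api-id}-{vpce-id}.execute-api.{region}.amazonaws.com.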
Why other options are incorrect:
- A: Site-to-Site VPN connects a VPC to an on-premises network (or another VPC), not to a managed AWS service such as API Gateway, so there is nothing to terminate the tunnel on. API keys are usage-plan identifiers sent in a header; they do not authenticate the caller and have no effect on network routing.
- C: API Gateway is a managed service and cannot be moved into a customer VPC; private connectivity comes from an interface endpoint, not from relocating the service. IAM (SigV4) authentication controls who may invoke the API, but a public API would still be reachable over the internet, so the private-network requirement is not met.
- D: Global Accelerator fronts applications with anycast public IP addresses, so traffic to it leaves the VPC and traverses the public internet, violating the requirement. API keys, as in A, are not an authentication or network control.
Key Points:
- Use interface VPC endpoints (AWS PrivateLink) to reach AWS services privately from a VPC.
- The API Gateway 'private' endpoint type makes the API reachable only through an interface endpoint for execute-api, and such an API requires a resource policy before it can be invoked.
- Resource policies (aws:SourceVpce condition) and endpoint policies enforce least privilege from both sides of the connection.
- Clients in the VPC must resolve the API to the endpoint: enable private DNS on the endpoint or use the endpoint-specific hostname {api-id}-{vpce-id}.execute-api.{region}.amazonaws.com.
Answer
The correct answer is: B