Correct Answer - C and D.
Option A is incorrect as AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud.
Option B is incorrect as AWS Security Center is a central location from which you can receive security updates and where you can report any security concerns.
Option C is correct as Resource Policies for API Gateway allow you to deny or permit specific IP addresses from which API Gateway can be accessed.
Option D is correct because you can use AWS WAF for your Amazon API Gateway APIs to protect them from attacks such as SQL injection and Cross-Site Scripting (XSS).
Additionally, you can use the rules to filter web requests based on IP address, geographic area, request size, and/or string or regular expression patterns.
Please refer to the link below.
https://aws.amazon.com/about-aws/whats-new/2018/10/amazon-api-gateway-adds-support-for-aws-waf/
The correct options for denying specific IP addresses from accessing API Gateway are C. Resource Policies and D. AWS WAF.
C. Resource Policies: Resource policies can be used to restrict access to API Gateway APIs based on IP addresses or IP address ranges. Resource policies are JSON policy documents that can be attached to the API Gateway methods, resources, and stages. You can use IP-based condition operators such as aws:SourceIp and aws:SourceIpV4 to specify the IP addresses that are allowed or denied access to the API.
D. AWS WAF: AWS WAF (Web Application Firewall) is a web application firewall service that can be used to protect web applications from common web exploits. You can use AWS WAF to block IP addresses or IP address ranges that are known to be malicious or suspicious. AWS WAF can be integrated with API Gateway using an AWS Lambda function. The Lambda function can inspect incoming requests and decide whether to allow or block the requests based on the configured WAF rules.
A. AWS KMS: AWS KMS (Key Management Service) is a managed service that can be used to create and manage encryption keys. AWS KMS is not related to denying specific IP addresses from accessing API Gateway.
B. AWS Security Center: AWS Security Center is a security service that provides a centralized view of security alerts and compliance status across an AWS account. AWS Security Center is not related to denying specific IP addresses from accessing API Gateway.
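To make the Resource Policies option (C) concrete, the following added example (not part of the original answer explanation) builds a deny-list resource policy using the aws:SourceIp condition key and checks locally which source addresses its Deny statement would match. The function names and the blocked addresses are constructed for illustration; the addresses come from the reserved documentation ranges.

```python
import ipaddress
import json

# Constructed sample input: documentation-range addresses, not real offenders.
BLOCKED = ["192.0.2.0/24", "198.51.100.7"]


def build_deny_policy(blocked_cidrs, resource="execute-api:/*/*/*"):
    """Build an API Gateway resource policy: allow invoke, except from blocked CIDRs."""
    # Validate and normalise every entry so a typo fails here, not at deploy time.
    cidrs = [str(ipaddress.ip_network(c, strict=False)) for c in blocked_cidrs]
    if not cidrs:
        raise ValueError("at least one CIDR is required")
    base = {"Principal": "*", "Action": "execute-api:Invoke", "Resource": resource}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", **base},
            # An explicit Deny overrides the Allow above for matching source IPs.
            {"Effect": "Deny", **base,
             "Condition": {"IpAddress": {"aws:SourceIp": cidrs}}},
        ],
    }


def is_denied(policy, source_ip):
    """Local sanity check: does any Deny statement's IpAddress condition match?"""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):  # the condition value may be a single string
            cidrs = [cidrs]
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_policy(BLOCKED)
    print(json.dumps(policy, indent=2))  # paste into the API's resource policy
    for addr in ("192.0.2.55", "198.51.100.7", "203.0.113.1"):
        print(addr, "denied" if is_denied(policy, addr) else "allowed")
```

After attaching or changing a resource policy, the API has to be redeployed for the change to take effect.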