How can the solutions architect design the API Gateway access control and perform request inspections?
For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Enable the API caller to sign requests with AWS Signature when accessing the endpoint. Use AWS X-Ray to trace and analyze user requests to API Gateway.
For the API Gateway resource, set CORS to enabled and only return the company’s domain in Access-Control-Allow-Origin headers. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
Create an AWS Lambda function as the custom authorizer, ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the IAM system. Use AWS X-Ray to trace and analyze user requests to API Gateway.
Create a client certificate for API Gateway. Distribute the certificate to the AWS users and roles that need to access the endpoint. Enable the API caller to pass the client certificate when accessing the endpoint. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
Explanations:
Setting authorization to AWS_IAM restricts access to authenticated users or roles with appropriate permissions (execute-api). AWS Signature verification secures requests, and AWS X-Ray provides end-to-end tracing for latency analysis.
Enabling CORS with restricted Access-Control-Allow-Origin only limits frontend access but doesn’t authenticate AWS users. Amazon CloudWatch lacks full request tracing capabilities like AWS X-Ray for detailed request inspections and latency analysis.
Custom authorizers in API Gateway are not designed for authenticating AWS IAM keys and secrets; AWS_IAM authorization is more appropriate. AWS X-Ray is compatible but unnecessary complexity is introduced here without IAM authorization.
Client certificates authenticate only the client and don’t provide role-based access control within AWS. CloudWatch provides basic monitoring, but AWS X-Ray offers deeper request-level insights and end-to-end latency analysis.
I assess that the answer is:
For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Enable the API caller to sign requests with AWS Signature when accessing the endpoint. Use AWS X-Ray to trace and analyze user requests to API Gateway.