Which combination of changes will meet this requirement with the LEAST operational overhead?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company is deploying a new API to AWS. The API uses Amazon API Gateway with a Regional API endpoint and an AWS Lambda function for hosting. The API retrieves data from an external vendor API, stores data in an Amazon DynamoDB global table, and retrieves data from the DynamoDB global table The API key for the vendor’s API is stored in AWS Secrets Manager and is encrypted with a customer managed key in AWS Key Management Service (AWS KMS). The company has deployed its own API into a single AWS Region.A solutions architect needs to change the API components of the company’s API to ensure that the components can run across multiple Regions in an active-active configuration.

Which combination of changes will meet this requirement with the LEAST operational overhead?

(Choose three.)

Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.

Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.

Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region’s replicated secret, select the appropriate KMS key.

Create a new AWS managed KMS key in each in-scope Region. Convert an existing key to a multiRegion key. Use the multi-Region key in other Regions.

Create a new Secrets Manager secret in each in-scope Region. Copy the secret value from the existing Region to the new secret in each in-scope Region.

Modify the deployment process for the Lambda function to repeat the deployment across in-scope Regions. Turn on the multi-Region option for the existing API. Select the Lambda function that is deployed in each Region as the backend for the multi-Region API.

Explanations:

Deploying the API to multiple Regions and configuring Amazon Route 53 with a custom domain and a multivalue answer routing policy allows for routing traffic to multiple API endpoints effectively. This ensures high availability and active-active configuration across Regions with minimal operational overhead.

Creating a new KMS multi-Region customer managed key and replicating it in each in-scope Region ensures that the API key in Secrets Manager remains accessible and encrypted consistently across Regions, supporting the active-active setup with low management overhead.

Replicating the existing Secrets Manager secret to other Regions ensures that the API can access the vendor API key in each Region. This, along with the appropriate KMS key for encryption, supports the active-active configuration while simplifying management of secrets across Regions.

Creating new AWS managed KMS keys in each Region does not meet the requirement for a consistent multi-Region setup. While converting an existing key to a multi-Region key could work, it adds complexity as it does not simplify the operational overhead and does not ensure consistent management across Regions.

Creating a new Secrets Manager secret in each Region and manually copying the secret value increases operational overhead. This approach does not automate secret management and can lead to potential inconsistencies across Regions.

While modifying the Lambda deployment process to repeat across Regions is necessary, the option to turn on the multi-Region for the existing API does not exist. Each Regional API should be set up individually, and this option is misleading in terms of the management of Lambda functions across Regions.

Leave a Reply

Your email address will not be published. Required fields are marked *

12 − 9 =