Which combination of steps will meet these requirements?
(Choose two.)
Use AWS Certificate Manager (ACM) to create a private certificate authority (CA). Provision a client certificate that is signed by the private CA.
Provision a client certificate that is signed by a public certificate authority (CA). Import the certificate into AWS Certificate Manager (ACM).
Upload the provisioned client certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the client certificate that is stored in the S3 bucket as the trust store.
Upload the provisioned client certificate private key to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private key that is stored in the S3 bucket as the trust store.
Upload the root private certificate authority (CA) certificate to an Amazon S3 bucket. Configure the API Gateway mutual TLS to use the private CA certificate that is stored in the S3 bucket as the trust store.
Explanations:
Using AWS Certificate Manager (ACM) to create a private certificate authority (CA) allows the company to issue client certificates that are trusted for mutual TLS. The client certificate signed by the private CA can then be used by internal teams to authenticate to the API Gateway.
Provisioning a client certificate signed by a public CA does not meet the requirement for mutual TLS when API Gateway is configured to trust only certificates issued by the private CA. Internal teams would instead need certificates issued by the private CA to establish a trusted connection.
Uploading the client certificate to an S3 bucket and configuring API Gateway to use it as the trust store is incorrect. API Gateway requires the trust store to contain CA certificates, not client (leaf) certificates: it should consist of the root CA certificate and any intermediate CA certificates used to sign the client certificates.
Uploading the private key of the client certificate to S3 is not correct, as API Gateway does not need access to any private key in its trust store configuration. The trust store should contain only public CA certificates used to validate client certificates, never private keys.
Uploading the root private CA certificate to an S3 bucket and configuring API Gateway to use it as the trust store is correct. This lets API Gateway validate client certificates signed by the private CA, which is what enables mutual TLS authentication.
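The correct pair of steps, as an added worked example that is not part of the original question set: the private CA is created locally with openssl (standing in for ACM Private CA) so that building the trust store and checking what belongs in it can be exercised offline; the bucket name, domain name and file paths are constructed placeholders.

```shell
# Added example: private CA, client certificate, and an API Gateway mTLS trust
# store that holds only the CA certificate. Requires openssl; paths are placeholders.

# build_truststore DIR: create the CA and a client certificate under DIR and write
# DIR/truststore.pem containing only the CA certificate.
build_truststore() {
    dir="$1"
    # Explicit CA extensions: the trust anchor must be a CA certificate.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    # Client certificate for an internal team, signed by the private CA.
    openssl req -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=internal-team-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" >/dev/null 2>&1 || return 1
    # Trust store = CA certificate(s) only: no client certificate, no private key.
    cp "$dir/ca.pem" "$dir/truststore.pem"
    # Not run here: publish the trust store and point the API Gateway domain at it.
    #   aws s3 cp "$dir/truststore.pem" s3://example-bucket/truststore.pem
    #   aws apigateway create-domain-name --domain-name api.example.internal \
    #       --mutual-tls-authentication truststoreUri=s3://example-bucket/truststore.pem ...
}

# verify_client TRUSTSTORE CERT: succeeds only if CERT chains to a CA in TRUSTSTORE,
# which is the check API Gateway performs during the mTLS handshake.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# contains_private_key FILE: succeeds if FILE holds a private key; this must never
# be true for the trust store.
contains_private_key() {
    grep -q "PRIVATE KEY" "$1"
}
```

Verifying the client certificate against a trust store that contains the client certificate itself instead of the CA fails, which is the mistake the third option describes.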