Pearson SAA-C03 New Attempt

API Gatewayresource policiesare the native way to control who can invoke a REST API, including allowing access from specified AWS accounts. AWS documentation says resource policies can be attached to an API to control whether specified principals can invoke it, and it explicitly lists users from a specified AWS account as a supported use case. Private APIs are callable through interface VPC endpoints, but the primary authorization control for which external accounts may invoke the API is the API’s resource policy. Endpoint policies can add controls on the VPC endpoint side, but the clean cross-account access control for the API itself is the resource policy.

============

Amazon Route 53 is a highly available and scalable authoritative DNS service. To move a public domain, you create a public hosted zone, import or recreate the zone records, and then update the registrar to use the Route 53 name servers assigned to the zone. Route 53 is globally distributed and designed for rapid propagation and resilience, and supports features such as health checks and routing policies. A private hosted zone (Option B) is resolvable only by VPCs that are associated with it and is not for public internet DNS. Directory Service and zone transfers (Option C) are unrelated to Route 53 public DNS hosting. Route 53 Resolver inbound endpoints (Option D) provide hybrid DNS forwarding for VPC workloads, not authoritative public hosting. Therefore, the fastest AWS-native migration path to a resilient managed DNS is to create a Route 53 public hosted zone and import the existing zone file.

The best answer isAPI Gateway + SQS + DLQ + Lambdabecause it combines API ingestion with durable queuing and asynchronous processing. AWS guidance for event-driven serverless architectures specifically recommends usingAmazon SQSto decouple components and durably persist messages when downstream processing is slower or bursty. AWS also documents thatdead-letter queueshelp isolate messages that fail processing, which supports the requirement to avoid losing requests. API Gateway can integrate with AWS services, including SQS, to accept requests from mobile and web clients. The ALB options do not provide the same durable buffering, and the SNS option is less appropriate because the key requirement is loose coupling with durable request preservation. Therefore,Bis the strongest design. (AWS Documentation)

When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type " external " or " imported " ), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.

You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.

AWS Documentation Extract:

" To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy. "

(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)

Other options:

A: You cannot create a new KMS key with the same key ID as an existing one.

B: Deleting and recreating the key disrupts application access because the key ID changes.

D: Automatic rotation is only available for AWS-managed keys, not for imported key material.