ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company exposes a REST endpoint through Amazon API Gateway that invokes an AWS Lambda function. Each business partner receives its own client application and may send up to 10 000 requests per day. Security engineers also want to block replay attacks if a request is intercepted in transit. The Lambda code itself must remain unchanged, and the solution should require minimal development effort. Which approach meets both requirements?
Attach an IAM resource policy listing the partners' AWS account IDs and rotate the policy monthly to invalidate any compromised credentials.
Associate each partner's API key with an API Gateway usage plan that enforces a 10 000-request daily quota, and require AWS_IAM authorization so partners must sign every request with AWS Signature Version 4 using temporary credentials from an assumed IAM role.
Configure an AWS WAF rate-based rule to cap traffic at 10 000 requests per day while continuing to use a shared static API key for all partners.
Secure the method with Amazon Cognito OAuth 2.0 access tokens that expire quickly, and rely on default API Gateway throttling for rate limiting.
An API Gateway usage plan can enforce a per-API-key quota of 10 000 requests per day for each partner, satisfying the contract. By configuring the same method to use AWS_IAM authorization, partners must sign every call with AWS Signature Version 4 using temporary credentials obtained by assuming a dedicated IAM role. SigV4 includes the request's timestamp and a unique nonce in the signature; API Gateway (and underlying AWS services) reject any request whose timestamp is more than 5 minutes out of sync or whose signature has already been used, preventing replay attacks. Because quota enforcement and signature validation occur inside API Gateway, no modifications are needed in the backend Lambda function. The other options either lack per-partner quotas, fail to prevent replay of captured requests, or depend on additional custom code instead of native controls.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is API Gateway's usage plan and how does it enforce quotas?
Open an interactive chat with Bash
How does AWS Signature Version 4 prevent replay attacks?
Open an interactive chat with Bash
What is the role of IAM authorization in securing APIs?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Access Controls
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .