
Answer-first summary for fast verification
Answer: Set up API Gateway with an Amazon CloudFront distribution. Configure AWS WAF in CloudFront.
## Explanation

**Correct Answer: D**

**Why Option D is correct:**

1. **AWS WAF (Web Application Firewall)** is specifically designed to protect web applications and APIs from common web exploits like SQL injection and cross-site scripting (XSS) attacks.
2. **CloudFront integration** with API Gateway provides an additional layer of protection and allows you to apply AWS WAF at the edge location, which is operationally efficient.
3. **Operational efficiency** is achieved because:
   - AWS WAF rules can be easily configured and managed
   - CloudFront provides caching and DDoS protection
   - The solution protects at the edge before requests reach API Gateway
   - AWS WAF has pre-configured rules for SQL injection and XSS attacks

**Why other options are incorrect:**

**A. Configure AWS Shield:**

- AWS Shield is primarily for DDoS protection, not for SQL injection or XSS attacks
- It doesn't provide the specific web application firewall capabilities needed

**B. Configure AWS WAF:**

- While AWS WAF can protect against SQL injection and XSS, it's more operationally efficient to deploy it with CloudFront
- Deploying WAF directly on API Gateway without CloudFront is possible but less efficient

**C. Set up API Gateway with CloudFront + AWS Shield:**

- AWS Shield doesn't protect against SQL injection or XSS attacks
- This solution adds DDoS protection but not the specific web application security needed

**Key AWS Services:**

- **AWS WAF:** Protects web applications from common web exploits
- **CloudFront:** Content delivery network that can integrate with AWS WAF at edge locations
- **API Gateway:** Managed service for creating, publishing, maintaining, monitoring, and securing APIs

**Best Practice:** For protecting APIs from web exploits, the most operationally efficient approach is to use CloudFront as a front-end with AWS WAF enabled, which provides edge security and caching benefits.
Author: LeetQuiz Editorial Team
A company uses Amazon API Gateway to manage its REST APIs that third-party service providers access. The company must protect the REST APIs from SQL injection and cross-site scripting attacks.
What is the MOST operationally efficient solution that meets these requirements?
A. Configure AWS Shield.

B. Configure AWS WAF.

C. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS Shield in CloudFront.

D. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS WAF in CloudFront.