A company is creating a REST API and requires TLSv1.3 on the API endpoints and a specific public third-party certificate authority (CA) to sign the TLS certificate. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Use a local machine to create a certificate that is signed by the third-party CA. Import the certificate into AWS Certificate Manager (ACM). Create an HTTP API in Amazon API Gateway with a custom domain. Configure the custom domain to use the certificate..
Why this is the answer
The correct solution involves generating the certificate outside of AWS using the specified third-party CA and then importing it into AWS Certificate Manager (ACM). ACM can only issue publicly trusted certificates from its integrated CAs or private certificates via AWS Private CA. Since a specific public third-party CA is required, the certificate must be created externally and imported. Amazon API Gateway HTTP APIs, when configured with a custom domain, can use imported ACM certificates and support TLSv1.3.
Incorrect options:
Creating a certificate in ACM signed by a third-party CA is not directly possible for public certificates; ACM issues them from its own integrated CAs.
Lambda Function URLs do not support custom domains or custom TLS certificates directly. They use AWS-managed certificates and domains.