For requests received by Amazon API Gateway, who is responsible for implementing security settings such as authentication (API key validation, IAM authentication, etc.) and rate limiting (DDoS protection)?


Explanation

Under the shared responsibility model, determine who is responsible for security settings on a managed service (API Gateway).

  • API Gateway: a managed service operated by AWS (provides the endpoints and routing)
  • Security settings: the authentication methods, rate limits, and validation rules that the customer explicitly configures
A: Incorrect

AWS is responsible.

AWS is responsible for the underlying infrastructure, availability, and durability of the API Gateway managed service (security OF the cloud).

However, which authentication method or rate limit to configure depends on the customer's application requirements. The configuration itself is the customer's responsibility, so this is incorrect.

B: Incorrect

Shared controls

Shared controls are areas where both parties act at different layers, such as patch management: AWS patches the hosts and service software, while the customer patches the guest operating systems and applications it manages.

The content of API Gateway security settings is entirely determined and implemented by the customer, so it is not shared. This is incorrect.

C: Incorrect

The service is secure by default, so no additional configuration by the customer is required.

API Gateway does not enable authentication or application-level rate limiting when an API is created: a new method's authorization type is NONE and no API key is required. The service does apply an account-level default throttle (shared by every API in that account and Region) and benefits from AWS's infrastructure-level DDoS mitigation, but those protect the service, not an individual application or client.

Customers must explicitly configure the authentication method and the per-stage or per-usage-plan throttling their application requires. The assumption that no configuration is needed is incorrect.

D: Correct

The customer is responsible.

Correct. Although API Gateway is a managed service, which authentication method (API key with a usage plan, IAM, a Cognito user pool authorizer, a Lambda authorizer, etc.) and which rate limits to apply are decided and implemented by the customer based on the application's requirements. This falls within the customer's configuration scope (security IN the cloud). AWS secures and operates the underlying infrastructure and keeps the service available; it does not choose these settings for you.
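The practical consequence of options C and D is that someone has to verify the settings were actually made. The following is an added example, not part of this question set and not AWS code: a small audit that walks a REST API's methods and stage and reports what is still at the unconfigured default. The input dictionaries are assumed to mirror the JSON returned by `aws apigateway get-resources --embed methods` and `aws apigateway get-stage`; the sample documents, resource IDs and stage name are constructed for the example.

```python
"""Audit an API Gateway REST API for the settings that are the customer's job.

Added example, not AWS code. Input shapes are assumed to mirror
`aws apigateway get-resources --embed methods` and `aws apigateway get-stage`
output; SAMPLE_RESOURCES and the stage documents below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Methods that commonly run unauthenticated on purpose (CORS preflight).
PREFLIGHT_METHODS = {"OPTIONS"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH", "MEDIUM" or "INFO"
    location: str   # e.g. "POST /orders" or "stage:prod"
    message: str


def audit_methods(resources: dict) -> list[Finding]:
    """Flag methods with no authorizer; API-key-only methods get a lower severity."""
    findings: list[Finding] = []
    for item in resources.get("items", []):
        path = item.get("path", "/")
        for verb, method in item.get("resourceMethods", {}).items():
            auth = method.get("authorizationType", "NONE")   # NONE is the creation default
            key_required = method.get("apiKeyRequired", False)
            loc = f"{verb} {path}"
            if auth == "NONE" and not key_required:
                sev = "INFO" if verb in PREFLIGHT_METHODS else "HIGH"
                findings.append(Finding(sev, loc, "no authorizer and no API key required"))
            elif auth == "NONE" and key_required:
                # An API key identifies a client for usage plans; it is not authentication.
                findings.append(Finding("MEDIUM", loc,
                                        "API key is the only gate; keys meter clients, they do not authenticate"))
    return findings


def audit_stage(stage: dict) -> list[Finding]:
    """Flag a stage that relies only on the shared account-level default throttle."""
    findings: list[Finding] = []
    name = stage.get("stageName", "?")
    default = stage.get("methodSettings", {}).get("*/*", {})   # stage-wide settings key
    if not default.get("throttlingRateLimit") or not default.get("throttlingBurstLimit"):
        findings.append(Finding("MEDIUM", f"stage:{name}",
                                "no stage-level throttle; only the shared account default applies"))
    return findings


def audit(resources: dict, stage: dict) -> list[Finding]:
    """Combine method-level and stage-level findings."""
    return audit_methods(resources) + audit_stage(stage)


# Constructed sample: a fresh API where only POST /orders was hardened.
SAMPLE_RESOURCES = {
    "items": [
        {"id": "a1b2c3", "path": "/",
         "resourceMethods": {"GET": {"httpMethod": "GET", "authorizationType": "NONE",
                                     "apiKeyRequired": False}}},
        {"id": "d4e5f6", "path": "/orders", "parentId": "a1b2c3", "pathPart": "orders",
         "resourceMethods": {
             "POST": {"httpMethod": "POST", "authorizationType": "AWS_IAM", "apiKeyRequired": True},
             "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE", "apiKeyRequired": False},
         }},
        {"id": "g7h8i9", "path": "/reports", "parentId": "a1b2c3", "pathPart": "reports",
         "resourceMethods": {"GET": {"httpMethod": "GET", "authorizationType": "NONE",
                                     "apiKeyRequired": True}}},
    ]
}
UNTHROTTLED_STAGE = {"stageName": "prod", "methodSettings": {}}
THROTTLED_STAGE = {"stageName": "prod",
                   "methodSettings": {"*/*": {"throttlingRateLimit": 100.0,
                                              "throttlingBurstLimit": 50}}}

if __name__ == "__main__":
    for f in audit(SAMPLE_RESOURCES, UNTHROTTLED_STAGE):
        print(f"[{f.severity}] {f.location}: {f.message}")
```

Run against the constructed sample, the audit reports the unauthenticated `GET /`, the preflight `OPTIONS /orders` at INFO, the key-only `GET /reports`, and the unthrottled stage; swapping in `THROTTLED_STAGE` clears the stage finding. The point of the API-key check is the one exam candidates most often miss: an API key attaches a client to a usage plan for throttling and quotas, it is not a credential, so a method that requires only a key still has no authorizer.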

Key Takeaway

Even for managed services, 'configuration' is the customer's responsibility. AWS guarantees the infrastructure and availability, but what to configure and how (authentication, encryption, access control) is decided by the customer. This principle is a frequent exam topic.