This option correctly maps each security requirement to the most appropriate AWS service and its intended target. AWS WAF integrates directly with Amazon API Gateway to protect against common web exploits and DoS attacks (Layer 7). Amazon Inspector is designed to assess workloads like EC2 instances for software vulnerabilities and unintended network exposure, making it the correct choice for the legacy API host. Amazon GuardDuty is a threat detection service that continuously monitors the AWS account for malicious activity by analyzing data sources like VPC Flow Logs and AWS CloudTrail logs. This provides a comprehensive, layered security posture by applying the correct service to each part of the architecture.

A. This is incorrect because AWS WAF cannot be directly attached to a standalone EC2 instance. It requires an Application Load Balancer or Amazon CloudFront, which represents an unstated architectural change.

B. This is incorrect because Amazon Inspector is not used to analyze API Gateway directly, and Amazon GuardDuty is a detection and alerting service, not a blocking service.

D. This is incorrect because Amazon Inspector assesses vulnerabilities rather than providing active "protection" (blocking). Additionally, Amazon GuardDuty does not natively block malicious attempts.

---

1. AWS WAF with API Gateway: AWS Documentation states

"You can use AWS WAF to protect your Amazon API Gateway APIs from common web exploits

such as SQL injection and cross-site scripting (XSS) attacks."

Source: Amazon API Gateway Developer Guide

"Controlling access to an API with AWS WAF".

2. Amazon Inspector for EC2: The Amazon Inspector User Guide specifies its function: "Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure... Amazon Inspector scans Amazon EC2 instances..."

Source: Amazon Inspector User Guide

"What is Amazon Inspector?"

Introduction section.

3. Amazon GuardDuty Function: The official documentation describes GuardDuty as a monitoring and detection service: "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation." It does not block traffic itself.

Source: Amazon GuardDuty User Guide

"What is Amazon GuardDuty?"

Introduction section.

4. AWS WAF Protected Resources: The AWS WAF Developer Guide lists the resources it can protect

which include Application Load Balancer and API Gateway

but not EC2 instances directly. This supports why option A is flawed.

Source: AWS WAF Developer Guide

"How AWS WAF works"

section on "AWS resources that you can protect with AWS WAF".