You implement an API in AWS API Gateway. The API integrates with a Lambda Function which returns the query results from an RDS database. For security purposes, you want the API to allow traffic only from a VPC endpoint since it should be used internally. The VPC endpoint ID is vpc-11bb22cc. What is the best method to implement this?

Answer options:

A.Implement the below policy in the API Gateway Resource Policy:
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Principal": "vpce-11bb22cc",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ] 
}
 ]
}
B.Implement the below policy in the API Gateway Resource Policy:
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ]
},
{ "Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ],
"Condition" : {
"StringNotEquals": { "aws:SourceVpce": "vpce-11bb22cc" }
}
}
 ]
}
C.Implement the below policy in the API Gateway Resource Policy:
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ],
"Condition" : {
 "StringEquals": { "aws:SourceVpce": "vpce-11bb22cc" }
}
}
 ]
}
D.Implement the below policy in the API Gateway Resource Policy:
{ "Version": "2012-10-17",
"Statement": [
{ "Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ]
},
{ "Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": [ "arn:aws:execute-api:region:account-id:api-id/*" ],
"Condition" : {
"StringEquals": { "aws:SourceVpce": "vpce-11bb22cc" }
}
}
]
}
 

Correct Answer – B
Amazon API Gateway resource policies are used to control whether a specified principal can invoke the API.
Option A is incorrect: Because vpce-11bb22cc can not be used as a Principal. The field of Principal should be “*”.
Option B is CORRECT: Because it allows all Principals to use the API and then denies the actions if the SourceVpce is not vpce-11bb22cc. This policy guarantees that only the traffic from vpce-11bb22cc can access the API.
Option C is incorrect: Because explicit deny is better than explicit allow as it has a clear boundary. Other entities may still be able to access this API if there are explicit allows in their IAM policies. 
Option D is incorrect: Because the explicit deny takes priorities. So the first part of the policy denies all the traffic, including the requests from the endpoint of vpce-11bb22cc.
References:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html.