Attach an API Gateway resource policy that allows only the listed CIDR blocks and denies all other source IPs is the correct choice because it enforces an IP allow list at the API level and requires minimal operational work to maintain.

Attach an API Gateway resource policy that allows only the listed CIDR blocks and denies all other source IPs uses the standard resource policy condition keys such as IpAddress and NotIpAddress so you can explicitly allow the four corporate CIDR blocks and deny all other source IPs on the API invoke action. This approach does not introduce extra infrastructure to manage and it directly prevents calls to the execute api endpoint from disallowed addresses.

Deploy the API Gateway API as Regional in a public subnet and associate a security group that allows only the approved CIDR ranges is not possible because API Gateway is a managed endpoint and it does not run inside your VPC so you cannot place it in a subnet or attach a security group.

Put Amazon CloudFront in front of the API and restrict access by creating an IP allow list at the edge adds operational complexity and it does not by itself stop clients from calling the underlying execute api endpoint unless you also lock down the API with a resource policy or use a private API type.

Modify the security group attached to the API Gateway API to allow only the corporate IP ranges is invalid because there is no security group that you can attach to a public API Gateway endpoint so you cannot enforce IP restrictions that way.

Full AWS Practitioner Certification Question