🔒 1. Authentication and Authorization
Goal | Method | How |
Control who accesses your API | ✅ Cognito Authorizer | Create a Cognito User Pool, attach it as an Authorizer, and require Authorization: Bearer <JWT> header. |
| ✅ IAM Authentication | Use AWS_IAM as the auth type. Only IAM roles/users with execute-api:Invoke can call it. |
| ✅ Lambda Authorizer (Custom) | Build a Lambda function to validate tokens, API keys, or headers. It returns an IAM policy to allow/deny access. |
🔑 2. API Key + Usage Plans
Goal | Method | How |
Rate limit clients | ✅ Create API Keys | In API Gateway, create API keys and attach to a Usage Plan. |
| ✅ Enforce usage limits | Usage Plan can set max requests per second and daily quota. |
⚠️ Use in combination with authentication – not standalone. |
|
|
🌐 3. Network Protection
Goal | Method | How |
Limit access by IP/VPC | ✅ Resource Policies | Attach a policy to your API to allow only: |
| ✅ Private API Gateway | Create a Private API that can only be accessed via VPC Endpoint (Interface Endpoint). |
Example Policy: |
|
|
json
CopyEdit
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:*:*:api-id/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": ["203.0.113.0/24"]
}
}
}
🛡️ 4. WAF Protection
Goal | Method | How |
Block malicious traffic | ✅ Attach AWS WAF | Add AWS WAF Web ACL to your API Gateway Stage. |
Rules you can add: |
|
|
Rate-based (e.g. > 1000 reqs in 5 mins)
SQL Injection / XSS match
Geo restriction
IP blacklist
📈 5. Logging and Monitoring
Goal | Method | How |
Track usage & anomalies | ✅ Enable CloudWatch Logs | Enable Access logging per Stage. Use $context.identity.sourceIp, $context.requestId, etc. |
| ✅ Enable Metrics | Automatically tracks 4XX, 5XX, latency, etc. |
| ✅ Set Alarms | Use CloudWatch Alarms for high 5XX errors or spike in traffic. |
🔐 6. TLS + Custom Domains
Goal | Method | How |
Secure in-transit data | ✅ Use HTTPS Only | Force TLS by disabling HTTP stage access. |
| ✅ Use ACM Certificate | Add custom domain (e.g., api.yourapp.com) and bind TLS cert from ACM. |
| ✅ Enable Mutual TLS (mTLS) | Upload CA cert to API Gateway; only clients with valid certs can access. |
✅ Recommended Setup (Layered Security Model)
Layer | Recommendation |
Auth | Use Cognito Authorizer or Lambda Authorizer |
Network | Restrict via Resource Policy or Private API |
Rate Limits | Use API Keys with Usage Plans |
WAF | Add WAF Web ACL with rules |
Transport | Use HTTPS with TLS, enable mTLS if needed |
Observability | Enable Access Logs + CloudWatch Metrics |
No comments:
Post a Comment