I have an application built around AWS:
a lambda function
an API gateway calling the lambda, must be called with an API key
an S3 bucket as static website, that calls the API gateway
How can I secure the calls to the API gateway so that it cannot be called from anywhere but my S3 bucket ?
Some solutions have already come in my mind like:
proxy : helps hiding the API key, but anyone accessing the proxy can call the API, right ?
IP whitelisting : I can't know the IP range the bucket is using, so I can't do that
Thanks
Related
How can I protect an API request sent from a static site hosted on a CDN?
Use case:
A single page application using react is hosted on S3 + Cloudfront. The site calls the Yahoo Finance API to request some market data. The third-party API uses an API key to authenticate the requests. I can only store the third party API key in the static site making it available for anyone.
Considerations:
The static site and the API are not in the same cloud provider or service, so a solution using roles wouldn't work.
A Lambda (Function) proxy solution is my best choice at the moment IMO but this would still allow a request to be sent directly to the Lambda (Function).
The request to the function should also be secure, making the above option still vulnerable. This means that getting the URL to the Proxy Function from the source code and calling the Function is not acceptable either.
Looked around at some other questions posted but I haven't found one that addresses the particular circumstances stated here.
I have hosted a S3 static site into CloudFront. That site using rest api deployed into api gateway. API gateway has not access control.
I want to protect my api from being accessed by others. Only my static site can access it. I know I can use api key but that could expose by browser console which is not expected.
Is there other way to control my api access?
Thanks in advance
I have a similar issue as well. It seems like using referer or CORS restrictions are the best way to go. However, in practice I haven't been able to make it work after trying both CORS and referer restrictions. API Gateway has automatic protection against malicious behavior like DDOS attacks according to their FAQs, but it is disheartening that I haven't found a specific solution for protecting my API gateway that is only used for my S3/Cloudfront static site.
Google Cloud allows you to use their API keys on the frontend for integrations with services like Google Maps. The way they protect those keys is through restricting the API keys to certain domains. Unfortunately, I haven't found similar functionality for AWS keys. As you know, the only way to throttle or put quotas on API gateway is through API keys, so it looks like this would be useless for a static site that can't expose those API keys publicly on the frontend.
It defeats the whole purpose of going completely serverless if I am unable to configure my serverless API Gateway the same way I could congfigure a normal backend EC2 server. For now, I've created billing alarms so I don't get surprised with a huge AWS bill if something goes wrong with my unprotected API gateway.
I have successfully set up multiple API Gateways on AWS and they work perfectly with client API Keys.
Is it possible to make a specific endpoint in an API publicly available, but all other endpoints protected with the client API key required?
Simply set the apiKeyRequired field to false on whichever Methods you want to open to the public.
This is in the Method Request page in the console. Here is an example using the AWS CLI:
aws apigateway update-method --rest-api-id 1234123412 --resource-id a1b2c3 --http-method GET --patch-operations op="replace",path="/apiKeyRequired",value="false"
Please note that if you remove the requirement for an API Key, any rate limit or quota you have set up on a Usage Plan will not be applied.
You can use AWS CloudFront to forward the request to API Gateway for the public endpoint and define the Client API Key in CloudFront headers forwarded to the Origin.
Note: When including API Gateway as a origin to CloudFront you need to do the following.
Whitelist header (Except Host Header)
Make HTTPS only
Make TTL values 0
I have a Lambda function exposed as an API via API Gateway. How can I make sure that the Lambda function is called only by the API Gateway and it cannot be called by any other means i.e. bypassing the API gateway. In my scenario the API gateway and the Lambda function are sitting in the default system managed VPC. The Lambda function is configured to internally accesses the resources from some of the private subnets of my VPC.
How do I make sure that the Lambda function cannot be called by bypassing the API gateway. Please help...
Abhijit
You need to only allow API Gateway to Invoke the Lambda. This can be done via IAM permissions. This link has info about configuring IAM for API Gateway to invoke your Lambda. Only allow this permission and nothing else will be able to invoke the Lambda.
http://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-lambda.html
I have built a gateway (using aws api gateway) in front of my rest api. I want to monitor the usage of resources on that api using the api-keys generated by api gateway. By 'usage' I mean which resources were requested and served to clients associated with an api key. Amazon claims that cloudtrail can be used to track gateway requests but the x-api-key header does not show up in cloudtrail logs. Has amazon provided an idiomatic way of doing this? Has anyone implemented this functionality in a custom manner? It seems reasonable that this functionality should be built in, however I cannot find how to do this anywhere.