I have successfully set up multiple API Gateways on AWS and they work perfectly with client API Keys.
Is it possible to make a specific endpoint in an API publicly available, but all other endpoints protected with the client API key required?
Simply set the apiKeyRequired field to false on whichever Methods you want to open to the public.
This is in the Method Request page in the console. Here is an example using the AWS CLI:
aws apigateway update-method --rest-api-id 1234123412 --resource-id a1b2c3 --http-method GET --patch-operations op="replace",path="/apiKeyRequired",value="false"
Please note that if you remove the requirement for an API Key, any rate limit or quota you have set up on a Usage Plan will not be applied.
You can use AWS CloudFront to forward the request to API Gateway for the public endpoint and define the Client API Key in CloudFront headers forwarded to the Origin.
Note: When including API Gateway as a origin to CloudFront you need to do the following.
Whitelist header (Except Host Header)
Make HTTPS only
Make TTL values 0
Related
I have an application built around AWS:
a lambda function
an API gateway calling the lambda, must be called with an API key
an S3 bucket as static website, that calls the API gateway
How can I secure the calls to the API gateway so that it cannot be called from anywhere but my S3 bucket ?
Some solutions have already come in my mind like:
proxy : helps hiding the API key, but anyone accessing the proxy can call the API, right ?
IP whitelisting : I can't know the IP range the bucket is using, so I can't do that
Thanks
My intention is to create an HTTP API on Amazon API Gateway that writes a file to S3 using the PutObject action via the S3 API (without calling Lambda in between). This is the PutObject request syntax: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html#API_PutObject_RequestSyntax
I'm not sure if this is technically possible and I'm getting a 403 Forbidden: ForbiddenException response in Postman.
So far I have:
Created the S3 bucket (with CORS configured)
Created the HTTP API in API Gateway (with CORS configured), with a 'putObject' POST action
Configured an integration on the HTTP API to https://[s3-bucket-name].s3.us-east-1.amazonaws.com
Create a Postman request to the HTTP API 'invoke URL', with 'Host' and 'x-apigw-api-id' set on the headers
The ForbiddenException obviously indicates a permission issue, either on the HTTP API or the S3 API behind it. I did configure a Cloudwatch Log Group on the HTTP API, which is showing no entries, so it seems that it's an HTTP API access issue.
I also suspect that I need to add Parameter Mappings to the HTTP API to pass in all of the necessary headers to the S3 putObject action.
My questions are:
Is this type of HTTP API integration direct to S3 possible?
What is the likely cause of the 403 Forbidden response from the service?
Would I use 'Append' Parameter Mappings in the HTTP API integration configuration to add the standard S3 API parameters (and avoid exposing them to the client)?
I managed to solve this myself. Answers to my own questions:
Is this type of HTTP API integration direct to S3 possible?
Yes. On my HTTP API I used an HTTP PUT integration that points to the S3 service endpoint (including the bucket name in the endpoint is incorrect).
What is the likely cause of the 403 Forbidden response from the service?
I didn't get the request working from Postman, however, when I made the request from the browser it worked. I had to create a Blob in Javascript before sending it as a request via navigator.beacon() to the HTTP API endpoint URL.
Would I use 'Append' Parameter Mappings in the HTTP API integration configuration to add the standard S3 API parameters (and avoid exposing them to the client)?
I did have to use Parameter Mappings to get the S3 PutObject request to work from API Gateway. My configuration is shown below.
Screenshot of Parameter Mapping configuration in my HTTP API
Edit: I have discovered a problem here with this approach: the HTTP API doesn't allow certain security-related headers to be added on the Parameter Mappings. I was trying to set header.x-amz-acl: 'bucket-owner-full-control' but I got the error message below:
Invalid mapping expression specified: Validation Result: warnings : [], errors : [Operations on header x-amz-acl are restricted]
It seems that modifying any security-related S3 API header isn't possible in the HTTP API. This is a major problem for calling the S3 API directly as it means that in order to function, the S3 bucket needs to be public.
I have hosted a S3 static site into CloudFront. That site using rest api deployed into api gateway. API gateway has not access control.
I want to protect my api from being accessed by others. Only my static site can access it. I know I can use api key but that could expose by browser console which is not expected.
Is there other way to control my api access?
Thanks in advance
I have a similar issue as well. It seems like using referer or CORS restrictions are the best way to go. However, in practice I haven't been able to make it work after trying both CORS and referer restrictions. API Gateway has automatic protection against malicious behavior like DDOS attacks according to their FAQs, but it is disheartening that I haven't found a specific solution for protecting my API gateway that is only used for my S3/Cloudfront static site.
Google Cloud allows you to use their API keys on the frontend for integrations with services like Google Maps. The way they protect those keys is through restricting the API keys to certain domains. Unfortunately, I haven't found similar functionality for AWS keys. As you know, the only way to throttle or put quotas on API gateway is through API keys, so it looks like this would be useless for a static site that can't expose those API keys publicly on the frontend.
It defeats the whole purpose of going completely serverless if I am unable to configure my serverless API Gateway the same way I could congfigure a normal backend EC2 server. For now, I've created billing alarms so I don't get surprised with a huge AWS bill if something goes wrong with my unprotected API gateway.
I've built an API with Spring Boot and deployed it into an AWS EC2 instance. I want to make this Spring Boot API to be accessible only through AWS API Gateway. I mean no one could bypass AWS API Gateway and call the that API directly. I want to do this in order to be able to apply some policies like throttling and others.
Is possible to make that API to receive calls through AWS API Gateway only?
Your current best option to achieve this is to use the Client-Side SSL feature of API Gateway: http://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Note that if you front your EC2 instances with an ELB you will need to set them to TCP mode and terminate SSL on your EC2 instances.
I have built a gateway (using aws api gateway) in front of my rest api. I want to monitor the usage of resources on that api using the api-keys generated by api gateway. By 'usage' I mean which resources were requested and served to clients associated with an api key. Amazon claims that cloudtrail can be used to track gateway requests but the x-api-key header does not show up in cloudtrail logs. Has amazon provided an idiomatic way of doing this? Has anyone implemented this functionality in a custom manner? It seems reasonable that this functionality should be built in, however I cannot find how to do this anywhere.