API Gateway Security
An API gateway serves as a single point of entry for your applications. Akin to a high-end reverse proxy, a gateway opens the door to many valuable networking features. These include, but are not limited to, application-wide monitoring, versatile API management and robust security controls that can take your app’s defenses to the next level.
In this article, we’ll use an Amazon API Gateway to explore how API gateways help protect your applications. We’ll also cover some security best practices to help keep the gateway safe.
First though, let’s summarize some essential technologies that we’ll explore later in the article.
| Service | Description |
| Amazon API Gateway | fully managed cloud service to create, publish, maintain, monitor, and secure APIs at scale |
| CloudWatch | observability service that can be integrated with Amazon API Gateway to monitor all API traffic |
| AWS X-Ray | end-to-end view of requests as they travel through your application. Advantageous for incident response |
| AWS IAM & Cognito | cloud-based identity, authentication and access control services within AWS |
If later in the article you find yourself forgetting what a specific technology does, just consult the table as a quick reminder. With that in mind, let’s dive into the details!
How Amazon API Gateway works
An API gateway is a single entry point through which devices and infrastructure nodes communicate. This is done without those devices having to know the specific protocol for a given node. Because the gateway can see all passing traffic, it can also manipulate the requests and responses between clients and applications. Furthermore, instead of having to configure applications individually to integrate with services (such as monitoring, firewall, or caching solutions), you can hook each app to the gateway and then configure the gateway to link up with the service.
The role of Amazon API Gateway in an API infrastructure (source)
Furthermore, if a solution in your infrastructure needs to be switched-out or removed, using a gateway means that you only need one point of contact. You can configure the gateway to divert the traffic, rather than having to configure each app.
Amazon API Gateway goes even further, by providing dozens of additional features such as tracing requests (for debugging), traffic monitoring and easy integration into the rest of the AWS ecosystem.
Securing apps with Amazon API Gateway
Although Amazon API Gateway offers powerful mechanisms to bolster your applications defenses, the benefits are multiplied when combined with other AWS services, such as CloudWatch and AWS X-Ray. In this section, we’ll look at a number of AWS services that compliment Amazon API Gateway and illustrate (with examples) how they combine to protect your applications. We’ll also make sure to provide links to helpful and original Amazon documentation along the way.
CloudWatch
Amazon CloudWatch provides monitoring and observability. The ability to initiate alerts and put together expressive dashboards makes CloudWatch a useful tool in the cloud engineer toolbox. But the ability to create dashboards and alerts, informed and triggered by security anomalies and intrusion detection rules, make it even better!
Dashboards in AWS CloudWatch are completely customizable (source)
AWS IAM
AWS Identity and Access Management (IAM) provides finely grained permissions for AWS services and resources. AWS IAM has two main functions:
- allow cloud engineers to access the infrastructure they need
- dictate how AWS services access one other
Under the hood, these functions are essentially the same as each service is treated as a “user” from IAM’s point of view.
IAM dictates which users can have access to which resources (source)
Configuring IAM is necessary for Amazon API Gateway to gain access to other AWS resources. In fact, cloud-savvy devs often deploy Amazon API Gateway as a frontend to AWS Lambda functions. This is because Amazon API Gateway has advanced features that Lambda Function URLs lack, such as custom authorizers, request-response validation, and built-in AWS firewall support.
To link the two, we must go into AWS IAM and assign the API Gateway permission to access Lambda, like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "*"
}
]
}
Usefully, Amazon provides comprehensive documentation describing how to leverage IAM and Amazon API Gateway integration with other services here.
Amazon Cognito
Amazon Cognito is also a tool which manages access control and permissions. But unlike IAM, which restricts access to and between AWS services, Cognito handles user authentication and authorization within applications. Managing auth from within an API gateway is convenient due to its centralized location. If each app handled auth separately, security engineers would have a hard time keeping track of which services use which auth mechanism. Furthermore, admins would also have to track which auth mechanisms were patched against security vulnerabilities.
For complete instructions on integrating Amazon Cognito with your apps, check out the relevant documentation from AWS here.
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
AWS Native Tools |
✔
|
✔
|
✔
|
|||
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
HTTPS with custom domains
To prevent man-in-the-middle attackers from snooping data and to ensure authenticity of resources (and for a plethora of other reasons), HTTPS should be used absolutely everywhere. If you use the default domain name that AWS provides, HTTPS is thankfully provided automatically.
Custom domains are also easy to configure with TLS. The usual approach is to integrate Amazon API Gateway with another AWS product, called AWS Certificate Manager (ACM). Instructions for doing this can be found in the AWS docs page here.
Native OIDC and OAuth2 support
In conventional app development, poorly implemented authentication can be a perennial fountain of bugs and vulnerabilities. With Amazon API Gateway though, you can alleviate this via the gateways built-in support for JWT authorizers.
Updating an existing API behind the gateway to use JWT authorizers is easy. From the AWS command line, just run a command like this:
$ aws apigatewayv2 update-route \
--api-id api-id \
--route-id route-id \
--authorization-type JWT \
--authorizer-id authorizer-id \
--authorization-scopes user.id user.email
Just make sure to change values above, like “api-id”, “route-d” and so on, to match the specifics of your deployment. Further instructions for using JWT authorizers with Amazon API Gateway can be found here.
In addition to the default JWT authorizer, Amazon API Gateway also gives you the option to support custom authorization requirements. This is done by executing a Lambda authorizer from AWS Lambda.
Protecting the gateway itself
By using the tools above in combination with your Amazon API Gateway, you can easily increase the security of your apps. As an added bonus, the gateway can also be used to handle any integration requirements that you might have. But what about the gateway itself? How do we harden it from attacks?
Luckily, Amazon API Gateway already has very strong security out of the box. By reading Amazon’s Security best practices in Amazon API Gateway you’ll see that most recommendations just involve integration with services of the type we’ve already covered. But there are a few tips we haven’t discussed yet, so let’s do so now.
Unused APIs
First and foremost, periodically delete unused APIs from the gateway. This can be done by following the instructions found in Amazon’s official docs here. Ideally, admins will remember to do this each time an API is taken offline. But this is easy to forget, so it’s also important to regularly check that all APIs covered by Amazon API Gateway are alive. This needn’t be manual, CloudWatch Events can be set to alert administrators when an API is taken offline. This can then trigger a Lambda function that modifies AWS Config and deletes the API from the gateway.
PoLP
Second, always follow the “principle of least privilege” by strictly limiting access. Use IAM policies to restrict access for creating, reading, updating or deleting Gateway APIs. See here for details. For endpoints that don’t require totally unlimited access, API Gateway makes it easy to throttle API requests. Instructions for introducing rate limiting can be found in here.
Other Technologies
Amazon also provides instructions for specific technologies. Select the technology used in your stack from the options below and apply the correct practices accordingly:
REST: Controlling and managing access to a REST API in API Gateway
WebSockets: Controlling and managing access to a WebSocket API in API Gateway
HTTP + JWT: Controlling access to HTTP APIs with JWT authorizers
AWS Config
Finally, you can perfect your Gateway’s posture by integrating another Amazon service, AWS Config. This service allows you to monitor configuration changes to AWS services, including your Amazon API Gateway. This is invaluable when debugging faulty configuration changes and also provides config-change alerting for administrators.
AWS config lets IT admins receive alerts if predetermined configs are changed (source)
For complete instructions on combining AWS Config with Amazon API Gateway, consult Amazon’s verbosely-titled developer guide, Monitoring API Gateway API configuration with AWS Config.
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
AWS Native Tools |
✔
|
✔
|
✔
|
|||
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Conclusion
The architecture of large microservice APIs grows more complex each year, increasing the attack surface for hackers to exploit. According to a report by Security Magazine, “misconfigured APIs make up two-thirds of cloud breaches.” Services like Amazon API Gateway flip this trend on its head by simplifying intrusion detection, firewall coverage and allowing for the centralized management of web application security.
Although this article concentrated on the security aspects of deploying cloud-based API gateways with AWS, there are many other worthwhile integrations that aren’t related to security. For example, API gateways can be hard to debug, because when something goes wrong it’s not always obvious if the gateway or the app were at fault. AWS X-Ray can help debug distributed systems. By describing requests end-to-end, it allows administrators to observe what is going wrong, and where. There are many others – security is but one of many benefits of Amazon API Gateway.
Be wary though, these benefits can come at a cost. An improperly configured API gateway can be a vulnerability in and of itself. For example, anyone on the network can read unprotected gateway traffic (without HTTPS) via a man-in-the-middle attack. Also, inadequate IAM controls could allow device owners to access API endpoints from the gateway, which should really be restricted to administrators only. It is therefore paramount that engineers take care to apply the best practices outlined in this article. If you enjoyed this article and found it useful, please feel free to check out some of our other AWS pieces!