How to manage access to a REST API in Amazon API Gateway?

Amazon API Gateway is a fully managed service that helps developers create and deploy scalable APIs on AWS. These APIs act as the entry point through which applications access data, run business logic or reach any other AWS service.

In one of our previous posts, "How to create a REST API using AWS Lambda and API Gateway?", we built an API. In this post, we will look at the various ways available to secure that API.

There are multiple mechanisms available for controlling and managing access to a REST API deployed using Amazon API Gateway. The following list summarizes them:

  • Resource Policies: JSON policy documents attached to the API that grant or deny a principal permission to invoke it. Access can be allowed or denied for traffic from a specific IP address, a specific AWS account or a specific VPC.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": ["execute-api:/*"]
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "execute-api:Invoke",
          "Resource": ["execute-api:/*"],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": ["12.0.2.1", "10.1.1.23"]
            }
          }
        }
      ]
    }
    Example of a resource policy that denies two specific IP addresses the ability to invoke the API: the explicit Deny overrides the Allow for requests from those sources, and everyone else is allowed.
  • AWS IAM: IAM roles and policies can grant a user, role or AWS resource the execute-api:Invoke permission on the API. A resource with such a role attached, or a user with such a policy, can then call the API deployed on Amazon API Gateway using its AWS credentials.
  • VPC Endpoint Policies: an IAM resource policy attached to an interface VPC endpoint to control access through it. Interface VPC endpoints are used to expose a private API; they are powered by AWS PrivateLink, which lets you reach AWS services over private IP addresses. The endpoint policy specifies which APIs can be called through that interface VPC endpoint.
  • Lambda Authorizers: if you want to write custom logic that decides whether the caller of a specific request may invoke the API, you can use Lambda authorizers. These are Lambda functions containing that custom access-control logic. The function is invoked for every request and receives details such as the request's headers, query string parameters and other request context, so it has enough information to make the decision.
  • Amazon Cognito User Pools: if you use Amazon Cognito for authentication and user management, you can use a user pool to secure your API. The tokens issued by Amazon Cognito are sent in the Authorization header of the API request. The user pool authorizer attached to the API validates the token according to the user pool's settings before the request is passed on to the API.
  • Usage Plans & API Keys: API Gateway supports the creation of usage plans and API keys. You create an API key and associate it with a usage plan to control how the API is used: only requests carrying a valid key are accepted, and the usage plan can rate-limit and meter requests per key. API keys identify the calling application for throttling and metering; they are not a replacement for the authentication mechanisms above.
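
The resource policy in the first bullet combines a blanket Allow with a conditional Deny, and the result can be checked before deploying it. The following evaluator is an added example (not code from the original post): it applies the general IAM evaluation rule (an explicit Deny beats any Allow, and with no matching Allow the request is denied) to the IpAddress and NotIpAddress condition operators on aws:SourceIp, accepting single addresses or CIDR blocks. The `evaluate` function, the sample resource name and the test addresses are constructed for this example; other condition operators are deliberately not modelled.

```python
"""Simulate how API Gateway evaluates a resource policy with IP conditions.

Added example, standard library only. Models only Effect/Action/Resource
plus the IpAddress / NotIpAddress condition operators on aws:SourceIp.
"""
import fnmatch
import ipaddress
import json

# The policy from the post (same content, reformatted as valid JSON).
RESOURCE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["execute-api:/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["execute-api:/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": ["12.0.2.1", "10.1.1.23"]}}}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _ip_condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp.

    Values may be single addresses or CIDR blocks. A statement without a
    Condition block always matches.
    """
    if not condition:
        return True
    ip = ipaddress.ip_address(source_ip)
    result = True
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        ranges = [ipaddress.ip_network(v, strict=False)
                  for v in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(ip in net for net in ranges)
        result = result and (in_range if operator == "IpAddress" else not in_range)
    return result


def _resource_matches(patterns, resource):
    """Match 'execute-api:/*'-style patterns; '*' matches any characters."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, source_ip, resource="execute-api:/prod/GET/items",
             action="execute-api:Invoke"):
    """Return 'Allow' or 'Deny' for a request on `resource` from `source_ip`."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _ip_condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"   # no matching Allow: implicit deny


if __name__ == "__main__":
    # Constructed sample callers: the two denied addresses and an unrelated one.
    for ip in ("12.0.2.1", "10.1.1.23", "203.0.113.7"):
        print(ip, "->", evaluate(RESOURCE_POLICY, ip))
```

Running the block prints Deny for the two listed addresses and Allow for any other source, which is exactly what the post's policy intends. Swapping the Deny statement for an Allow with the same condition (and dropping the blanket Allow) turns the policy into an allow-list, and the same evaluator shows the inverse result.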
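
When the API uses AWS IAM authorization (second bullet), granting execute-api:Invoke is only half the story: the caller has to prove its identity on every request by signing it with AWS Signature Version 4, which API Gateway verifies before applying the IAM policy. The following signer is an added example (not code from the original post) implementing the SigV4 algorithm with the standard library only: canonicalise the request, derive a per-day signing key from the secret key, and produce the Authorization header. The access key, secret key, host name and timestamp in `demo_headers` are constructed placeholders; a real client would take them from its credential chain and add an `x-amz-security-token` header when using temporary credentials.

```python
"""Sign a request to an IAM-protected API Gateway endpoint with SigV4.

Added example, standard library only. Shows what a principal holding
execute-api:Invoke must send so API Gateway can authenticate it.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "execute-api"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body: bytes):
    """Return (canonical request string, signed-headers list) per SigV4."""
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    # Header names are lowercased, values trimmed with runs of spaces collapsed.
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    signed_headers = ";".join(sorted(lower))
    canonical = "\n".join([
        method.upper(),
        quote(path, safe="/"),   # each path segment URI-encoded once
        canonical_query,
        canonical_headers,
        signed_headers,
        _sha256_hex(body),       # hash of the payload (empty body hashes too)
    ])
    return canonical, signed_headers


def signing_key(secret_key, date_stamp, region):
    """Derive the per-day, per-region, per-service key from the secret key."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sign_request(access_key, secret_key, region, method, host, path,
                 query=None, body=b"", when=None):
    """Return the headers (host, x-amz-date, authorization) for the call."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    canonical, signed_headers = canonical_request(method, path, query or {}, headers, body)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def demo_headers(body=b""):
    """Sign a constructed GET /prod/items with placeholder credentials and a fixed time."""
    fixed_time = datetime.datetime(2023, 1, 1, tzinfo=datetime.timezone.utc)
    return sign_request("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                        "us-east-1", "GET", "abc123.execute-api.us-east-1.amazonaws.com",
                        "/prod/items", body=body, when=fixed_time)


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
```

Because the x-amz-date header is part of the signed material, API Gateway rejects signatures older than a few minutes, and because the payload hash is included, a modified body invalidates the signature; both properties fall out of the canonical request shown above.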

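The Lambda authorizer bullet describes a function that receives the request and decides whether to admit it; the contract API Gateway expects from that function is concrete enough to show in code. The handler below is an added example (not code from the original post or from AWS): a REQUEST-type authorizer that reads a bearer token from the Authorization header, verifies it and returns the IAM policy document API Gateway requires, scoped to the whole stage so that a cached result also covers the caller's other methods. The token format (an HMAC-signed `user:expiry:mac` string) and the `SECRET` constant are constructed for the example; a production authorizer would verify a JWT from its identity provider instead.

```python
"""A REQUEST-type Lambda authorizer for Amazon API Gateway.

Added example. Returning Effect "Deny" results in a 403 for the caller;
raising Exception("Unauthorized") results in a 401.
"""
import hashlib
import hmac
import time

# Constructed secret for the example only; load a real one from an
# environment variable backed by Secrets Manager or SSM Parameter Store.
SECRET = b"example-shared-secret-do-not-use"


def issue_token(user, ttl_seconds=300, now=None):
    """Mint a token of the form user:expiry:hexmac (constructed format)."""
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    mac = hmac.new(SECRET, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{expiry}:{mac}"


def verify_token(token, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        user, expiry, mac = token.split(":")
        expiry = int(expiry)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if expiry <= (now if now is not None else time.time()):
        return None
    return user


def _policy(principal_id, effect, resource, context=None):
    """Build the response document API Gateway expects from an authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
        # Values here become $context.authorizer.* for the integration.
        "context": context or {},
    }


def _stage_arn(method_arn):
    """Widen arn:...:api-id/stage/METHOD/path to arn:...:api-id/stage/*."""
    api_part, _, rest = method_arn.partition("/")
    stage = rest.split("/")[0]
    return f"{api_part}/{stage}/*"


def lambda_handler(event, context, now=None):
    """Entry point invoked by API Gateway for every request (unless cached)."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth:
        raise Exception("Unauthorized")          # no credentials at all: 401
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    method_arn = event["methodArn"]
    user = verify_token(token, now=now)
    if user is None:
        return _policy("anonymous", "Deny", method_arn)   # bad token: 403
    # Allow the whole stage: the authorizer result is cached per token, and a
    # policy naming only one method would deny the same caller's other methods.
    return _policy(user, "Allow", _stage_arn(method_arn), {"user": user})


if __name__ == "__main__":
    # Constructed sample event of the shape a REQUEST authorizer receives.
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items"
    event = {"headers": {"Authorization": "Bearer " + issue_token("alice")}, "methodArn": arn}
    print(lambda_handler(event, None))
```

The `now` parameter exists only so the expiry check can be exercised deterministically; Lambda calls the handler with the two standard arguments and the default kicks in.
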
That's all for this post. I will write some specific posts in the future to explore these methods in more detail and how to use them while deploying an API Gateway using an AWS SAM template. Till then, Happy Coding.