Protecting your APIs

Developing applications on AWS

Ricardo Sueiras

Principal Technologist

Securing APIs on AWS


  • Securing APIs is critical for cloud-native apps.
  • They expose sensitive business functionality.
  • They are often the public entry point to back-end systems.
  • API Gateway helps you expose APIs safely.

Authorization and authentication


  • Two key concepts:
  • Authentication: who you are.
  • Authorization: what you are allowed to do.

IAM authorization


  • API Gateway can use IAM for authentication and authorization.
  • Secures APIs with Signature Version 4 (SigV4).
  • Clients sign every request.
  • API Gateway validates the signature before processing.
  • IAM policies then control what each identity can invoke.
  • Best for AWS service-to-service communication.

Amazon Cognito authorizers

  • Cognito authenticates users with JSON Web Tokens (JWTs).
  • Common use cases: mobile apps, web apps, sign-in flows.
  • Supports federated identities.
  • Works with external providers like Google, Apple, and Facebook.
  • Enterprise providers via SAML or OIDC.
  • Validates JWTs natively, with no custom authorizer code.



Lambda authorizers

  • A Lambda function runs your custom authorization logic.
  • It returns an IAM policy allowing or denying access.
  • Use it to validate custom tokens.
  • Integrate with external identity providers.
  • Enforce your own custom rules.



Lambda authorizers

  • Example: validate a JWT from a provider like Auth0.
  • A request arrives and API Gateway invokes the authorizer.
  • The function validates the token and returns an IAM policy.
  • Policy decides access: allow or deny.
  • If allowed, the request is forwarded to the back-end.
  • If denied, API Gateway returns a 401 immediately.
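An added example, not code from the course, covering the Lambda authorizer slides above: a TOKEN-type authorizer that validates a JWT and returns an IAM policy allowing or denying `execute-api:Invoke`. So that it runs offline it uses a constructed HS256 shared secret and mints its own token; a provider such as Auth0 signs with RS256, and a real function would verify against the provider's published JWKS instead. The names `make_token`, `verify_jwt` and the issuer/audience values are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a real authorizer loads its key from an environment variable
# or Secrets Manager, and for Auth0 verifies RS256 against the provider's JWKS.
SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://example-tenant.example/"
EXPECTED_AUD = "orders-api"
def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT; only here so the example runs offline (the IdP does this)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now=None) -> dict:
    """Return the claims if alg, signature, exp, iss and aud check out; raise ValueError otherwise."""
    head, body, sig = token.split(".")                       # ValueError unless three parts
    header = json.loads(_unb64url(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":   # rejects alg=none etc.
        raise ValueError("unsupported alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):    # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    return claims

def _policy(principal: str, effect: str, method_arn: str) -> dict:
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def handler(event: dict, context=None) -> dict:
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "").removeprefix("Bearer ")
    try:
        claims = verify_jwt(token)
    except ValueError:
        return _policy("anonymous", "Deny", event["methodArn"])
    return _policy(str(claims.get("sub", "unknown")), "Allow", event["methodArn"])
```

Any failure (bad signature, expired, wrong audience, malformed token) collapses to a Deny policy rather than an unhandled exception, so the function never leaks why a token was rejected.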



Which authorizer


  • Pick Cognito for user-facing apps.
  • It gives managed sign-up, sign-in, and token validation.
  • No custom code required.
  • Pick Lambda when you need custom logic.
  • Good for third-party identity providers.
  • Or rules that go beyond what Cognito supports.

Authorizer caching


  • Authorizer responses are cached.
  • This reduces latency and cost on frequent endpoints.
  • Cache TTL is configurable.
  • Ranges from 0 to 3600 seconds.
  • Default is 300 seconds.
  • Setting TTL to 0 disables caching.

API Gateway resource policies


  • Define policies to control who can access an API.
  • Restrict by AWS account.
  • Restrict by IP address range.
  • Restrict by VPC.
  • Helps lock down internal APIs and limit exposure.

Encryption

  • API Gateway supports HTTPS endpoints with TLS by default.
  • HTTPS encrypts data in transit between client and gateway.
  • Integrates with AWS Certificate Manager (ACM).
  • ACM simplifies certificate management for custom domains.
  • Custom domain certificates are free.
  • NEVER expose APIs over unencrypted HTTP.



Mutual TLS (mTLS)


  • API Gateway supports mutual TLS (mTLS).
  • Authenticates clients using certificates.
  • Requires a configured domain name.
  • Common for machine-to-machine communication.
  • Both parties verify each other's identity.



API throttling and rate limiting

  • Throttling protects back-end systems.
  • It improves API reliability.
  • Without it, back-end services can be overloaded.
  • Rate limits control steady requests per second.
  • Burst limits allow temporary traffic spikes.
  • Exceeding limits returns 429 Too Many Requests.



Protecting against common exploits


  • Attach AWS WAF to API Gateway.
  • It blocks malicious requests before they reach your API.
  • Stops SQL injection attempts.
  • Stops cross-site scripting (XSS).
  • Blocks traffic from known malicious IP ranges.

Usage plans and API keys


  • Control how clients consume your APIs.
  • Configure request quotas.
  • Define rate limits.
  • Set subscription tiers.
  • Assign per-client consumption limits.

Cross-Origin Resource Sharing (CORS)


  • CORS lets browsers make cross-origin API requests.
  • Without it, valid browser requests may be blocked.
  • Overly permissive CORS is a security risk.
  • Avoid Access-Control-Allow-Origin: * in production.
  • Always restrict CORS to trusted origins.

CORS headers and preflight requests

  • A preflight OPTIONS request runs before the real request.
  • It confirms that the API permits cross-origin access.
  • API Gateway adds the needed CORS response headers.
  • For non-proxy integrations, it handles them automatically.
  • For proxy integrations, your Lambda must return the CORS headers.
  • Your Lambda must also handle the preflight OPTIONS request.



Let's practice!
