Authorize Websocket API $disconnect

0

Hello, AWS API Gateway provides an option to authorize the $connect API call, but there is no option to do the same for the $disconnect API. The $disconnect API call results in deleting the corresponding connection in the database. Do we need to authorize the disconnect API? We are setting up a VPC link from API Gateway to communicate with our service, to ensure the endpoint is open only to API Gateway. Is there any recommendation around securing the disconnect API?

1 Answer
1

Authorization on the $disconnect API is not required, as you authorize the connection with $connect; after that the connection stays open, so you know all the traffic is coming from the same connection you authorized at the beginning of the connection.

Miki
answered 2 years ago
  • But do we really need a VPC link between API Gateway and the service endpoint when we have WAF in place to protect against DDoS attacks? Also, the UI will re-establish the connection in case the connection is closed by an unauthorised user. Can we consider this low risk without a VPC link?

  • Without a VPC link, or with a public disconnect API, I see the following risk: an unauthorised user tries to guess the connection id and ends up disconnecting the UI socket connection of a valid user. However, the risk is probably low as the UI will re-establish the connection within x sec (same as the stale-connection use case). The other possible risk is a DDoS attack; WAF can protect against that.
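To make the answer and the comment thread concrete, here is an added example (not code from the original post or from AWS) of the two Lambda handlers involved: a REQUEST authorizer on $connect that checks a token, and a $disconnect handler that deletes only the connection id API Gateway itself places in `requestContext`, so a caller cannot name someone else's connection in the request body. The token format, the shared secret and the in-memory connection table are constructed stand-ins for a JWT, a secrets store and DynamoDB.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example only; load from a secrets store in practice.
SECRET = b"example-shared-secret"


def issue_token(principal: str, ttl_s: int = 300, now: Optional[int] = None) -> str:
    """Constructed token 'principal:expiry:hmac' standing in for a real JWT."""
    exp = (now if now is not None else int(time.time())) + ttl_s
    mac = hmac.new(SECRET, f"{principal}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{principal}:{exp}:{mac}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the principal if the MAC is valid and the token is unexpired."""
    try:
        principal, exp, mac = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{principal}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if int(exp) < (now if now is not None else int(time.time())):
        return None
    return principal


def connect_authorizer(event: dict, now: Optional[int] = None) -> dict:
    """$connect REQUEST authorizer: token arrives as ?token=... on the upgrade."""
    token = (event.get("queryStringParameters") or {}).get("token", "")
    principal = verify_token(token, now)
    return {
        "principalId": principal or "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": "Allow" if principal else "Deny",
                           "Resource": event["methodArn"]}],
        },
    }


def disconnect_handler(event: dict, connections: dict) -> dict:
    """$disconnect: remove only the id set by API Gateway, never one from the body."""
    ctx = event.get("requestContext", {})
    conn_id = ctx.get("connectionId")
    if ctx.get("eventType") != "DISCONNECT" or not conn_id:
        return {"statusCode": 400}
    connections.pop(conn_id, None)   # any connectionId in event["body"] is ignored
    return {"statusCode": 200}
```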
