Authorize Websocket API $disconnect
0
Hello , AWS API Gateway provides option to authorize $connect API call. But, there is no option to do the same for $disconnect API. $disconnect API call result into deleting corresponding connection in database. Do we need to authorize disconnect API ? We are setting VPC link from API gateway to communicate with our service to ensure the endpoint is open only for API gateway. Is there any recommendation around securing disconnect API?
Argomenti
Lingua
English
posta 2 anni fa404 visualizzazioni
1 Risposta
- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
1
The authorize in the $disconnect API is not required as you authorize the connection with $connect, after that the connection stays open, so you know all the traffic it's coming from the same connection you authorized at the beginning of the connection.
con risposta 2 anni fa
Contenuto pertinente
AWS UFFICIALEAggiornata 2 anni fa- AWS UFFICIALEAggiornata 3 anni fa
- AWS UFFICIALEAggiornata un anno fa
But, do we really need a VPC link between API gateway and service endpoint when we have WAF in place to protect against DDoS attack. Also, UI will re-establish the connection in case the connection closed by unauthorised user? Can we consider this as low risk without VPC link.
Without VPC link or public disconnect API, I see following risk: unauthorised user try to guess the connection id and result into disconnecting ui socket connection for a valid user. However, the risk is probably low as the UI will re-establish the connection within x sec (same as stale connection use-case). The other possible risk is DDoS attack, WAF can protect against that.