Protecting AWS API Gateway From 3rd Party Only


Hello,

I need to control access to my REST API Gateway in the following manner:

  • When called from my own web app (SPA hosted on S3/CloudFront at a specific Route53 domain) it should go through only after validating the calling user in terms of authentication and authorization through an OAuth2 JWT token.
  • When a 3rd party calls (any other domain/machine) the above should also happen, but only after validating that a specific API Token has been issued to the caller.

What technologies should I be using to achieve the above please?

1 answer

API Gateway supports only a single authorization method per route. If you need something which is more complex than what API Gateway supports (Cognito or IAM), you will need to use a Lambda authorizer. In the authorizer you can check the source (based on maybe some secret header that you pass from the client) and if it is not your client, you check for the other token.

AWS Expert
Uri
answered 2 years ago
    1. So you mean I cannot use Cognito + API token to protect a single route?
    2. Is it actually safe to pass a fixed API token from an SPA client to the Gateway?
    1. You can use both Cognito and API keys, however, if you specify that API keys are required, they will be required for everyone.

    2. Not really, but it is not very different than passing an API key.
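A sketch of the Lambda REQUEST authorizer the answer describes, added here as an example rather than code from the answer or from AWS. The `x-client-secret` and `x-api-token` header names, the `FIRST_PARTY_SECRET` and `ISSUED_API_TOKENS` values, and the `verify_jwt` callback (which must validate the OAuth2 JWT's signature, issuer, audience and expiry against the identity provider, and which the Lambda entry point would pass in as `authorize(event, verify_jwt)`) are all assumptions.

```python
import hmac

# Constructed values for this example; in a deployment they would be read from
# configuration or Secrets Manager, never hard-coded.
FIRST_PARTY_HEADER = "x-client-secret"
FIRST_PARTY_SECRET = "constructed-first-party-secret"
# Assumed store of issued third-party API tokens -> partner name.
ISSUED_API_TOKENS = {"tok-partner-a": "partner-a"}


def build_policy(principal, effect, method_arn, context=None):
    """IAM policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def authorize(event, verify_jwt):
    """Every caller must present a valid JWT; third parties must also present an issued API token.

    verify_jwt(token) is assumed to return the JWT claims or raise on any validation failure.
    """
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    method_arn = event["methodArn"]
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return build_policy("anonymous", "Deny", method_arn)
    try:
        claims = verify_jwt(auth[len("Bearer "):])
    except Exception:  # bad signature, wrong issuer/audience, expired, malformed
        return build_policy("anonymous", "Deny", method_arn)
    # The SPA's header only distinguishes the first-party client; as the answer's
    # comment notes, a value shipped in a browser app is not a real secret.
    first_party = hmac.compare_digest(headers.get(FIRST_PARTY_HEADER, ""), FIRST_PARTY_SECRET)
    if first_party:
        return build_policy(claims["sub"], "Allow", method_arn, {"caller": "first-party"})
    partner = ISSUED_API_TOKENS.get(headers.get("x-api-token", ""))
    if partner is None:
        return build_policy(claims["sub"], "Deny", method_arn,
                            {"reason": "api token missing or unknown"})
    return build_policy(claims["sub"], "Allow", method_arn, {"caller": partner})
```

The Deny branches return a policy rather than raising, so API Gateway answers 403 and the decision is still cached per the authorizer's TTL settings.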
