Authorize Websocket API $disconnect
0
Hello , AWS API Gateway provides option to authorize $connect API call. But, there is no option to do the same for $disconnect API. $disconnect API call result into deleting corresponding connection in database. Do we need to authorize disconnect API ? We are setting VPC link from API gateway to communicate with our service to ensure the endpoint is open only for API gateway. Is there any recommendation around securing disconnect API?
질문됨 2년 전404회 조회
1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
1
The authorize in the $disconnect API is not required as you authorize the connection with $connect, after that the connection stays open, so you know all the traffic it's coming from the same connection you authorized at the beginning of the connection.
답변함 2년 전
관련 콘텐츠
AWS 공식업데이트됨 일 년 전- AWS 공식업데이트됨 일 년 전
But, do we really need a VPC link between API gateway and service endpoint when we have WAF in place to protect against DDoS attack. Also, UI will re-establish the connection in case the connection closed by unauthorised user? Can we consider this as low risk without VPC link.
Without VPC link or public disconnect API, I see following risk: unauthorised user try to guess the connection id and result into disconnecting ui socket connection for a valid user. However, the risk is probably low as the UI will re-establish the connection within x sec (same as stale connection use-case). The other possible risk is DDoS attack, WAF can protect against that.