How do I encrypt the payload from an API Gateway endpoint?

0

I have a ReactJS website hosted via Route53 using Amplify. I have sensitive customer data in an RDS instance within a VPC. The associated lambdas are in the same VPC. There are security groups attached to both the RDS instance and the lambdas that interact with the RDS instance. When a website visitor logs into their account (via Cognito user pool), I want to retrieve their customer information for displaying in the ReactJS website. This will be accomplished via an API Gateway endpoint with a Cognito authorizer, which will approve/reject the request based on ID token; if the request is approved, the appropriate lambda will then execute via lambda proxy integration in API Gateway, to return the customer data back to the React website. I am using Axios for building the REST requests to the API Gateway endpoint.

I want to ensure that the customer data payload while in transit from API Gateway to the ReactJS website is secure. I have been researching how to encrypt a payload from API Gateway but not seeing anything definite. What steps can I take to encrypt the REST payload when sent from API Gateway, and to later decrypt it when the payload is received by the ReactJS client?

3 Answers
1

Hi @rePost-User-7357499 - Response to your questions below

  1. The link for implementing a minimum TLS version is https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html which is mentioned in the link Nitin provided.

  2. In the link I provided, it is mentioned how you can achieve mutual TLS between the API Client (the ReactJS application in your case) and the API Gateway. Mutual TLS is useful in a B2B kind of use-case where you have a few clients and you want to make sure that any requests coming from the clients can be trusted by API Gateway. TLS and Mutual TLS both encrypt the traffic but mutual TLS provides additional security because the server can also trust the client. It can be difficult to implement mutual TLS if you have a large number of API consumers. In that case, you should use Authentication by using mechanisms such as IAM authentication, Lambda authorizers, Cognito User Pool or Cognito Identity Pool based authentication. You can read up more in this document - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html. There are also blogs on the topic of authentication in API Gateway such as https://aws.amazon.com/blogs/compute/evaluating-access-control-methods-to-secure-amazon-api-gateway-apis/ and https://aws.amazon.com/blogs/security/use-aws-lambda-authorizers-with-a-third-party-identity-provider-to-secure-amazon-api-gateway-rest-apis/

  3. You can calculate the price of custom domains on AWS using the pricing calculator - https://aws.amazon.com/route53/pricing/

EXPERT
answered 2 months ago
  • Thank you for your responses, Indranil. I can definitely use the first blog link you provided, as I dive deeper into various use cases. In my current use case, I only have the one ReactJS application as a client. I believe since only user accounts through a Cognito user pool are involved and I have no business clients using this API, then I would not classify this as B2B. Would you agree?

    The Cognito user pool for my user accounts can grow over time, but there is essentially just the one client, if that answers the "number of API consumers" part you mentioned? Please correct me if I misunderstood that part.

    I appreciate your patience and diligence as I am still trying to make sure I have the big picture. I already plan to use a Cognito User Pool Authorizer on the API Gateway endpoint for authentication, following this article: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

    But that will not cover encryption of the customer data payload from API Gateway to the ReactJS website, correct? And that is where the mTLS implementation you shared via your link comes in, right?

    If I am understanding you so far, the Cognito authorizer on the endpoint and the minimum TLS (Nitin's link) would cover everything in my use case?

  • Hi Indranil, I wanted to see if you have any suggested response to my last comment?

    Thanks.

1

As Nitin mentioned above, by default an API Gateway endpoint is an HTTPS endpoint. If you need to implement mutual TLS between the client (your ReactJS app) and API Gateway, then you can look at this documentation on how to configure mTLS - https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html

EXPERT
answered 2 months ago
  • Hi Indranil. I am new to some of this, so I apologize that I am still getting up to speed. I did see the AWS link which Nitin provided before asking my question, but I might not fully understand it. I can attempt to follow the link you provided to implement the mutual TLS. A few questions, please, to clarify my understanding:

    1. Is the impl in the link you provided a means of achieving the minimum TLS protocol version mentioned in the link Nitin referenced?

    2. Would the impl in the link you provided be the maximum (or at least substantial) security impl I can achieve for encrypting/masking the response payload between the API Gateway and the ReactJS client?

    3. Would you happen to know if this impl would be extremely costly (custom domain, cert, and trust store)?

1

The communication between the client and API Gateway is encrypted in transit using TLS. Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/data-protection-encryption.html#data-protection-in-transit

If you need to encrypt the payload itself, then you can, for example, use a Lambda function as the API Gateway integration and let the Lambda decrypt/encrypt and forward the request to the backend. There can be other patterns based on the use case.

EXPERT
answered 2 months ago
