How to accept requests from a specific domain in API Gateway WebSocket?

0

Hi! I'm trying to protect my API Gateway WebSocket, and specifically the Lambda functions that are connected to that API Gateway. My idea of protection is that only specific domains can access the Lambda functions connected to my API Gateway, because we want to avoid unwanted invocations or attacks.

I read about authorizers, but I don't know whether I have to generate the key provided in the header (Sec-WebSocket-Key) or whether it is generated automatically. So my question is: is there another way to protect my API Gateway and Lambda functions so that they only accept requests from specific domains? Or is it correct to use an authorizer to protect the connection to the WebSocket?

Asked 7 months ago, viewed 437 times
1 answer
0

To protect your Lambda function that's accessed through API Gateway, you can control/limit who can access your WebSocket API Gateway. In order to accept specific domains on API Gateway you would have to enable CORS and set the 'Access-Control-Allow-Origin' header to accept requests from specific domains, but the problem with this approach is that there is no option to allow CORS for the WebSocket protocol.

API Gateway supports the following authentication mechanisms, for more details you can refer to [1]:

  • Standard AWS IAM roles and policies
  • IAM tags
  • Lambda authorizers

With a Lambda authorizer you have more control over authenticating requests by creating your own custom Lambda function that implements the authorization logic; for more details on Lambda authorizers see [2]. Depending on how you handle authenticating requests (e.g. a token, or username/password), these values will have to be provided by the requester through incoming headers when invoking your WebSocket API. API Gateway will pass the values to your Lambda authorizer function, which handles the authentication; when a request is successfully authenticated by your function, the request will then be passed to your integration Lambda function. This will happen on all invocations.

NB: You can only use a Lambda authorizer function for the $connect route.

References:

[1]. Controlling and managing access to a WebSocket API in API Gateway - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-control-access.html

[2]. Use API Gateway Lambda authorizers - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html#api-gateway-lambda-authorizer-lambda-function-create

AWS
Answered 7 months ago
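As an added illustration of the approach described in the answer above (this is example code, not from the answer, AWS, or the documentation it links), here is a Lambda REQUEST authorizer for the `$connect` route. It checks the browser-supplied `Origin` header against an allow-list of domains and also requires a shared token, passed either as an `Authorization: Bearer` header or as a `?token=` query parameter, since browsers cannot set custom headers on a WebSocket handshake. The allow-list, the token, the environment variable names and the principal ids are hypothetical values chosen for the example. Note the caveat that matters for the original question: `Origin` is only enforced by browsers, so a non-browser client can send any value; the domain check keeps other sites' pages from connecting, but the token is the control that actually limits who can invoke the integration.

```python
"""Added example: Lambda REQUEST authorizer for a WebSocket API $connect route.

Allows the connection only when BOTH hold:
  1. the Origin header matches an allow-listed scheme://host exactly, and
  2. a shared token is presented (Authorization header or ?token= query param).
Otherwise it returns an explicit Deny policy so the handshake is rejected.
"""
import hmac
import os
from urllib.parse import urlparse

# Hypothetical configuration. In a real deployment these come from Lambda
# environment variables (the token itself should live in Secrets Manager/SSM);
# the defaults below are constructed values for running the example offline.
ALLOWED_ORIGINS = {
    o.strip().lower()
    for o in os.environ.get("ALLOWED_ORIGINS", "https://app.example.com").split(",")
    if o.strip()
}
EXPECTED_TOKEN = os.environ.get("CONNECT_TOKEN", "constructed-demo-token")


def _header(headers, name):
    """Case-insensitive header lookup; API Gateway passes headers as sent by the client."""
    for key, value in (headers or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def origin_allowed(origin):
    """True only if Origin is an exact scheme://host(:port) match with the allow-list.

    Exact matching avoids suffix tricks such as app.example.com.attacker.net.
    """
    if not origin:
        return False
    parsed = urlparse(origin.strip().lower())
    if parsed.scheme not in ("https", "http") or not parsed.netloc:
        return False
    return f"{parsed.scheme}://{parsed.netloc}" in ALLOWED_ORIGINS


def token_valid(event):
    """Accept the token from Authorization: Bearer <token> or ?token=<token>."""
    auth = _header(event.get("headers"), "Authorization") or ""
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token is None:
        token = (event.get("queryStringParameters") or {}).get("token")
    if not token:
        return False
    # constant-time comparison so timing does not leak how much of the token matched
    return hmac.compare_digest(token, EXPECTED_TOKEN)


def build_policy(principal_id, effect, method_arn, origin):
    """IAM policy document in the shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": method_arn,
                }
            ],
        },
        # context values must be strings/numbers/booleans; they are exposed to the
        # integration Lambda via requestContext.authorizer
        "context": {"origin": origin or ""},
    }


def lambda_handler(event, context=None):
    """Entry point invoked by API Gateway on every $connect attempt."""
    method_arn = event.get("methodArn", "*")
    origin = _header(event.get("headers"), "Origin")
    if origin_allowed(origin) and token_valid(event):
        return build_policy("websocket-client", "Allow", method_arn, origin)
    return build_policy("anonymous", "Deny", method_arn, origin)
```

Attach this function as a REQUEST authorizer on the `$connect` route and select `Origin` (and `Authorization` or the `token` query string) as identity sources; the integration Lambda behind the other routes is then only reachable over connections that passed this check, which is the property the question asks for.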
