- Newest
- Most votes
- Most comments
If you use TLS/HTTPS, then you could consider using the "Referer" header and reject requests that do not come from your S3 domain. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
HTTPS headers are not a security feature, so your security team may still reject it.
Other options include using an identity on the site. AWS Cognito would work, but you could also implement a corporate SSO if you have one for external users.
As you say, the API request doesn't come from S3 - it comes from where the JavaScript is running which will be the user's browser. And because the user's browser is effectively the user themselves there's no practical way to stop the user (if they are technically aware enough) to dig through whatever security mechanism you put in place, find the appropriate keys/headers/whatever and call the API themselves.
As Rodney has said: If you have some sort of authentication that is integrated with your website and with API Gateway (perhaps using Cognito or a Lambda Authoriser) then only authenticated users will be able to call the API. That's still not perfect but it restricts access and also gives you the ability to see who is doing what with the API.
You might also consider using short-lived tokens (again, coupled with an authorizer on the API) but that still won't solve the underlying problem - that the user can still use those tokens for whatever the lifetime is; and they can renew them - because the website can do the same thing.
Relevant content
- Accepted Answerasked 9 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 9 months ago
