WebSocket APIs in API Gateway are currently only offered with a Regional endpoint type and must be accessed over the internet, which means they cannot be made private like REST APIs. However, you can implement several security measures to protect your WebSocket API:
For your first question about network-level security:
- While you can't restrict access to specific VPCs directly, you can implement robust authorization mechanisms:
  - Configure an authorizer for the $connect route on all your WebSocket APIs (recommended for security compliance)
  - Use IAM authorization to control access with fine-grained policies
  - Implement throttling to protect your API from being overwhelmed by too many requests
You can use IAM policies to restrict which clients can connect to your API. For example, you could create policies that allow specific IAM roles (associated with resources in your VPC) to invoke your API while denying others.
For your second question about alternatives:
- AppSync Subscriptions is indeed an alternative for real-time data, but as you noted, it requires application changes
- For your WebSocket API, you can enhance security by:
  - Using Lambda authorizers to implement custom authorization logic
  - Implementing SSL certificates for backend authentication if using private integration with NLB
  - Setting up API Gateway request validation to ensure requests adhere to your configured schema
If you proceed with WebSocket API Gateway, implementing a combination of IAM authorization, Lambda authorizers, and proper throttling can provide a robust security posture even though the endpoint remains public. The key is to ensure that only authenticated and authorized clients can establish and maintain connections.
Sources
Control and manage access to WebSocket APIs in API Gateway - Amazon API Gateway
Protect your WebSocket APIs in API Gateway - Amazon API Gateway
Security - Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
WebSocket API - Best Practices for Designing Amazon API Gateway Private APIs and Private Integration
Control access to WebSocket APIs with IAM authorization - Amazon API Gateway
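The answer above recommends an authorizer on the $connect route and IAM policies that decide which clients may invoke the API. The following is an added example, not AWS's code and not part of this thread, of a Lambda REQUEST authorizer for $connect that combines the two: it validates a bearer token and returns the IAM policy document API Gateway expects, allowing or denying execute-api:Invoke on the connection's method ARN. The token format (user:expiry:HMAC), the AUTH_SECRET environment variable and the fallback secret are assumptions made for the example; a real deployment would verify a JWT from your identity provider instead.

```python
"""Hypothetical Lambda REQUEST authorizer for the $connect route of an
API Gateway WebSocket API (added example; not AWS's own code).

Assumptions (not from the thread): the client sends an HMAC-signed token in the
Authorization header, or in the `token` query-string parameter because browser
WebSocket clients cannot set custom headers; the token is shaped
`<user>:<expiry-epoch>:<hex hmac>`; the shared secret is in AUTH_SECRET.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed fallback so the example runs offline; in a deployment the value
# comes from the environment or a secrets manager, never from source code.
SECRET = os.environ.get("AUTH_SECRET", "example-secret-do-not-deploy").encode()


def sign_token(user: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue `<user>:<expiry>:<hmac>`; the login service that hands tokens to
    clients would call this after its own authentication check."""
    msg = f"{user}:{expires_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}:{expires_at}:{mac}"


def verify_token(token: str, now: Optional[int] = None,
                 secret: bytes = SECRET) -> Optional[str]:
    """Return the user name if the token is well-formed, unexpired and its MAC
    matches; otherwise None. The MAC comparison is constant-time."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, expiry_str, mac = parts
    if not expiry_str.isdigit() or int(expiry_str) < now:
        return None
    expected = hmac.new(secret, f"{user}:{expiry_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return user


def _policy(effect: str, method_arn: str) -> dict:
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": effect,
            "Resource": method_arn,
        }],
    }


def handler(event: dict, context=None, now: Optional[int] = None) -> dict:
    """Lambda entry point. API Gateway invokes it only for $connect; on Deny the
    WebSocket handshake fails with 403 and no connection is created, so the
    later routes never see an unauthenticated peer."""
    method_arn = event["methodArn"]
    headers = event.get("headers") or {}
    query = event.get("queryStringParameters") or {}
    token = headers.get("Authorization") or query.get("token") or ""
    user = verify_token(token, now=now)
    if user is None:
        # Rejections show up in API Gateway execution logs as authorizer
        # failures, which is the signal to alert on for credential guessing.
        return {"principalId": "anonymous",
                "policyDocument": _policy("Deny", method_arn)}
    return {
        "principalId": user,
        "policyDocument": _policy("Allow", method_arn),
        # Exposed to the $connect integration as requestContext.authorizer.<key>
        # so the backend can tie the connection id to the authenticated user.
        "context": {"user": user},
    }
```

Pairing this with IAM authorization on the other routes (or with the same authorizer's context recorded at $connect time) covers the point in the answer that the endpoint stays public but only authenticated clients can open and keep a connection.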
Hi Piotr.
First of all, what are the security controls you would like to implement for this "endpoint":
- Source IP and/or L4 filtering only?
- WAF (L7, Geo-filtering)?
- anti-DDoS?
- API Gateway-specific features like throttling (not necessarily network-related)?
Possible solutions would depend on that. But generally, for WAF and network-level filtering, using an ELB+ECS combo, where the ECS task runs a WebSocket server, is indeed one of the common ways.