How to use IAM to secure access to application REST endpoints?

0

I have 2 web apps deployed on Elastic Beanstalk. One of them (say SvcA) serves our frontend app, provides access to DB and other services. The other (say SvcB) is just a microservice type of application that only communicates with the backend.

I want to create REST endpoints on SvcA that only SvcB, or some IAM roles, or service accounts can access. I know this can be accomplished using PrivateLink, and by distributing API access keys using Secrets Manager or Parameter Store.

I want to know if we can do this using IAM roles.

  • please accept the answer if it was useful

asked 2 years ago, 304 views
2 Answers
2

If you place API Gateway in front of your services, you can use an API Gateway resource policy to allow access only from a specific IAM role: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-cross-account-example

If you just use Beanstalk services, they are running on EC2 instances, so communication between them is regulated only by Security Groups (allow or disallow IP addresses). IAM identity checking cannot be implemented here by default.

So you have two options:

  • using API Gateway in front of your microservices
  • develop custom authentication logic on the application side
EXPERT, answered 2 years ago
EXPERT, reviewed a year ago
EXPERT, reviewed 2 years ago
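To make the API Gateway option concrete, here is an added example (not code from the answer or from AWS) showing both halves of it: the resource policy that restricts `execute-api:Invoke` to SvcB's role, and the SigV4 signing SvcB has to perform when it calls the endpoint, because a method behind a resource policy that names IAM principals must use the AWS_IAM authorizer and only signed requests are accepted. The signer is written with the standard library only so it runs offline; the API id, account ids, role name and credentials are constructed placeholders (in production SvcB would read its instance-role credentials, including the session token, from the instance metadata service rather than from constants).

```python
"""Added example: IAM-restricted API Gateway endpoint, caller side and policy side.

Assumptions (placeholders, not values from the thread): API id abc123 in
account 111122223333, caller role SvcB-role in account 444455556666, and
the AWS documentation's example access key pair.
"""
import hashlib
import hmac
import json
from urllib.parse import quote

SERVICE = "execute-api"  # service name API Gateway expects in the credential scope

# Constructed credentials for the demo. Real instance-role credentials are
# temporary and always come with a session token.
EXAMPLE_CREDS = {
    "access_key": "AKIAIOSFODNN7EXAMPLE",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_token": "FwoGZXIvYXdzEXAMPLETOKEN",
}


def resource_policy(api_arn_prefix: str, caller_role_arn: str) -> dict:
    """Resource policy attached to the API: only caller_role_arn may invoke
    any method on any path of any stage (the trailing /*/*)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": caller_role_arn},
                "Action": "execute-api:Invoke",
                "Resource": f"{api_arn_prefix}/*/*",
            }
        ],
    }


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: secret -> date -> region -> service -> aws4_request."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method: str, host: str, path: str, query: dict, body: bytes,
                  creds: dict, region: str, amz_date: str) -> dict:
    """Return the headers SvcB must send so API Gateway can attribute the call
    to the role. amz_date is the ISO basic timestamp, e.g. 20240101T000000Z."""
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date}
    if creds.get("session_token"):
        # Temporary (role) credentials must carry the token as a signed header.
        headers["x-amz-security-token"] = creds["session_token"]

    # Canonical request: method, URI, query, headers, signed header list, body hash.
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canonical_request = "\n".join([
        method, quote(path, safe="/-_.~"), canonical_query,
        canonical_headers, signed_headers, payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(creds["secret_key"], date_stamp, region)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    policy = resource_policy("arn:aws:execute-api:us-east-1:111122223333:abc123",
                             "arn:aws:iam::444455556666:role/SvcB-role")
    print(json.dumps(policy, indent=2))
    hdrs = sigv4_headers("POST", "abc123.execute-api.us-east-1.amazonaws.com",
                         "/prod/orders", {"limit": "10"}, b'{"id": 1}',
                         EXAMPLE_CREDS, "us-east-1", "20240101T000000Z")
    print(json.dumps(hdrs, indent=2))
```

Two things the example makes visible that the answer's link does not: the body hash and the query string are part of the signature, so a request altered in transit fails authorization at the gateway rather than reaching SvcA, and the signed timestamp bounds replay to API Gateway's clock-skew window. Rotation is free because the role's temporary credentials are what gets signed with; nothing long-lived has to be distributed to SvcB.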
0

Hello,

Here's how to troubleshoot the issue of CloudFront in one account accessing content from another account's S3 bucket:

  1. Verify IAM Permissions:

Bucket Policy (Account A): Ensure the S3 bucket policy in account A grants access to CloudFront in account B. You'll need to include the CloudFront origin identity as a principal in the policy document. Reference: https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/s3-origin-with-cloudfront.html

IAM Role (Account B):

If using an IAM role with CloudFront, verify the trust policy in account B allows CloudFront to assume the role. Reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/security_iam_service-with-iam.html

  2. Check CloudFront Origin Settings:

Origin Access Identity (OAI): Ensure the CloudFront distribution in account B has a properly configured OAI. This grants access to the S3 bucket based on the IAM permissions in account A.

  3. Review Route 53 Configuration:

Subdomain Routing: Double-check that Route 53 in account A has separate A records or Alias records pointing your desired subdomains to their respective destinations, while the main domain (cloudwatch.com) points to the CloudFront distribution.

EXPERT, answered a year ago
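For step 1 of this answer, here is an added example (not from the answer or from AWS) of the Account A bucket policy that grants the CloudFront origin access identity read access, together with a small audit that flags statements which open the bucket more widely than that. The OAI principal ARN form is the one AWS documents for OAIs (CloudFront's newer origin access control uses a service principal with a distribution condition instead; not shown here). Bucket name and OAI id are constructed placeholders.

```python
"""Added example: S3 bucket policy for a CloudFront OAI and a least-privilege audit.

Placeholders: bucket 'example-static-assets', OAI id 'E1EXAMPLEOAIID'.
"""
import json


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Allow only the OAI to GetObject on the bucket's objects. The OAI lives
    in the CloudFront account, so the principal is the OAI's IAM user ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {
                    "AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that grant more
    than read-only object access to the OAI: any anonymous principal, and any
    action other than s3:GetObject. An empty list means the policy is as tight
    as the CloudFront-only origin needs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: grants access to any principal")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action != "s3:GetObject":
                findings.append(f"statement {i}: action {action} is broader than read-only object access")
    return findings


if __name__ == "__main__":
    policy = oai_bucket_policy("example-static-assets", "E1EXAMPLEOAIID")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy))
```

Because the grant is to the OAI rather than to a public principal, the bucket can keep Block Public Access enabled; a finding from the audit is the usual sign that someone "fixed" a 403 from CloudFront by making the bucket public instead of correcting the OAI grant.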
