API Gateway User Authentication Best Practices


Hello Everybody! As a best practices question, how would you recommend providing authentication for an API gateway endpoint exposed to the internet? Think S3 website, HTML form, JavaScript form handler making a request to API Gateway backed by a Lambda function. I'm very interested to read about the techniques you're using.

2 Answers

Integrate AWS API Gateway with Web Application Firewall to prevent OWASP Vulnerabilities. Use Predefined or create Custom rules based on your regulatory requirements.

Lambda authorizer functions for controlling access to API methods using token authentication(JWT Validation).

Enforce API Keys/Tokens to the API Users and implement API access plans and rate limiting by leveraging AWS API Gateway OOB functionalities.

Create an Amazon API Gateway Private API with AWS VPC Lambda proxy integration.https://serverlessland.com/patterns/cdk-private-api-lambda

Enable real time security event monitoring with proper audit trails and logs . Raise alerts/Notification in case of deviation from normal access patterns

answered 2 years ago

API Gateway supports multiple mechanisms for controlling and managing access to your API.

You can use the following mechanisms for authentication and authorization:

  • Resource policies let you create resource-based policies to allow or deny access to your APIs and methods from specified source IP addresses or VPC endpoints.
  • Standard AWS IAM roles and policies offer flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage your APIs, as well as who can invoke them.
  • IAM tags can be used together with IAM policies to control access.
  • Endpoint policies for interface VPC endpoints allow you to attach IAM resource policies to interface VPC endpoints to improve the security of your private APIs.
  • Lambda authorizers are Lambda functions that control access to REST API methods using bearer token authentication—as well as information described by headers, paths, query strings, stage variables, or context variables request parameters. Lambda authorizers are used to control who can invoke REST API methods.
  • Amazon Cognito user pools let you create customizable authentication and authorization solutions for your REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods.

Refer to Controlling and managing access to a REST API in API Gateway

answered 2 years ago
  • I think OP question is what would be the best practice given the use case mentioned.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions