Reputation: 378
AWS API Gateway - Elastic Beanstalk - Restricted Access
I have a NodeJS API on Amazon EB and an API on API Gateway. API Gateway is configure as a proxy to EB.
I can call my API without problem, it's working but I don't know how to manage security.
Actually if I use the API Gateway URL I must sign the request (it's ok!) but I can use the EB URL and nothing is necessary.
Before using API Gateway I was using JWT but now what shall I do on my Node app? API Gateway is using the Authorization header for sign the request, so my Node app must check this signature maybe? Or something else?
Upvotes: 2
Views: 1451
Answers (1)
Reputation: 3745
The recommended approach to restricting back end access to only API Gateway is to use client side certificates. See documentation here
Note that if using client certificates with ELB, you must configure the ELB in tcp mode and terminate the SSL connection on your application server as ELB does not support client certificate validation.
An alternate approach is to configure your API Gateway to add a header with a secret value and then validate the value on your application server before processing the request. This is generally considered less secure, since its easier for an attacker to obtain your secret value. At a minimum, you would want to use SSL between your API Gateway and your application server so the secret isn't sent in plain text.
Upvotes: 2
Related Questions
- Allow request from API Gateway to private ALB
- API Gateway configuration returns 403
- AWS API Gateway restricted access from S3 static web page only
- AWS API Gateway 403 Forbidden
- AWS API Gateway URL returns {"message":"Forbidden"}
- AWS API Gateway + Elastic Beanstalk and Microservices
- VPC settings to restrict access of Elastic Beanstalk URL to only API Gateway?
- Unable to get AWS NAT gateway working for API with IP whitelist
- Accessing AWS API Gateway from an EC2 using IAM authorization (NodeJS)
- Running spring boot application in AWS and only allowing access via the AWS API Gateway