Michael Mallett

Reputation: 744

Limiting public api gateway to specific IP

I have an API Gateway that is going to be accessed by a front-end JavaScript application. With that in mind we can't feasibly limit access to an API key (I don't think?), so I'd really like to limit it by IP address... but I can't find a way to do that. Is that even possible as it's not actually coming from a server?

So the site is hosted on S3 with CloudFront in front. The API Gateway accepts a couple of keys and that hits a Lambda script and gets saved to DynamoDB. If someone wanted to they could just spam the hell out of it with values. I only want the web app to be able to talk to it. I'm still learning a lot of AWS! I hoped I could use Shield or WAF but it seems a no go. Any suggestions?

Upvotes: 2

Views: 2386

Answers (1)

Khalid T.

Reputation: 10567

Of course, it is not a good idea to hard-code any credential or API key in your app, and most of the time, you'll find articles that explain how to use Web federated identity providers to authorize your API calls through API Gateway (see Setting Credentials in a Web Browser), but since you're using CloudFront, there is another workaround for that.

You can store your API key (or even IAM credentials) in a separate file on S3 but limit its access to a specific IP address so that your script can get the key and make the API call. All other IP addresses cannot retrieve the API key and thus cannot call the API method.

  1. Require your users to access your content only through CloudFront. See: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content. This way, the API key cannot be retrieved using S3 URLs.
  2. Specify the AWS account that you want to use to create the signed URL. See: Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers).
  3. Create a signed URL using a custom policy with a long-term expiry date. See: Creating a Signed URL Using a Custom Policy. Using a custom policy (as opposed to a canned policy) allows you to specify the IP address or range of IP addresses of the users who can access your content. This generated signed URL will be used whenever you want to call the API method.
  4. Select your distribution in CloudFront and add a Behavior with a Path Pattern that points to your API key file, e.g., api-key.json. Make sure that Restrict Viewer Access is set to Yes for the behavior. Make sure that this behavior has precedence over the Default behavior by placing it at the top of the list, i.e., precedence is 0.
  5. Make sure that Restrict Viewer Access is set to No for the Default cache behavior, which will make all of your content public EXCEPT for the API key file above.

NOTE: If you're certain your signed URL is stored securely and nobody has access to it, you can remove the IP address requirement from your custom policy since it would be redundant to check for the IP address in this case. Of course, this will allow you to use a canned policy instead.

Upvotes: 4
