Reputation: 2622
I am managing the users and their authentication/authorization process on the AWS server (using Cognito, API Gateway and IAM features), and I've written the microservices in a Grails app which is / will be hosted on a different server. The services are public now, as I'm using AWS Cognito for the authentication and authorization. I want to access all my microservices from AWS's API Gateway only. I read about client certificates, but no appropriate doc is found.
Any help would be appreciated! Thanks!
Upvotes: 1
Views: 951
Reputation: 179364
It seems like you are looking for an API Gateway Private Integration.
The API Gateway private integration makes it simple to expose your HTTP/HTTPS resources behind an Amazon VPC for access by clients outside of the VPC. To extend access to your private VPC resources beyond the VPC boundaries, you can create an API with private integration for open access or controlled access. You can do this by using IAM permissions, a custom authorizer, or an Amazon Cognito user pool.
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-private-integration.html
Private integrations leverage other features of VPC (Network Load Balancer and VPC Link) to allow API Gateway access to a "backdoor" connection to your instance-based services, so that they do not need to be exposed to the Internet at all. The traffic flows from a (hidden) VPC owned by API Gateway, into your VPC, via a virtual private channel that has access to an NLB.
Upvotes: 2
Reputation: 1680
Client Certificates are the best way to go.
You can use API Gateway to generate an SSL certificate and use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway. This allows your HTTP backend to control and accept only requests originating from Amazon API Gateway, even if the backend is publicly accessible.
Think of it as inverting the typical role of an SSL certificate (which currently verifies that the HTTP response you're viewing came from StackOverflow.com.)
Instead, you'll use this client certificate to verify in your microservices' HTTP layers that the request came from your API Gateway. To do this, generate a Client Certificate for your API gateway. Then, retrieve the PEM-encoded public key from the same interface, and configure your HTTP server to only accept connections which are encrypted with this client certificate.
This article appears to describe how to configure Tomcat to accept / enforce client certificates: http://www.maximporges.com/2009/11/18/configuring-tomcat-ssl-clientserver-authentication/
<!-- Tomcat HTTPS connector that requires a TLS client certificate (from the linked
     article; the paths and passwords are the article's placeholders).
     keystoreFile/keystorePass: the server's own certificate and private key.
     truststoreFile/truststorePass: the certificates accepted from clients; for this
     use case import the PEM downloaded from API Gateway (keytool -importcert) into it.
     clientAuth="true" is the setting for the default JSSE connector; SSLVerifyClient,
     SSLEngine and SSLVerifyDepth are the equivalents for the APR/native connector. -->
<Connector
    port="8443" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"
    minSpareThreads="5" maxSpareThreads="75" enableLookups="true"
    disableUploadTimeout="true" acceptCount="100" maxThreads="200"
    keystoreFile="/Users/mporges/Desktop/tomcat-ssl/final/server.jks"
    keystoreType="JKS" keystorePass="password"
    truststoreFile="/Users/mporges/Desktop/tomcat-ssl/final/server.jks"
    truststoreType="JKS" truststorePass="password"
    clientAuth="true"
    SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
/>
A less robust option, rather than SSL Client Certificates, might be to add "secret" API keys, e.g. as request headers or query parameters, to all requests from your API Gateway. Your microservices can then look for this API key as indication that the request came from your API Gateway and should be trusted / accepted.
Upvotes: 1