Mahesh Mogal

Reputation: 658

How to secure API gateway in Website and mobile application?

We are creating a serverless website using React and are going to create a mobile app for the same. We are using API Gateway to access AWS services, and our website is going to be used by everyone without login or any security. I have two questions about how to secure this API:

  1. For the website, I have set cross-origin access of the API from our website only. Is this enough for security? Is there another way I can secure this?
  2. For the mobile app, this is where I am stuck. How can I secure the API for mobile apps which are going to be used by random users?

Upvotes: 0

Views: 1219

Answers (2)

Jun

Reputation: 3044

Setting cross-origin access alone is good but not enough.

You can secure your API Gateway endpoint using AWS Signature V4. Signature Version 4 is the process of adding authentication information to AWS requests sent over HTTP. In short, it is used to authenticate the requests sent to your API.

You can set up AWS Signature V4 using YAML or through the console. On the front end of the website, you can use the AWS Amplify library to sign the requests. Check out this article on how to sign your API Gateway requests with AWS Signature V4 using AWS Amplify on the front end.

Besides AWS Signature V4, you can also set up a custom authorizer to verify the requests. Check out the IAM Permission and Custom Authorizer sections of this article on how to configure AWS_IAM or a Lambda Authorizer for your API.

Upvotes: 0

Ashan

Reputation: 19738

Since it's required to publicly expose the website and the API, I would recommend exposing both the web application and the API via AWS CloudFront from the same origin (you can map /API to API Gateway and the rest of the paths to S3 if you store the React app in S3).

The advantage you are gaining in terms of security is that you can configure AWS WAF on AWS CloudFront, where you can prevent several common threats.

Note: When you integrate API Gateway with CloudFront, make sure you use an API key from CloudFront (using the API key in origin headers) to access API Gateway, preventing direct access to API Gateway from outside.

Upvotes: 2
