Reputation: 342
We have an API hosted in AWS API Gateway. This needs to be secured, and for that we use the AWS Cognito User Pool to give access to a mobile client and a web application.
We would also like to give access to the API to internal systems, which in our case are AWS Lambdas.
Can anyone explain the best approach for securing API Gateway resources for both external end users and internal microservices?
Any help is appreciated.
Upvotes: 2
Views: 1039
Reputation: 694
EXTERNAL USERS AUTHENTICATION
In order to secure API Gateway you can combine AWS Cognito and API Gateway.
Go to:
AWS Console -> API Gateway -> Choose your API -> Authorizers -> Create New Authorizer
Then choose your API -> Resources -> for each method that needs authorization, attach the authorizer in Method Request as follows:
As you are using a mobile app, it is better to implement AWS Amplify in your app to handle the Cognito authentication. After the user's login you can retrieve a token and send it in the Authorizer header with each of your API calls, in order to confirm that the user is signed in and can use the API.
INTERNAL MICROSERVICES
For internal microservices you can just use IAM roles and grant these roles access to call your API Gateway. Then attach the roles to your EC2 instances or Lambdas.
Using the above solution (Authorizer header with Cognito tokens) in combination with IAM roles WILL NOT WORK for calling the API directly, as the call will be blocked by the Cognito authorizer.
A workaround would be to call your Lambdas directly from your internal microservices through IAM roles and use the API only for external usage. An alternative would be to have 2 APIs connected to the same Lambdas, one for internal usage and one for external.
A different approach
The cleanest solution in your case, in my opinion, would be to not use the Cognito authorizer for authentication but instead use AWS_IAM as the authorization method in your API, create a group in AWS Cognito, include all Cognito users in this group, and attach an IAM role to the group. By doing this, when a Cognito user signs in, they will get temporary access keys through the attached IAM role and can call your API. At the same time, when you internally attach this role to your Lambdas, they will have access to your API as well.
In order to implement this approach you can follow:
An interesting URL about how Amazon API Gateway resource policies affect the authorization workflow:
Upvotes: 3