Jay Prall

Reputation: 5465

How to secure an HTTP based API Gateway in AWS

There are two versions of the AWS API Gateway:

I am using the newer HTTP version with a lambda authorizer and would like to protect my staging/test environments from outside requests. One idea is to put a WAF in front of the API gateway, but unfortunately only the REST version of the gateway supports a WAF.

Any suggestions for how to protect these resources so they can only be accessed from a specific IP range? (Company VPN)

Upvotes: 6

Views: 2654
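Since the question already has a Lambda authorizer in front of the HTTP API, the IP-range restriction can be enforced there. The following is an added illustration, not code from the question or from either answer: a Python authorizer that allows a request only when API Gateway's reported source address falls inside an allow-list of VPN CIDR ranges, and denies everything else (including malformed or missing addresses). It assumes the authorizer is attached with payload format version 2.0 and simple responses enabled, so it returns `{"isAuthorized": bool}`; the `ALLOWED_CIDRS` variable name and the sample ranges are constructed placeholders.

```python
"""Lambda authorizer for an HTTP API that allows only a company VPN IP range.

Added illustration, not code from the question or either answer. Assumes the
HTTP API uses a Lambda authorizer with payload format version 2.0 and simple
responses enabled, so the function returns {"isAuthorized": bool}.
"""
import ipaddress
import os

# Hypothetical environment variable: comma-separated CIDRs of the company VPN.
# The defaults are RFC 5737 documentation ranges, used only as placeholders.
ALLOWED_CIDRS = os.environ.get("ALLOWED_CIDRS", "198.51.100.0/24,203.0.113.0/24")


def parse_allowed_networks(cidr_list):
    """Turn 'a/24,b/16' into ip_network objects.

    strict=True rejects entries with host bits set (e.g. 10.0.0.5/24) so a
    mis-typed allow list fails at invocation time instead of silently widening.
    """
    networks = []
    for entry in cidr_list.split(","):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def source_ip_allowed(source_ip, networks):
    """True only if source_ip parses and falls inside one of the networks.

    Unparseable or missing values are denied (fail closed). An IPv6 source
    never matches an IPv4-only allow list, and vice versa.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in networks)


def handler(event, context=None):
    """Authorizer entry point.

    The address is read from requestContext.http.sourceIp, which API Gateway
    fills in from the connection itself; the X-Forwarded-For header is not
    consulted because a client can set that header to anything it likes.
    """
    networks = parse_allowed_networks(ALLOWED_CIDRS)
    source_ip = event.get("requestContext", {}).get("http", {}).get("sourceIp")
    allowed = source_ip_allowed(source_ip, networks)
    return {
        "isAuthorized": allowed,
        # Simple-response context values are exposed to the integration and
        # to access logs as $context.authorizer.<key>; useful for auditing denies.
        "context": {
            "sourceIp": source_ip or "",
            "reason": "vpn-range" if allowed else "ip-not-allowed",
        },
    }


# Constructed sample events in the HTTP API v2 authorizer shape.
SAMPLE_VPN_EVENT = {
    "version": "2.0",
    "routeKey": "GET /health",
    "requestContext": {
        "http": {"method": "GET", "path": "/health", "sourceIp": "198.51.100.42"}
    },
}
SAMPLE_OUTSIDE_EVENT = {
    "version": "2.0",
    "routeKey": "GET /health",
    "requestContext": {
        "http": {"method": "GET", "path": "/health", "sourceIp": "192.0.2.7"}
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_VPN_EVENT))      # isAuthorized: True
    print(handler(SAMPLE_OUTSIDE_EVENT))  # isAuthorized: False
```

A check like this only filters who may call the staging routes; it is still worth pairing it with the throttling that the HTTP API offers, since denied requests still reach API Gateway and the authorizer before being rejected.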

Answers (2)

valdeci

Reputation: 15265

When using API Gateway, the HTTP API type misses some of the Security options that we have available when comparing it with a REST API, as we can see in the following table:

Security HTTP API REST API
Mutual TLS authentication
Certificates for backend authentication
AWS WAF
Resource policies

A full comparison can be found here.

To protect your HTTP API from certain threats, like malicious users or spikes in traffic, API Gateway provides by default the options of setting throttling targets and/or enabling mutual TLS.

To understand more about these default options, take a look at this page: Protecting your HTTP API.

If you want to use WAF, you can create a private integration with ALBs, which support WAF. This means you can get the benefits of WAF while still enjoying the lower cost and higher performance of HTTP APIs.

Your architecture can be similar to the following one:

[architecture diagram]

To understand more about these integrations, take a look at this page: Best Practices for Designing Amazon API Gateway Private APIs and Private Integration.

Upvotes: 10

Bruno9779

Reputation: 1669

You can create private API Gateways using the tags aws:SourceVpc and aws:SourceVpce in the API resource policy.

link to aws official documentation

Upvotes: 0
