How to deal with URI request parameter in AWS API Gateway? - amazon-web-services

I am working with AWS API Gateway and some of the APIs require a URI request parameter (example). Can I simply call it with the URL below? Is there any setting I need to configure in API Gateway?
https://xxxxxxxxxx.execute-api.awsregion.amazonaws.com/my_stage/my_resource/target-policies/my_policy_name
Also what does Pattern: [\w+=,.#-]+ mean?

I am not sure if I understood your doubt 100%.
The link you provided is related to attaching a policy on API Gateway.
The pattern you ask about is the set of allowed characters for the policy name.
If your question is about getting URI parameters, for example via query string, you can just post it to your API Gateway and use it in your method integration.

Related

Changing Rest API Endpoint Url dynamically in AWS Api Gateway

I'm looking for a solution where AWS API Gateway changes the method endpoint URL dynamically.
I am familiar with stage variables, and in the Integration Request I can change the endpoint per method, like (https://${stageVariables.Url}/api/DoSomething).
What I need is for the endpoint to be parsed from information included in the request:
https://${RequestData.Url}/api/DoSomething
I have the same API in different locations, and to implement centralized API keys and logging services I am trying to forward all traffic through this one API Gateway.
After the first request the client gets its endpoint information, but I don't know how to make the client's next requests to the Gateway forward to the endpoint the client got earlier.
I got an answer from AWS support. They told me that I have to make a Lambda function to process all requests or just use stage variables.

Specify dynamic subdomain in API Gateway integration request

I would like to specify a dynamic subdomain in an Integration Request in API Gateway, but the UI is telling me that the URL is malformed. I can add this parameter to the path of the URL with no problems (although I still get the warning "the endpoint you have entered contains parameters that are not defined in the resource path"). Is this mapping to subdomain possible using API Gateway, or do I need a lambda to accomplish this? Thanks
I couldn't get this to work, so I assume it's not supported. I ended up making a different Gateway for each subdomain (I only have a few) and using a Lambda to switch between them. You could also use a Lambda without a Gateway if you have many different subdomains.

How to secure AWS API Gateway without Authentication

Hello guys, I have written an AWS Lambda function which should be open to all. I have also configured my CloudFront, which will be accessible to users. How can I make the API Gateway take requests only from CloudFront, or whitelist the CloudFront domain? Something like Allowed_hosts.
It should not respond to any calls from Postman or any such tools. API Gateway should only respond to calls from CloudFront.
How can I do this? I don't want to have an authentication system set up like Cognito or IAM.
Is there any better method to do this?
I have looked at CORS and Access-Control-Allow-Origin, but these are browser based.
I need a method which will accept calls only from CloudFront or my S3 bucket, not from localhost or Postman etc.
Thanks in advance.
Step 1:
Set up API Keys with API Gateway.
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-setup-api-key-with-restapi.html
Step 2:
Add API Keys to CloudFront Origin with a custom header.
If anyone calls the API Gateway without a valid key, it will get refused.
To set up authentication on CloudFront you can sign the URLs.
Hope it helps.
I do not think that there is a way to restrict calls to your API GW endpoints... However, you can use the so-called API Keys. When you make a request to the specific API GW endpoint, you need to provide a header x-api-key and the corresponding API Key as a value. As long as you provide the header with correct value, you will be able to access the functionality behind your endpoint. If you do not provide a correct API Key, you will simply get 403 Forbidden.
Please take a look here and if you have any questions, read through the documentation. It's quite clear.
If there is anything unclear in my answer, I am open to help!
Cheers.

How to secure the APIGateway generated URL?

I have a serverless backend that operates with APIGateway and Lambda. Here is my architecture:
Currently, anyone with my APIGateway's URL can query or mutate the data. How do I protect the URL so that only the client (React app) can access it? Here is my concern: anyone can open the network tab in the Chrome console, get my APIGateway's URL and use it with curl or Postman. I want to prevent that.
Solutions I had in mind:
Set up CORS, so that only the origin can access it. But I have a different Lambda that invokes this URL, so CORS won't work out.
I am sure there are some methods with the APIGateway itself. I am not getting right search term to get it from AWS documentation. I would also like to know what are the best practices to prevent accessing the backend URL apart from the Client(React App)
Update after #Ashan answer:
Thank you #Ashan for the answer. In my case, I use Auth0, so a custom authoriser should work for me. I just came across this https://www.youtube.com/watch?v=n4hsWVXCuVI, which pretty much explains all the authorization and authentication possible with APIGateway. I am aware that authentication is possible with either Cognito or Auth0, but I have some simple websites that have a form whose backend is handled by APIGateway. I can prevent abuse from scraping bots using a captcha, but once the attacker has got the URL, headers and request parameters, he can invoke it a million times. One thing we can do is have an API key, but it is a static string with no expiration. Once he has the headers, he can abuse it. So, any idea how to prevent this in APIGateway? If not, is there any other service apart from AWS that I can look at? I would be glad to get an answer for this.
Currently API Gateway does not support private urls, so it will be publicly available.
To restrict access you need to use an authorizer to authenticate and authorize the request using IAM policies. There are two options available at the moment.
IAM authorizer
Custom authorizer
If your authentication flow can directly (AWS STS, IAM user access keys or roles) or indirectly (using AWS Cognito User Pools or any other SSO provider) get temporary security credentials, then you can use the IAM authorizer. On the API Gateway side no code is involved, and it's a matter of selecting the IAM check box for each API Gateway resource. You can use the API Gateway SDKs to invoke API Gateway requests, where the SDK will handle the heavy lifting of setting up authentication headers.
If you use your own authentication mechanism, then you can write a separate Lambda function to validate the tokens. This Lambda function's name can be specified in API Gateway, along with the name of the HTTP header that carries the custom token, to verify the requests.
To control API usage by authorized consumers, using API Key is the only way native to AWS at the moment.
Since you are using S3 for the React app hosting, you can further reduce the attack surface by using AWS WAF and CloudFront in front of your application stack. The API Key can be added to CloudFront headers to forward to your APIGateway origin, and since CloudFront and APIGateway communication happens using SSL, it's nearly impossible for someone to find the API key. Using AWS WAF you can limit malicious access for common attacks. This includes rate-based blocking to limit someone from repeatedly invoking the API.
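A sketch of the custom (Lambda) authorizer option described in the answer above, added here as an example and not code from the thread. It assumes a TOKEN-type authorizer and a hypothetical token format `<unix-expiry>.<hex HMAC-SHA256>`; the `TOKEN_SECRET` variable, the principal label and the sample values are constructed. Unlike a static API key, the token expires.

```python
import hashlib
import hmac
import os
import time

# Assumption: shared secret supplied via an environment variable
# (TOKEN_SECRET is a hypothetical name; the default is a constructed demo value).
SECRET = os.environ.get("TOKEN_SECRET", "constructed-demo-secret").encode()


def sign(expiry: int) -> str:
    """Issue a token of the assumed form '<unix-expiry>.<hex HMAC-SHA256>'."""
    mac = hmac.new(SECRET, str(expiry).encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def token_is_valid(token: str, now: float) -> bool:
    """Reject malformed, forged and expired tokens."""
    expiry_text, sep, mac = (token or "").partition(".")
    if not sep or not (expiry_text.isascii() and expiry_text.isdigit()):
        return False
    expected = hmac.new(SECRET, expiry_text.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    return int(expiry_text) > now


def policy(effect: str, resource: str) -> dict:
    """Authorizer response: a principal plus an IAM policy for execute-api:Invoke."""
    return {
        "principalId": "react-client",  # hypothetical principal label
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: API Gateway passes the configured header
    as event['authorizationToken'] and the called method as event['methodArn']."""
    now = time.time() if now is None else now
    ok = token_is_valid(event.get("authorizationToken", ""), now)
    return policy("Allow" if ok else "Deny", event["methodArn"])
```
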

Limit AWS API Gateway endpoint with GET parameters

I have an API Gateway endpoint at some url, like this:
https://api.myapp.com/myendpoint
The people and/or services that are going to be accessing this endpoint need to pass particular parameters and values to the endpoint. Like this:
https://api.myapp.com/myendpoint?token=123456
Is it possible to limit access to the endpoint if the token parameter is missing OR if the token value is not a specific pre-determined value? Can I set up my endpoint to simply ignore calls that don't have the proper token?
I'm planning on using Lambda as the backend. Do I have to deal with this in my Lambda function? Ultimately, I'm trying to avoid unnecessary Lambda and API Gateway usage costs by random individuals making bogus calls to the endpoint. So if I can have API Gateway simply ignore these calls without spinning up Lambda that would be ideal.
If I am able to have API Gateway ignore these calls, do I still get billed for usage when bogus calls are made to the endpoint(s) that are missing the token?
The reason I'm asking is because the 3rd party service that is going to access this endpoint does not have any options for passing authentication parameters in headers or using AWS Cognito, etc. So I'm just trying to think of a simple way to limit access.
You will need to perform this validation in Lambda.
If you have a mapping for a query parameter token to the integration endpoint, then for a request like ...?token=123 API Gateway will pass the parameter to the endpoint, but for ...?token=, API Gateway will not.
API Gateway does not do validation of query parameters like you want, and you will be billed for the requests.
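One way to do the Lambda-side check the answer above calls for, added here as an example and not code from the thread. It assumes Lambda proxy integration (so the query string arrives in `queryStringParameters`) and a hypothetical `EXPECTED_TOKEN` environment variable; the default value is the constructed token from the question's sample URL.

```python
import hmac
import json
import os

# Assumption: the pre-determined token comes from an environment variable
# (EXPECTED_TOKEN is a hypothetical name; the default is a constructed demo value).
EXPECTED_TOKEN = os.environ.get("EXPECTED_TOKEN", "123456")


def extract_token(event: dict):
    """Return the 'token' query parameter, or None if it is absent or empty.

    With proxy integration, queryStringParameters is None when the URL has
    no query string, so it cannot be indexed directly.
    """
    params = event.get("queryStringParameters") or {}
    token = params.get("token")
    return token if token else None  # treat '?token=' like a missing token


def respond(status: int, message: str) -> dict:
    """Build a proxy-integration response."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"message": message}),
    }


def handler(event, context=None):
    token = extract_token(event)
    if token is None:
        return respond(403, "Forbidden")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
        return respond(403, "Forbidden")
    # Real work runs only after the check, so rejected calls return immediately.
    return respond(200, "ok")
```
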