AWS API Gateway - REST calls - Costs when CORS fails - amazon-web-services

On AWS official documentation it is written:
For HTTP APIs and REST APIs, you pay only for the API calls you
receive and the amount of data transferred out.
Do I also have to pay if CORS is enabled and the request comes from another origin?
Thus, can I use CORS as kind of a free restriction rule and reject the request because of CORS reasons? How could I do that?

Related

aws api gateway and lambda cors configuration HTTP api

I have an aws lambda setup using nodejs to basically receive a request with query parameters, trigger another https request and then send the response back.
Configuration for this otherwise is essentially default.
I have then added a trigger to this lambda in the form of an api gateway HTTP api (not REST api).
I have managed to get the api itself to work however I am getting blocked with the usual CORS issues. (i verified the path with Moesif CORS and origin changer to make sure everything else works and it does).
My CORS configuration in the api gateway is basically set to have
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Expose-Headers: No Expose Headers are allowed
Access-Control-Max-Age: 0 seconds
Access-Control-Allow-Credentials: No
I keep finding different pages explaining how to enable cors and so on but mostly seem to be either for an old version of the configuration or for REST api's which look to be quite different.
As it stands, I get this error so i never am allowed to use my api:
Access to fetch at 'https://path.to.my.api?query1=a' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I would want to either allow all origins or disable CORS completely for this really.
Disclaimer: I am quite new to the whole aws infrastructure so some terminology related to it might still be not yet understood.
Edit 1:
After some more digging. I have realised that the call that is failing with the cors error is the first of the two calls happening.
That is to say, this is the call that is ending up on my google domain (which normally would redirect temporarily to my aws gateway - this was setup following instrctions on aws to make a "synthetic record" on the domain settings to return a 302 to the execute-api.eu-central-1.amazonaws.com url), not the call that returns the actual data.
Edit 2:
I have tried adding a route in my api gateway for OPTIONS on the same path, pointed to my lambda which returns the appropriate headers when triggered, however this doesn't seem to get called at all in this case. So i imagine api gateway is trying to handle it on its own but failing somehow

Default Response Headers: AWS API Gateway w/ Proxy Integration

We have an Angular SPA front end, which communicates through an AWS API Gateway to a .Net Web API hosted in a Lambda function. This configuration mandates that our API Gateway uses proxy intgeration with the Lambda.
Generally, this works well. We have enabled CORS in our API, and normal requests and responses flow as expected.
However, when something happens that breaks the API Gateway or .Net Lambda Wrapper, such as exceeding the Gateway's (non-configurable) 30-second timeout, or exceeding Lambda's max response size, the response message from the API Gateway does not contain a CORS header. As a result, regardless of the actual error, our front end registers a CORS error.
Is there some way to configure the API Gateway to always return a default CORS header?
Please note that this is happening outside of our code - there is nothing I can do inside of the C# lambda function, as this relates to errors happening above that level.
Yes, you can set it at AWS API Gateway Level
Login to AWS Console, Open API Gateway Service, Select your desired gateway.
On the left-hand side panel, select "Gateway Responses" (this will appear under your selected gateway)
now on the right-hand side, select "Default 5XX"
Add Default Headers for Cors like Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin
Save the changes and re-deploy the gateway.
Please refer this image to navigate to the desired section
Hope it helps.

Prevent AWS Lambda flooding

I'm considering about moving my service from a VPS to AWS Lambda + DynamoDB to use it as a FaaS, because it's basically 2 API GET calls that fetch info from the database and serve it, and the normal use of those API calls are really rare (about 50 times a week)
But it makes me wonder... As I can't setup a limit on how many calls I want to serve each month, some attacker could theoretically flood my service by calling it a couple thousands times a day and make my AWS bill extremely expensive. Setting up a limit per month wouldn't be a nice idea either, because the attacker could flood the first day and I won't have more requests to serve. The ideal thing would be to set up a limit on request rate per client.
Anyone knows how could I protect it? I've seen that AWS also offers a Firewall, but that's for CloudFront. Isn't there any way to make it work with Lambda directly?
You can put AWS CloudFront in front API Gateway and Lambda so that, the traffic will be served to outside through CloudFront.
In addition by configuring AWS WAF with rate base blocking, it is possible to block high frequencies of access by attackers.
However when configuring AWS CloudFront in front of API Gateway and Lambda, you also need to restrict direct access to API Gateway (Since API Gateway will be publicly accessible by default). This can be achieved in following ways.
Enable API Keys for API Gateway and use the API Key in AWS CloudFront Headers in the Origin.
Use a Token Header and Verify it using a Custom Authorizer Lambda function.
Two options spring to mind:
place API Gateway in front of Lambda so that API requests
have to be authenticated. API Gateway also has built-in throttles and other useful features.
invoke the Lambda directly, which will require the client
invoking the Lambda to have the relevant IAM credentials.

Secure AWS API Gateway with Lambda Integration

I am creating a publicly available API using API Gateway which is backed with lambda functions to do some processing. I have secured it with a custom security header that implements hmac authentication with timestamp to protect against replay attacks.
I understand that API Gateway protects against DDOS attacks through its high availability, but any invalid requests will still be passed to the lambda authentication function. So, I guess an attacker can submit invalid unauthenticated requests resulting in high costs. It will take a considerable number of requests to cause damage but it is still very doable. What is the best way to protect against that ?
Thank you
To prevent DDoS and higher rate of access, you can setup WAF. Have a look at this link, to get a deeper understanding how to setup WAF with API Gateway.
API Gateway will not charge you for unauthenticated requests, however you would be charged by Lambda for the invocation on the authorizer.
API Gateway offers a semi-useful mitigation to this problem in the form of the 'identity validation expression' on the Authorizer, which is just a regex that is matched against the incoming identity source header.
Besides that, you might want to just implement some kind of negative cache or validation yourself in the Authorizer function to minimize the billed milliseconds.

AWS API Gateway - Enable caching per-request

Is it possible to enable/disable caching a request through the AWS API Gateway in the response of the request?
According to this document: http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html It appears that the most granular one can get in defining cache settings is enabling/disabling caching for a specific API function. What I am wanting to do is allow the response for the API request to dictate whether or not it is to be cached. (i.e. I want my end API program to be able to determine if a response for a given request should be cached).
Is this possible, and if so how can it be accomplished?
Configure your own CloudFront distribution, with the API Gateway endpoint as the origin server. CloudFront web distributions respect Cache-Control headers from the origin server. If you customize that response, this should accomplish your objective.
API Gateway, as you may already know, runs behind some of the CloudFront infrastructure already, so this might seem redundant, but this appears to be the only way to take control of the caching behavior.