Recently I have been working with AWS API gateway where I created an API and protected it with API key and Cognito (OAuth).
One day I found that my API has been accessed 10K times which failed because of attacker didn't had the access to it.
My question is : Does Amazon charge for such api calls which are unauthorized? If they charge then how to protect it. As I understand even if I put WAF in front it my API url will still be exposed ....
Any help is appreciated...
If you protect your endpoint with the following authorization types: AWS_IAM, CUSTOM, and COGNITO_USER_POOLS, API Gateway will not be charged for failed requests. Please reference the Pricing Documentation. Also reference Secure AWS API Gateway with Lambda Integration
What you are describing is a type of DDoS attack.
This is what you need to do to protect your API Gateway Endpoint from DDoS attack.
1) Create your API
2) Setup CloudFront distribution to your API
3) Front your CloudFront distribution with AWS WAF.
4) Create ACL rule and set requester limit to what you deem appropriate.
5) Test.
You still need to use AWS_IAM or Cognito to do the authorization part.
Here is the document that details the steps:
https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-i/
Related
I was planning a concept for my mobile Game and using AWS Lambda (or Firebase Functions where its the same). Couldn't a bot permanently do a request to my Lambda-Function and generate massive costs by only spamming my Endpoint?
Is there any protection from Amazon / Google or how would you guys secure you Endpoint for this kind of attacks?
See Protecting API Endpoints, and more generally read AWS Best Practices for DDoS Resiliency.
You would use a combination of:
API Gateway (with authenticated clients and, potentially, throttling)
CloudFront
WAF
I have a REST API with usage plans configured on AWS API Gateway.
I want to send an email to the users of the API if they have used > 90% of their plan. What would be the best way to do it?
Is it possible to add the usage information for an API key into the header of the request that comes through API Gateway to the server?
Alternatively, I could use API Gateway REST API, I suppose. I am afraid though that it won't scale to the level of invoke requests against deployed APIs.
You can use cloudwatch to store the number of api calls on the bases of apiid and set an alert on that which will trigger an email
I have moved my microservices behind AWS Api Gateway and have secured it with oAuth 2.0 using AWS Cognito, As per my implementation the client first have to call the cognito url to get the access token, then they will call Api Gateway with the access token to reach till the desired service.
My question is that, should i also move cognito service behind Api Gateway or should i leave it as is, what would be better both in terms of billing and security. Expert Advice required.
This is my first implementation with Aws so please bear with me if the questions sounds stupid.
AWS has a blogpost where they explore a Cognito setup combined with API Gateway. You can read it here. This image is an excerpt of that blogpost:
As you can see, the Cognito infrastructure is not placed behind the API Gateway, but rather in front of it. A good reason for this is to not incur charges for API Gateway when your users are not even able to pass through cognito.
But, this is not a rule. API Gateway offers advantages that could make your life easier, as the OP has pointed out. For instance, API Gateway can impose rate limiting, next to other features.
I have a task to replace current CA layer 7 with new API gateway.
New API gateway should be able to handle
1. Rate limiting
2. Authentication
3. Version handling etc.,
After researching i found we could use AWS api gateway or Kong api gateway or AWS ALB with Cognito for authentication support.
This is so overwhelming to understand the basic differences, could you please give some insight on basic concept in simple words and some pointers or link that i should refer to start with.
API Gateway keep track of every deploy you make in the Deployment History tab. There you will find all versions of your API and you can change to any of them whenever you want.
You can also create your api gateway from a Swagger file.
For every method that you create for a resource you need to configure the Method Request, the Integration Request, the Integration Response and the Method Response.
The Integration Request is where everything happens. You will set there how you are going to handle your requests, if you are going to integrate with any aws service like firehose or if you are going for a lambda integration or with an existing HTTP endpoint.
Mapping Templates uses Apache Velocity Template Language (VTL). http://velocity.apache.org/engine/1.7/vtl-reference.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html
Getting started with REST apis:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started.html
API GATEWAY INTEGRATION TYPES:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-integration-types.html
How to import a rest api:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-import-api.html
Limits and known issues:
https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html
Deploying:
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-deploy-api.html
Publish:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-publish-your-apis.html
AWS API Gateways supports lambda authoriser for authentication which is integrated with any identity provider - Azure AD, Cognito pool etc. It supports both Client Credentials (service to service) authentication and Authentication code(user based authentication) but AWS ALB don't support client credentials authentication flow.
AWS API Gateway also provides caching, request & response mapping, customise handling for each response type, request validation, throttling where AWS ALB is yet to be improved for all these feature.
Kong api gateway also provide similar feature as AWS API Gateway with added features
If all the backend services are deployed in AWS and you don't need
complex API gateway then go for AWS API Gateway. It is pay per use service and you don't need to pay for extra support for API gateway assuming your services are already deployed in AWS.
If you need api gateway solution with complex requirement and extra features then Kong API gateway can be considered. But you will need to either pay for Kong API gateway support or need extra effort in coding when used open source.
AWS ALB can be used only for specific scenarios and it is getting matured day by day.
I have a serverless backend that operates with APIGateway and Lambda. Here is my architecture:
Currently, anyone with my APIGateway's URL can query or mutate the data. How do I protect the URL, so that only the client(react app) can access it. So, here is my concern, anyone can open the network tab in chrome console and get my APIGateway's URL and can use it using curl or postman. I want to prevent that.
Solutions I had in my mind:
Set up a CORS, so that only the origin can access it. But, I have a different lambda that invokes this URL. So, CORS wont work out.
I am sure there are some methods with the APIGateway itself. I am not getting right search term to get it from AWS documentation. I would also like to know what are the best practices to prevent accessing the backend URL apart from the Client(React App)
Update after #Ashan answer:
Thank you #Ashan for the answer. In my case, I use Auth0, so custom authoriser should work for me. I just came across this https://www.youtube.com/watch?v=n4hsWVXCuVI, which pretty much explains all the authorization and authentication possible with APIGateway. I am aware that authentication is possible either by Cognito/Auth0, but I have some simple websites, that has form, whose backend is handled by APIGateway. I can prevent the abuse from scraping bots using captcha, but once the attacker has got the URL, header and request parameters, he can invoke that million times. One thing, we can do is having an API-Key, but it is a static string with no expiration. Once the headers are with him, he can abuse it. So, any idea, how to prevent this in APIGateway. If not any other service apart from AWS that I can look for? Would be glad, If I get an answer for this.
Currently API Gateway does not support private urls, so it will be publicly available.
To restrict access you need to use a authorizer to authenticate and authorize the request using IAM policies. There are two options available at the moment.
IAM authorizer
Custom authorizer
If your authentication flow can directly (AWS STS, IAM user access keys or roles) or indirectly(Using AWS Cognito Userpools or any other SSO provider) can get temporary security credentials, then you can use IAM authorizer. From API Gateway side no code involved and its a matter of selecting the IAM check box for each API Gateway resource. You can use the API Gateway SDKs to invoke API Gateway requests where the SDK will handle the heavy liftings in setting up authentication headers.
If you use your own authentication mechanism, then you can write a seperate Lambda function to validate the tokens. This Lambda function name can be specified at API Gateway with the http hearder name to access the custom token to verify the requests.
To control API usage by authorized consumers, using API Key is the only way native to AWS at the moment.
Since you are using S3 for the react app hosting, you can further reduce the attack surface by using AWS WAF and CloudFront infront your application stack. The API Key can be added to CloudFront headers to forward to your APIGateway origin and since CloudFront and APIGateway communication happens using SSL, its nearly impossible for someone to find the API key. Using AWS WAF you can limit malicious access for common attacks. This includes rate based blocking to limit someone from repeatedly invoking the API.