Amazon API Gateway | Security and Authorization Flashcards
How can I avoid creating redundant copies of error messages and other documentation that recurs frequently in my API?
Security and Authorization
Amazon API Gateway | Networking & Content Delivery
In addition to offering standards-conformant API documentation support, API Gateway supports documentation inheritance, which makes it simple to define a documentation string once and reuse it in multiple places. Inheritance simplifies the process of defining API documentation, and it can be converted to the standard representation when exporting the API as a Swagger file.
How do I authorize access to my APIs?
With Amazon API Gateway, you can optionally set your API methods to require authorization. When setting up a method to require authorization, you can leverage AWS Signature Version 4 or custom authorizers to support your own bearer token auth strategy.
How does AWS Signature Version 4 work?
You can use AWS credentials – access and secret keys – to sign requests to your service and authorize access like other AWS services. The signing of an Amazon API Gateway API request is managed by the custom API Gateway SDK generated for your service. You can retrieve temporary credentials associated with a role in your AWS account using Amazon Cognito.
What is a custom authorizer?
Custom authorizers are AWS Lambda functions. With custom request authorizers, you can authorize access to APIs using a bearer token auth strategy such as OAuth. When an API is called, API Gateway checks whether a custom authorizer is configured; if so, API Gateway calls the Lambda function with the incoming authorization token. You can use Lambda to implement various authorization strategies (e.g. JWT verification, OAuth provider callout) that return IAM policies, which are then used to authorize the request. If the policy returned by the authorizer is valid, API Gateway will cache the policy associated with the incoming token for up to 1 hour.
Can Amazon API Gateway generate API keys for distribution to third-party developers?
Yes. API Gateway can generate API keys and associate them with a usage plan. Calls received from each API key are monitored and included in the Amazon CloudWatch Logs you can enable for each stage. However, we do not recommend you use API keys for authorization. You should use API keys to monitor usage by third-party developers and leverage a stronger mechanism for authorization, such as signed API calls or OAuth.
How can I address or prevent API threats or abuse?
Amazon API Gateway supports throttling settings for each method in your APIs. You can set a standard rate limit and a burst rate limit per second for each method in your REST APIs. Further, Amazon API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3).
Can Amazon API Gateway work within an Amazon VPC?
No. Amazon API Gateway endpoints are always public to the Internet. Proxy requests to backend operations also need to be publicly accessible on the Internet. However, you can generate a client-side SSL certificate in Amazon API Gateway to verify that requests to your backend systems were sent by API Gateway using the public key of the certificate.
Can I verify that it is API Gateway calling my backend?
Yes. Amazon API Gateway can generate a client-side SSL certificate and make the public key of that certificate available to you. Calls to your backend can be made with the generated certificate, and you can verify calls originating from Amazon API Gateway using the public key of the certificate.