Amazon Web Services – Protecting AWS API Gateway from DDOS Attacks

amazon-api-gatewayamazon-cloudfrontamazon-wafamazon-web-servicesddos

I have publicly exposed API Gateway (HTTP). To authenticate you have to provide a valid JWT.

I want to secure this APIGW with Cloudfront + WAF. After reading docs I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.

Is this approach considered as secure? Cloudflare is using Tunnel to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

Best Answer

My opinion is that putting an API Gateway on the internet behind CloudFront is likely sufficiently secure. It's designed to do exactly that. You can use CloudFront to limit geographic distribution if you need to, but generally AWS Shield combined with CloudFront / Route53 will give you sufficient protection against DDOS.

You can make your API Gateway distribution private then expose it to the internet via a VPC / VPN, but that's more work and more cost. I tend to use private API Gateways only when it's providing a service that is only consumed by a single application in AWS.

API Gateway is a managed service. AWS don't want their managed services to be crippled by DDOS attacks, so they protect them and mitigate DDOS attacks when they occur.

If you're really worried about this you can always pay for AWS Shield Advanced, but it's US$3,000 per month. This is often used by enterprises where the cost isn't the primary factor.

Related Solutions

Firewall – Benefits of separate firewall product over AWS Security Groups for spam requests

If you need something that will be inspecting the content of the HTTP requests and making inferences from that, deciding whether to block the request or not (perhaps based on requests over a period of time), then yes you need something other than AWS Security Groups. The Security Groups are effectively just iptables-type firewall rules, looking at allowing/denying individual connections based only on source/dest IP addresses + ports.

Choosing what sort of WAF is appropriate is a much bigger question. You could go anywhere from using something installed directly on your webserver (e.g. mod_security on Apache), through to a separate appliance. Deciding what to use will depend entirely on the nature of the threats you want to protect yourself from.

How to use AWS CloudFront and API Gateway side by side for the same domain

I run multiple web apps exactly with your proposed design, and I extracted gofaas, an educational Go and Lambda app, to share the techniques.

You need two separate domains, e.g. www.gofaas.net for S3 + CloudFront and api.gofaas.net for API Gateway + Lambda.

Then you can let your static site interact with the API with an API Gateway CORS configuration and some JavaScript:

fetch(`https://api.gofaas.net/work`, {
    method: "POST",
    mode: "cors",
    headers: {
        "Accept": "application/json",
        ...
    },
    body: JSON.stringify(...)
})
    .then(function(response) {
        return response.json();
    })
    .then(function (json) {
        // use response
    })
    .catch(function (err) {
        console.log("fetch error", err);
    });

Here are some guides for setting all this up:

Static Websites with S3, CloudFront and ACM

API Security with Lambda, API Gateway, CORS and JWT

Best Answer

Related Solutions

Firewall – Benefits of separate firewall product over AWS Security Groups for spam requests

How to use AWS CloudFront and API Gateway side by side for the same domain

Related Topic