Amazon API Gateway: Security Overview

Hello LinkedIn, in this article I try to describe and give an overview of the security of Amazon API Gateway.

Today a growing number of business workloads rely on Amazon API Gateway to provide API-driven architectures, which improve scalability, performance, and cost-effectiveness while removing the need to manage the underlying infrastructure. These workloads handle thousands of concurrent requests per second, and thousands of AWS customers use API Gateway to serve trillions of requests each month. API Gateway is a managed service whose architecture intentionally hides many implementation details from the user. As a result, some existing cloud security best practices (patching hosts, tuning security groups) no longer apply, and new ones are needed. This article gives an overview of those best practices.

But first, let's review what Amazon API Gateway is and what benefits it provides.

Amazon API Gateway is a fully managed service that lets developers create, publish, manage, monitor, and secure APIs of any size. APIs are the entry point through which applications reach data, business logic, or functionality in backend services. API Gateway lets you build REST APIs, HTTP APIs, and WebSocket APIs; WebSocket APIs enable near-real-time, two-way communication. API Gateway supports a wide range of backend integrations, including serverless functions, containerized applications, and classic instance-based applications.

API Gateway handles all of the work involved in accepting and processing hundreds of thousands of concurrent API calls: traffic management, CORS support, authorization and access control, throttling, monitoring, caching, and API version management. There are no minimum fees or start-up costs.

Benefits of Amazon API Gateway:

API Gateway offers a variety of benefits and capabilities:

  • Unified front door: Use API Gateway to compose unified APIs across a variety of integration types and microservices, with advanced routing and transformation features.
  • Security and governance built in: API Gateway supports authorization with any form of bearer token or JSON Web Token (JWT), integrates with AWS WAF for layer 7 request filtering, and integrates with AWS CloudTrail and AWS Config for auditing, logging, monitoring, and compliance out of the box.
  • Standards built in: API Gateway supports OpenAPI specification versions 2 and 3 for import and export of APIs, and native OpenID Connect and OAuth 2.0 (JWT) token validation for HTTP APIs; REST APIs get equivalent control through Amazon Cognito user pool authorizers and Lambda authorizers.
  • Regulatory compliance support: Use API Gateway to build architectures and systems that meet requirements for regulatory compliance attestations including SOC, PCI, ISO, FedRAMP, HIPAA, and more.
  • Observability built in: Native integrations with Amazon CloudWatch and AWS X-Ray provide detailed metrics, monitoring and alarming, and end-to-end tracing.
  • API lifecycle management: Use API Gateway stages to run multiple versions of the same API simultaneously, so that applications can keep calling previous API versions after newer versions are published.
  • Streamlined developer experience: An open-source developer portal enables streamlined API registration and onboarding. It issues API keys to authenticated users and lets them interactively explore and test APIs.
  • Performance at any scale: API Gateway is an always-on, scalable service that supports practically any load with no warm-up period. It gives you the lowest possible latency for API requests and responses through caching and, for edge-optimized endpoints, by accelerating delivery through the Amazon CloudFront global edge network.
  • Pay-for-value pricing: Cost savings come at scale through API Gateway's simple, tiered, price-per-million-requests pricing. You pay only for the requests made to your API, with no minimum.
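The "Security and governance" and "Standards" bullets above describe bearer-token authorization. The Lambda authorizer below is an added example (not code from the article or from AWS) showing what that looks like for a REST API: it verifies a JWT, pins the algorithm, checks expiry, and returns an IAM policy that allows only the methods the token's scopes cover. Assumptions, labelled in the code: the shared HS256 key (a real authorizer would verify the identity provider's RS256/ES256 signatures against its JWKS), the scope-to-method mapping, and the `methodArn` layout, which follows the documented `arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/PATH` form.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a shared HMAC key. A real authorizer would fetch
# verification material from a secrets store or the identity provider's JWKS and
# usually verify RS256/ES256 tokens; HS256 is used here only so the example runs
# stand-alone with the standard library.
SHARED_KEY = b"example-key-do-not-use-in-production"

# Assumed scope model for this example (not an API Gateway convention): the
# scope a token must carry to invoke each HTTP method of the API.
REQUIRED_SCOPE = {"GET": "orders:read", "POST": "orders:write", "DELETE": "orders:admin"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the identity provider in this example."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        # Pin the algorithm: the token must never choose it ("alg": "none", key confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or "sub" not in claims or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(event: dict, now: Optional[float] = None) -> Optional[dict]:
    """Evaluate a TOKEN authorizer event; return the policy response, or None to signal 401."""
    now = time.time() if now is None else now
    auth_header = event.get("authorizationToken", "")
    if not auth_header.startswith("Bearer "):
        return None
    claims = verify_token(auth_header[len("Bearer "):], now)
    if claims is None:
        return None
    # methodArn: arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/RESOURCE_PATH
    method_arn = event["methodArn"]
    arn_prefix, stage = method_arn.split("/")[:2]
    granted = set(str(claims.get("scope", "")).split())
    # Least privilege: allow exactly the methods the token's scopes cover on this
    # stage. Listing all of them, not only the method being called, keeps the
    # response correct when API Gateway caches it per token.
    allowed = [f"{arn_prefix}/{stage}/{method}/*" for method, scope in REQUIRED_SCOPE.items() if scope in granted]
    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn}
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # Reaches the integration as $context.authorizer.scope
        "context": {"scope": " ".join(sorted(granted))},
    }


def handler(event, context=None):
    """Lambda entry point. API Gateway maps the raised 'Unauthorized' to HTTP 401."""
    policy = authorize(event)
    if policy is None:
        raise Exception("Unauthorized")
    return policy
```

Two design points worth noting. Rejecting anything other than the expected `alg` closes the "alg: none" and key-confusion class of JWT bugs, and `hmac.compare_digest` avoids a timing side channel on the signature check. Returning the full set of permitted method ARNs matters because API Gateway caches the authorizer response keyed on the token: a policy scoped only to the method that happened to be called first would produce spurious 403s on every other method for the lifetime of the cache entry.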

Endpoint Types:

Amazon API Gateway offers three types of endpoints:

  • Private API endpoints: Reachable only from inside your Amazon Virtual Private Cloud (Amazon VPC), or from networks connected to it, through an interface VPC endpoint (AWS PrivateLink). A private API also needs a resource policy that states which VPC endpoints are allowed to invoke it.
  • Regional API endpoints: Terminate TLS within your chosen AWS Region. Recommended when API clients are in the same Region, or when you want to manage your own Amazon CloudFront distribution with the Regional endpoint as the origin for dynamic content. HTTP APIs and WebSocket APIs are always Regional.
  • Edge-optimized API endpoints: Serve geographically distributed clients through a CloudFront distribution that API Gateway manages for you. This is the default for REST APIs. Avoid it for APIs whose clients are other services in the same Region, or when you need fine-grained control of CloudFront caching behaviors.

Security Design Principles:

Having reviewed what API Gateway is and what it offers, let's look at it from a security perspective. The following design principles apply:

  • Understand the AWS Shared Responsibility Model: Security and compliance are shared between AWS and the customer. AWS is responsible for security of the cloud: operating, managing, and controlling the host operating system, the virtualization layer, and the physical security of its facilities. The customer is responsible for security in the cloud. For instance-based workloads that means patching the guest operating system and configuring security group firewalls; for a managed service such as API Gateway there is no host to patch, so the customer's share shifts to configuration: IAM policies and API resource policies, authorizers, throttling and usage plans, TLS settings on custom domain names, AWS WAF rules, and logging.
  • Protect data in transit and at rest: API Gateway requires encryption in transit for all control plane actions (creating, modifying, and deleting APIs) and all data plane operations (invoking APIs). Every API Gateway endpoint is HTTPS only; plain HTTP is not supported. For custom domain names you can choose a security policy that sets the minimum TLS version clients may use (TLS 1.2 is the sensible choice), and you can enable mutual TLS so that only clients presenting a certificate issued by a CA in a truststore you upload to Amazon S3 can invoke the API. At rest, enable encryption on the stage cache if you use API caching, and keep secrets out of stage variables, which are not designed to hold sensitive data.
  • Implement a strong identity and access foundation: Apply least privilege and separation of duties, with explicit authorization for every interaction with your AWS resources, on both the control plane (who may change the API) and the data plane (who may invoke which method, through IAM authorization, Amazon Cognito user pools, Lambda authorizers, or JWT authorizers). Centralize identity management and aim to eliminate long-lived credentials in favor of short-lived tokens and roles.
  • Minimize attack surface: A basic principle of IT security is to reduce the attack surface of your applications so that attackers have fewer places to probe for flaws or misconfigurations. API Gateway gives you a single, centralized entry point for all of your services, which concentrates the controls in one place. Keep that surface small: deploy only the stages you need, require authorization on every method, and prefer private endpoints when the clients live inside your VPC.

  • API integration security: API Gateway also secures the integrations behind your API, whether they are Lambda functions, other AWS services, or HTTP endpoints. For AWS service integrations the gateway assumes an IAM role you attach to the integration, so that role's policy determines which resources the API can reach. For Lambda integrations, the function's resource-based policy should allow invocation only from the specific API and method ARN. For HTTP backends, use a VPC link (private integration) so the backend does not have to be publicly reachable.
  • Mitigate Distributed Denial of Service (DDoS) attack impacts: Architect your application to absorb DDoS impacts and prepare your teams to respond to them. Two services help here:

  1. Amazon API Gateway throttling: Throttling prevents your API from being overwhelmed by too many requests. API Gateway throttles with the token bucket algorithm: each request consumes one token, tokens refill at the steady-state rate, and the bucket capacity is the burst. A request that finds the bucket empty is rejected with HTTP 429 Too Many Requests and never reaches the backend. Limits apply at several levels: an account-wide limit per Region across all APIs (by default 10,000 requests per second with a burst of 5,000), stage- and method-level limits you configure, and per-client limits enforced through usage plans and API keys.
  2. AWS Shield and AWS Shield Advanced: AWS Shield Standard protects against the most common network and transport layer (layer 3 and 4) DDoS attacks and is included for all customers at no extra cost. AWS Shield Advanced adds protection, attack visibility, and cost protection for Amazon CloudFront distributions, Amazon Route 53 hosted zones, and other supported resource types. An API Gateway endpoint is not itself a Shield Advanced protected resource; to get that coverage, place a CloudFront distribution you own in front of a Regional API and protect the distribution. Combined with AWS WAF, Shield Advanced helps mitigate layer 3, 4, and 7 attacks, and with the appropriate AWS Support plan it gives you access to the AWS Shield Response Team (SRT, formerly the DDoS Response Team).
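The throttling item above describes the token bucket in words. The simulation below is an added example, not API Gateway code, that implements it so you can see which requests get 200 and which get 429 for a given steady-state rate and burst. It layers two buckets the way API Gateway layers its limits: a per-client bucket (standing in for a usage plan keyed by API key) and an account-wide bucket; a request must find a token in both. The rates, bursts, and keys used are assumptions chosen for the example, not the AWS defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    """Refills `rate` tokens per second and stores at most `burst` tokens."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # a fresh bucket starts full

    def refill(self, now: float) -> None:
        # Credit the tokens earned since the last visit, capped at the burst size.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now


class Throttler:
    """Two-level throttling: a per-client bucket (usage plan / API key) and one
    account-wide bucket. A request needs a token from both; otherwise it is
    rejected with 429 and consumes nothing."""

    def __init__(self, account_rate: float, account_burst: int,
                 client_rate: float, client_burst: int) -> None:
        self.account = TokenBucket(account_rate, account_burst)
        self.client_limits = (client_rate, client_burst)
        self.clients: Dict[str, TokenBucket] = {}

    def check(self, api_key: str, now: float) -> int:
        client = self.clients.setdefault(api_key, TokenBucket(*self.client_limits))
        client.refill(now)
        self.account.refill(now)
        if client.tokens < 1 or self.account.tokens < 1:
            return 429
        client.tokens -= 1
        self.account.tokens -= 1
        return 200


def simulate(throttler: Throttler, requests: List[Tuple[float, str]]) -> List[int]:
    """Feed (arrival_time_seconds, api_key) pairs in order; return each status."""
    return [throttler.check(key, t) for t, key in requests]


def summarize(statuses: List[int]) -> Dict[str, int]:
    return {"allowed": statuses.count(200), "throttled": statuses.count(429)}


if __name__ == "__main__":
    # Constructed scenario: account limit of 8 rps with burst 5, generous client limit.
    th = Throttler(account_rate=8, account_burst=5, client_rate=100, client_burst=100)
    arrivals = [(0.0, "key-A")] * 8 + [(0.25, "key-A")] * 4 + [(1.0, "key-A")] * 6
    statuses = simulate(th, arrivals)
    print(statuses)
    print(summarize(statuses))
```

Reading the scenario in `__main__`: the first eight requests at t=0 drain the burst of 5 and three are throttled; at t=0.25 the account bucket has earned two tokens, so two of four pass; by t=1.0 the refill would be six tokens but the bucket caps at the burst of 5, so five of six pass. That cap is the reason a steady-state rate alone does not describe the limit: a client that stays idle does not accumulate unlimited credit.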

  • AWS WAF integration:

AWS WAF provides flexible options for implementing protections through AWS Managed Rules, partner rule groups from AWS Marketplace, and custom rules you write yourself. Many of these rules target the OWASP Top 10 application vulnerabilities. You combine rules in a web access control list (web ACL) and associate the web ACL with a REST API stage (HTTP APIs are not a supported AWS WAF resource; front them with a CloudFront distribution to use AWS WAF). Two caveats: AWS WAF inspects only the first 8 KB of a request body for API Gateway, so add a rule for oversize bodies, and a web ACL attached at the stage does nothing for a different stage of the same API. A web ACL can, among other things:

  1. Block or allow based on the source IP address or the country of origin of the request
  2. Block or allow based on request components, such as the query string, body, headers, and HTTP method
  3. Rate-limit by source IP with rate-based rules, which block an address that exceeds a request count within a short evaluation window (five minutes by default)

  • Implement inspection and protection: Inspecting and filtering traffic at the API layer lets you validate requests and reject invalid ones before they reach your backend services. API Gateway's own request validation (for REST APIs) checks required parameters and headers and validates the request body against a JSON Schema model, returning HTTP 400 without invoking the integration; AWS WAF adds checks for patterns such as SQL injection and cross-site scripting. Dropping bad requests at the gateway improves backend security, performance, and availability, and it also controls cost, because Lambda invocations that never happen are never billed.
  • Enable auditing and traceability: Monitor, alert on, and audit actions and changes to your environment in near real time, and feed logs and metrics into systems that investigate and respond automatically. You can monitor and audit API Gateway with the following AWS services:

  1. Amazon CloudWatch metrics (Count, 4XXError, 5XXError, Latency, IntegrationLatency, CacheHitCount, and CacheMissCount per API, stage, and optionally per method)
  2. Amazon CloudWatch Logs, for both execution logs and access logs whose format you define with $context variables
  3. AWS X-Ray, for end-to-end tracing through the gateway into the integration
  4. AWS CloudTrail, for every control plane call that creates, changes, or deletes API configuration
  5. AWS Config, for configuration history and compliance rules
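Access logs are only useful if something reads them. The script below is an added example (not from the article or from AWS) of detection logic over API Gateway access logs: it parses JSON-formatted lines, tolerates malformed ones, and flags source IPs that accumulate 401/403 responses faster than a threshold inside a sliding window, the signature of credential stuffing or token guessing against an authorizer. The log lines are constructed for the example, and the field names (`ip`, `requestTimeEpoch`, `status`, `resourcePath`) are an assumed access-log format built from `$context.identity.sourceIp`, `$context.requestTimeEpoch` (milliseconds), `$context.status`, and `$context.resourcePath`; use whatever names your stage's format defines.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample access-log lines in an assumed JSON format. One line is
# deliberately malformed to show that a bad line must not stop the scan.
SAMPLE_LOG = """\
{"requestId":"a1","ip":"203.0.113.7","requestTimeEpoch":1700000000000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"a2","ip":"203.0.113.7","requestTimeEpoch":1700000005000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"a3","ip":"203.0.113.7","requestTimeEpoch":1700000010000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"a4","ip":"203.0.113.7","requestTimeEpoch":1700000015000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"a5","ip":"203.0.113.7","requestTimeEpoch":1700000020000,"httpMethod":"GET","resourcePath":"/orders","status":403}
{"requestId":"a6","ip":"203.0.113.7","requestTimeEpoch":1700000025000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"b1","ip":"198.51.100.9","requestTimeEpoch":1700000000000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"b2","ip":"198.51.100.9","requestTimeEpoch":1700000003000,"httpMethod":"GET","resourcePath":"/orders","status":200}
{"requestId":"b3","ip":"198.51.100.9","requestTimeEpoch":1700000070000,"httpMethod":"POST","resourcePath":"/login","status":401}
{"requestId":"c1","ip":"192.0.2.44","requestTimeEpoch":1700000030000,"httpMethod":"GET","resourcePath":"/orders","status":429}
this line is not JSON and must be skipped
{"requestId":"c2","ip":"192.0.2.44","requestTimeEpoch":1700000031000,"httpMethod":"GET","resourcePath":"/orders","status":200}
"""


def parse_lines(text: str) -> List[dict]:
    """Turn JSON access-log lines into events; skip lines that cannot be parsed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append({
                "ip": rec["ip"],
                "t": int(rec["requestTimeEpoch"]) / 1000.0,  # milliseconds -> seconds
                "status": int(rec["status"]),
                "path": rec.get("resourcePath", ""),
            })
        except (ValueError, KeyError, TypeError):
            continue  # malformed or truncated line: log it elsewhere, keep scanning
    return events


def auth_failure_bursts(events: List[dict], threshold: int = 5, window_s: float = 60.0) -> Dict[str, int]:
    """For each source IP, the largest number of 401/403 responses within any
    window_s-second span. Returns only IPs at or above threshold."""
    by_ip: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        if e["status"] in (401, 403):
            by_ip[e["ip"]].append(e["t"])
    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        best, left = 0, 0
        for right, t in enumerate(times):  # two-pointer sliding window
            while t - times[left] > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def throttled_by_ip(events: List[dict]) -> Dict[str, int]:
    """Count 429 responses per source IP; a useful second signal next to auth failures."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["status"] == 429:
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print(auth_failure_bursts(evs))   # {'203.0.113.7': 6}
    print(throttled_by_ip(evs))       # {'192.0.2.44': 1}
```

In production this logic would run in a Lambda function subscribed to the access-log group (or as a CloudWatch Logs Insights query on a schedule), and a flagged IP would be pushed into an AWS WAF IP set so the block happens at the gateway rather than in the backend. The window matters: 198.51.100.9 has two failures 70 seconds apart, which a 60-second window correctly ignores and a 120-second window correctly counts.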

  • Automate security best practices: Automated, software-based security controls let you scale more quickly and cost-effectively than manual review. The following can automate security controls for API Gateway:

  1. Security Automations for AWS WAF, the AWS solution that deploys rate-based, IP reputation, scanner and probe, and bad-bot rules
  2. AWS Config managed rules such as api-gw-associated-with-waf, api-gw-execution-logging-enabled, and api-gw-ssl-enabled
  3. AWS CloudTrail with Amazon EventBridge, to react to control plane changes as they happen
  4. Amazon CloudWatch alarms on error and throttling metrics
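Item 3 above, CloudTrail with EventBridge, is the hook for catching risky configuration changes minutes after they happen rather than at the next audit. The function below is an added example (not code from the article or from AWS) of the check a Lambda target for such a rule would run: it inspects one CloudTrail record and reports a method created or updated with `authorizationType` NONE, execution logging switched off on a stage, or a web ACL disassociated from a resource. The records in the test are constructed, and the assumption, labelled in the code, is that `requestParameters` mirrors the PutMethod, UpdateMethod, UpdateStage, and DisassociateWebACL API parameters as CloudTrail records them; confirm the field names against records from your own trail.

```python
from typing import Dict, List

# Assumption for this example: CORS preflight may stay unauthenticated.
UNAUTHENTICATED_OK = {"OPTIONS"}


def findings_for(record: dict) -> List[str]:
    """Return findings for one CloudTrail record; an empty list means benign.

    Assumption: requestParameters mirrors the API Gateway / WAFv2 request
    parameters as CloudTrail records them (restApiId, resourceId, httpMethod,
    authorizationType, apiKeyRequired, patchOperations, stageName, resourceArn).
    """
    source = record.get("eventSource")
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    api = params.get("restApiId", "?")
    out: List[str] = []
    if source == "apigateway.amazonaws.com":
        if name == "PutMethod":
            method = params.get("httpMethod", "")
            if (params.get("authorizationType") == "NONE"
                    and not params.get("apiKeyRequired")
                    and method not in UNAUTHENTICATED_OK):
                out.append(f"{method} on API {api} resource {params.get('resourceId', '?')} "
                           "created with no authorizer and no API key requirement")
        elif name == "UpdateMethod":
            for op in params.get("patchOperations", []):
                if (op.get("op") == "replace" and op.get("path") == "/authorizationType"
                        and op.get("value") == "NONE"):
                    out.append(f"{params.get('httpMethod', '?')} on API {api} switched to authorizationType NONE")
        elif name == "UpdateStage":
            for op in params.get("patchOperations", []):
                # Path has the form /{resourcePath}/{httpMethod}/logging/loglevel, e.g. /*/*/logging/loglevel
                if op.get("path", "").endswith("/logging/loglevel") and op.get("value") == "OFF":
                    out.append(f"execution logging turned off on API {api} stage {params.get('stageName', '?')}")
    elif source == "wafv2.amazonaws.com" and name == "DisassociateWebACL":
        out.append(f"AWS WAF web ACL removed from {params.get('resourceArn', '?')}")
    return out


def handler(event: dict, context=None) -> Dict[str, object]:
    """EventBridge entry point for a rule on detail-type 'AWS API Call via CloudTrail';
    the CloudTrail record arrives in event['detail']. Returns the structured result
    that a notification or ticketing step would consume."""
    record = event.get("detail") or {}
    return {
        "eventID": record.get("eventID"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "findings": findings_for(record),
    }
```

The OPTIONS exemption is the kind of allowlist that makes a rule usable: CORS preflight is normally unauthenticated, and flagging it on every deployment would train people to ignore the alert. Anything this function reports should carry the `actor` ARN so the response can start with the person or role that made the change.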

  • Apply security at all layers: Use a defense-in-depth approach with multiple, independent security controls at every layer (for example, the network edge, the VPC, load balancers, every instance and compute service, the operating system, the application, and the code), so that a single misconfiguration does not expose the whole system.

Key Takeaways:

Security is a continual effort. Protecting data in transit and at rest, establishing a strong identity foundation, reducing the attack surface, mitigating DDoS impacts, implementing inspection and protection, enabling auditing and traceability, and automating security best practices together form a defense strategy that every organization running APIs should implement. The AWS capabilities and services covered in this article make that work easier. Amazon API Gateway aims to help you build and run architectures that safeguard information, systems, and assets while delivering business value with pay-for-value pricing.
