Architecting a Secure Serverless API with AWS WAF, API Gateway Authorizers, and IAM Policies

As organizations increasingly move toward cloud-native architectures, server less computing has gained significant traction. It allows developers to focus on application logic without worrying about infrastructure management. Among various cloud providers, Amazon Web Services (AWS) offers robust support for server less applications, particularly through services like AWS Lambda, Amazon API Gateway, and more.

However, with great power comes great responsibility, and security should be a top priority when architecting server less APIs. In this blog, we’ll walk through a comprehensive strategy for securing serverless APIs using AWS services such as AWS Web Application Firewall (WAF), API Gateway Authorizes, and IAM Policies.

Table of Contents

1. Introduction to Serverless Security
2. Key Security Challenges for Serverless APIs
3. Layered Security Architecture
4. AWS WAF for Threat Mitigation
5. API Gateway Authorizers for User Authentication
6. Fine-Grained Access Control with IAM Policies
7. Logging and Monitoring
8. Best Practices for Securing a Serverless API
9. Conclusion

1. Introduction to Serverless Security

Serverless computing, particularly through AWS Lambda, allows developers to deploy functions that automatically scale based on demand. When combined with API Gateway, these functions can power robust APIs. While serverless abstracts infrastructure management, developers must still secure their APIs to prevent malicious attacks, unauthorized access, and data breaches.

Why Security Matters

In a serverless environment, the attack surface increases as APIs become the primary entry point. Publicly exposed APIs can become prime targets for various types of attacks, such as DDoS, injection attacks, and unauthorized access. To protect these critical components, implementing a multi-layered security strategy is essential.

2. Key Security Challenges for Serverless APIs

Before diving into specific AWS services, it’s crucial to understand the unique security challenges that come with serverless APIs:

2.1 Public Exposure

APIs are often publicly accessible, meaning anyone on the internet can send requests. This makes them vulnerable to brute force attacks, injections, and DDoS.

2.2 Authentication and Authorization

In a traditional server-based system, you have more control over session management and authentication. With serverless, these tasks must be handled efficiently using tools such as API Gateway Authorizers.

2.3 API Abuse

APIs can be abused in many ways, including excessive API requests that may lead to increased costs or degraded performance. Rate-limiting and traffic management become critical.

2.4 Data Protection

Data transmitted through APIs is often sensitive. Protecting this data both in transit (via SSL/TLS) and at rest is essential. Additionally, fine-grained access control to resources ensures that only authorized users can access specific resources.

3. Layered Security Architecture

A single security mechanism is rarely sufficient in modern cloud architectures. Security in a serverless API should be approached in layers, as follows:

3.1 Perimeter Security with AWS WAF

At the outermost layer, AWS WAF protects your API from common web-based attacks, such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.

3.2 Authentication and Authorization with API Gateway

API Gateway authorizers help ensure that users accessing your API are authenticated, typically using OAuth 2.0 or custom authorizers.

3.3 Access Control with IAM Policies

IAM policies enable you to enforce fine-grained access control at the API, method, and resource levels. This ensures that only specific users or services can access particular API resources.

By combining these mechanisms, you can architect a robust and secure serverless API.

4. AWS WAF for Threat Mitigation

AWS WAF is a web application firewall designed to help protect your web applications or APIs from common attacks. It allows you to configure rules that control which traffic is allowed or blocked based on various criteria, such as IP address, HTTP headers, request body, and URI strings.

4.1 How AWS WAF Works

AWS WAF can be integrated with Amazon API Gateway to monitor and block malicious traffic before it reaches your API backend. You can define rules that mitigate:

• SQL Injection: AWS WAF can detect SQL injection patterns and block requests attempting to exploit these vulnerabilities.
• Cross-Site Scripting (XSS): Prevents attackers from injecting scripts into web pages viewed by other users.
• Rate Limiting: AWS WAF allows you to configure rate-based rules to block or throttle requests exceeding a defined threshold.

4.2 Setting Up AWS WAF with API Gateway

1. Create a Web ACL: This Web ACL will contain the rules for filtering incoming traffic. You can use AWS Managed Rules or create your custom rules.
2. Associate the Web ACL with API Gateway: Once the Web ACL is configured, associate it with the API Gateway stage. The rules will automatically start filtering the API requests.
3. Monitor WAF Metrics: AWS WAF integrates with CloudWatch for monitoring metrics such as AllowedRequests, BlockedRequests, and PassedRequests.

4.3 Example: Creating Rate-Limiting Rules

Let’s say you want to block traffic that exceeds 1000 requests per minute from a single IP address. You can create a Rate-Based Rule in AWS WAF and attach it to your Web ACL. The steps include:

1. Navigate to the AWS WAF console and create a new Web ACL.
2. Add a new rate-based rule targeting the IP address.
3. Define the threshold (1000 requests per minute).
4. Attach the Web ACL to your API Gateway.

By doing this, any client exceeding 1000 requests will be temporarily blocked, mitigating the risk of DDoS or abusive behavior.

5. API Gateway Authorizers for User Authentication

AWS API Gateway provides robust options for securing APIs through authorizers. Authorizers are responsible for verifying the identity of users or services trying to access your API. This is typically done through JWT tokens, OAuth tokens, or custom Lambda functions.

5.1 Types of API Gateway Authorizers

1. Cognito User Pool Authorizers: AWS Cognito integrates directly with API Gateway, enabling you to use Cognito tokens for authentication. This is ideal for securing APIs accessed by mobile or web apps.
2. Lambda Authorizers: Lambda-based authorizers allow you to implement custom authentication logic. You can write a Lambda function that validates incoming tokens or API keys before granting access to the API.

5.2 How Authorizers Work

When an API request is made, the API Gateway authorizer intercepts the request and checks if the user is authenticated based on the provided token. If the token is valid, the request proceeds; otherwise, it is blocked.

5.3 Implementing Cognito Authorizers

Here’s how to integrate Cognito User Pools with API Gateway for authentication:

1. Create a User Pool in Cognito: Set up a user pool for managing user registration, authentication, and sign-in.
2. Enable Authorization in API Gateway: Attach the Cognito User Pool as an authorizer to your API Gateway endpoint.
3. Configure Resource Policies: Set fine-grained access permissions for API methods to control which authenticated users can access specific resources.

6. Fine-Grained Access Control with IAM Policies

IAM (Identity and Access Management) allows you to define fine-grained access control over AWS resources. In the context of API Gateway, IAM policies can restrict access to specific API resources or methods based on user roles or permissions.

6.1 How IAM Works with API Gateway

You can configure API Gateway to authorize requests using IAM roles. Each user, group, or service in AWS can be assigned IAM policies that dictate what they are allowed to do.

6.2 Example: Applying IAM Policies to API Gateway

1. Create an IAM Role: Define the permissions that grant access to the API.
2. Attach the Policy to a Role or User: Attach this policy to the IAM role or user who needs access to the API.
3. Configure API Gateway to Use IAM Authentication: Modify the API Gateway settings to use IAM for authorization on specific API methods.

For example, you can create a policy that only allows GET access to a specific endpoint, while blocking POST requests from all users except admins.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:region:account-id:api-id/stage/GET/resource-path",
      "Condition": {
        "StringEquals": {
          "aws:username": "allowed-user"
        }
      }
    }
  ]
}
        

This policy grants a specific user allowed-user access to only the GET method of the specified API resource.

7. Logging and Monitoring

Logging and monitoring are critical for detecting and responding to security incidents. AWS offers several tools to track and monitor API activities:

7.1 AWS CloudWatch Logs and Metrics

• CloudWatch Logs: API Gateway integrates with CloudWatch to log every request made to your API. These logs can help identify suspicious activity.
• CloudWatch Metrics: Monitor API latency, request counts, and error rates.

7.2 AWS CloudTrail

CloudTrail logs every API call made within your AWS account. It can provide a detailed audit log of which IAM users or roles invoked the API, helping you track unauthorized access attempts.

7.3 Amazon GuardDuty

Amazon GuardDuty uses machine learning

to identify unusual API activity or potential threats. Integrating GuardDuty with your API can help detect and respond to threats in real-time.

8. Best Practices for Securing a Serverless API

1. Use Least Privilege Access: Only give users, services, and roles the minimum permissions they need to perform their tasks.
2. Enable Encryption: Use HTTPS (SSL/TLS) for secure transmission of data and enable encryption at rest for sensitive data.
3. Rotate API Keys and Secrets: Regularly rotate API keys and credentials to reduce the risk of compromised secrets.
4. Use AWS WAF for Rate Limiting and IP Blocking: AWS WAF should be used to block suspicious IP addresses and limit the rate of incoming requests.
5. Leverage API Gateway Caching: Enable caching on API responses to improve performance and reduce the load on backend services.
6. Audit API Access with CloudTrail: Regularly review CloudTrail logs to detect any suspicious activity.
7. Monitor Security Metrics: Set up alarms in CloudWatch to trigger when security thresholds are breached, such as unusual error rates or spikes in requests.

Securing a serverless API requires a multi-layered approach that combines several AWS services, including AWS WAF for protecting against external threats, API Gateway authorizers for user authentication, and IAM policies for fine-grained access control. By incorporating logging, monitoring, and auditing mechanisms, you can detect and respond to potential security issues in real-time.

In a world where APIs serve as the backbone of modern applications, ensuring their security is non-negotiable. AWS provides the tools to build highly secure serverless APIs, but it’s up to the architects and developers to configure and maintain them correctly.