Score:0

DDOS AWS API Gateway protection

in flag

I have publicly exposed API Gateway (HTTP). To authenticate you have to provide a valid JWT.

I want to secure this APIGW with Cloudfront + WAF. After reading docs I think that API Gateway endpoint is still exposed to the Internet. The only thing that protects API Gateway is verification of Header in WAF. Attacker can still find API Gateway in the Internet and perform DDOS attack directly to API Gateway endpoint without going through Cloudfront.

Is this approach considered as secure? Cloudflare is using Tunnel to make sure that your infrastructure is not exposed to the Internet. I think this approach is much more secure. Is something like this available in AWS?

Tim avatar
gp flag
Tim
Suggest you edit your question to tell us more about your API. Is it meant to be exposed to the public internet, or is it meant to be a private API? Does it require authentication, if so against what and how are credentials passed in? You can have private API Gateway endpoints within your VPC, and I think you can access those via VPN / DirectConnect. If you need the API exposed to the internet, then yes, expose it. AWS Shield working in AWS / CloudFront will give it good protection.
krzysiexp avatar
in flag
Added a brief info. So you think that even when API Gateway is exposed to the Internet (but accessible through Cloudfront) it is secure and protected against DDoS?
Score:0
gp flag
Tim

My opinion is that putting an API Gateway on the internet behind CloudFront is likely sufficiently secure. It's designed to do exactly that. You can use CloudFront to limit geographic distribution if you need to, but generally AWS Shield combined with CloudFront / Route53 will give you sufficient protection against DDOS.

You can make your API Gateway distribution private then expose it to the internet via a VPC / VPN, but that's more work and more cost. I tend to use private API Gateways only when it's providing a service that is only consumed by a single application in AWS.

API Gateway is a managed service. AWS don't want their managed services to be crippled by DDOS attacks, so they protect them and mitigate DDOS attacks when they occur.

If you're really worried about this you can always pay for AWS Shield Advanced, but it's US$3,000 per month. This is often used by enterprises where the cost isn't the primary factor.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.