API Gateway – AWS Security Fundamentals – SCS-C02 Study Guide

API Gateway

API Gateway is a fully managed AWS service, built around a simple interface, for building RESTful and WebSocket APIs. It can act as the entrance to other AWS services, for example data stored in RDS or compute calls made to EC2 or Lambda. API Gateway supports a number of protocols, including HTTP, HTTPS, and WebSocket.

One of the most compelling features of API Gateway is that, because AWS manages all of the underlying infrastructure, you and your development team can concentrate on the data served by the API, which reduces the cost of building and maintaining it.

Security Considerations for API Gateway

Because data flows through the gateway and authorization decisions are made on every API call, understanding the security features that can and should be enabled on the API Gateway service will help keep the data and applications it fronts more secure:

  • Enable Logging: When using API Gateway, make sure that logging is turned on so that activity at the gateway is captured and delivered to the CloudWatch Logs service.
  • Enable Integration with Web Application Firewall: API Gateway can be protected by the Web Application Firewall (WAF) service, which can help block a flood of malicious requests arriving at your API endpoint.
  • Add CloudWatch Alarms: At a minimum, set alarms on the pre-defined metrics in Amazon CloudWatch, or go a step further and define custom metrics based on your own API paths.
  • Add Authorization and Authentication: Implement authentication mechanisms such as API keys, AWS IAM roles, or custom authorizers to verify the identity of the users and customers accessing your APIs.
  • Implement API Rate Limiting and Throttling: Rate limiting and request throttling protect your APIs from abusive or malicious usage. Setting limits on the number of requests per second or per minute prevents API abuse and ensures fair usage for all clients.

The next section dives into the final service to be discussed in this chapter—AWS Trusted Advisor.

Trusted Advisor

As the number of resources in your AWS account grows, it can take real work to keep track of them all. Challenges start to arise in the account, such as security groups that allow access to resources from anywhere on the internet (a security concern) or unused Elastic IP addresses, which cost money despite being idle.

Every AWS customer and account can access the seven core security checks provided by the service. These are as follows:

  • Multi-factor authentication (MFA) on the root account
  • S3 bucket permissions
  • EBS snapshots available for public access
  • RDS snapshots available for public access
  • Open access (0.0.0.0/0) on security groups
  • That IAM users are being used (as opposed to the root user)
  • Service limits (these are in the service limits section, not the security section)

If you are on the Basic support plan, then you can view these checks easily within the AWS Management Console by doing the following:

  1. Select Trusted Advisor on the services list page from the Management & Governance category. (Or type Trusted Advisor in the search box).
  2. Select either the Security or the Service Limits category and view the available services.

The following points summarize and define each of the five areas checked by Trusted Advisor:

  • Cost Optimization: These checks help you identify resources not being optimally used and where you could save money by optimizing your infrastructure.
  • Performance: Performance checks scan your resources and identify any that could make use of provisioned throughput and ones that are over-utilized.
  • Security: Checks are performed to identify any weaknesses that could lead to vulnerabilities within your account.
  • Fault Tolerance: The checks within this category determine whether you have adequate resiliency and fault tolerance built into your environment—for example, by using multi-Availability Zone features and autoscaling.
  • Service Limits: This category checks whether any of your services have reached 80% or more of the allotted service limit. For example, you are only allowed five VPCs per region; once you reach four VPCs in a single region (80%), you will trigger the check and be notified if you have enabled notifications.
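To make the core checks listed earlier and the 80% service-limit rule above concrete, here is an added example (not AWS code and not how Trusted Advisor is implemented) that evaluates a constructed, offline snapshot of an account against those rules; the account dictionary, group names, snapshot ids and limit values are all made up for illustration.

```python
from ipaddress import ip_network

# Constructed sample account state (not real data), in the shape the checks below consume.
ACCOUNT = {
    "root_mfa_enabled": False,
    "iam_users": [],                      # empty: day-to-day work is being done as root
    "public_snapshots": ["snap-ebs-example (EBS)", "rds:db-example (RDS)"],
    "security_groups": {
        "sg-web": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "203.0.113.0/24")],
        "sg-db":  [("tcp", 5432, "::/0")],
        "sg-app": [("tcp", 8080, "10.0.0.0/8")],
    },
    # service name -> (current usage, allotted limit); VPC figures follow the text above
    "service_limits": {"vpcs-per-region": (4, 5), "elastic-ips": (2, 5)},
}

LIMIT_THRESHOLD = 0.80  # Trusted Advisor raises the check at 80% or more of the limit


def open_security_groups(groups):
    """Return (group, port, cidr) for every rule open to the whole internet.
    A /0 prefix matches every address of its family, so this catches 0.0.0.0/0 and ::/0."""
    return [
        (name, port, cidr)
        for name, rules in groups.items()
        for _proto, port, cidr in rules
        if ip_network(cidr).prefixlen == 0
    ]


def service_limit_warnings(limits, threshold=LIMIT_THRESHOLD):
    """Return {service: usage ratio} for services at or above the threshold."""
    return {
        name: used / limit
        for name, (used, limit) in limits.items()
        if limit > 0 and used / limit >= threshold
    }


def run_core_checks(account):
    """Evaluate the core checks over the account snapshot and return finding strings."""
    findings = []
    if not account["root_mfa_enabled"]:
        findings.append("MFA is not enabled on the root account")
    if not account["iam_users"]:
        findings.append("no IAM users exist; activity is likely performed as root")
    findings += [f"snapshot {s} is publicly accessible" for s in account["public_snapshots"]]
    findings += [f"{g} allows port {p} from {c}" for g, p, c in
                 open_security_groups(account["security_groups"])]
    findings += [f"{n} is at {r:.0%} of its service limit"
                 for n, r in service_limit_warnings(account["service_limits"]).items()]
    return findings
```

Run against the sample account it reports seven findings, including the four-of-five VPC case at 80% and both the IPv4 and IPv6 wide-open security group rules.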

Now that you have a basic understanding of Trusted Advisor, you can explore the interface and findings when the set criteria have been breached.