Which approach should the company take to secure its API?
Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can run the POST method.
Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.
Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
Explanations:
Option A fails on a technical point: CloudFront origin access identities (OAIs) exist only for Amazon S3 origins, so CloudFront cannot present an OAI to API Gateway and API Gateway has no way to authorize "only the OAI". The WAF rule is also not expressible as written: AWS WAF rate-based rules count requests over a window of minutes, not per day, and the threshold must be well above five. Even if both were possible, the design adds a CloudFront distribution to pay for and operate without ever restricting the API to the six partners.
Option B is closer to a workable pattern (an origin custom header carrying the API key is a common way to tie CloudFront to API Gateway), but it still does not meet the requirement. The API Gateway endpoint remains publicly reachable, so anyone who discovers it bypasses CloudFront and the web ACL entirely unless a resource policy also blocks direct access, and the option does not add one. The "five requests per day" WAF rule cannot be expressed, for the same reason as in option A. An API key is an identifier, not a credential: it is only enforced when the method requires it and the key is attached to a usage plan with a throttle or quota, and this option creates no usage plan. Nothing in the design limits access to the partners' IP addresses.
Option C gets the IP allowlist right, but an API Gateway resource policy is an IAM-style document that controls who may invoke the API; it has no request-limit or throttling construct, so "a resource policy with a request limit" cannot be configured. Requiring an API key on the POST method changes nothing on its own: without a usage plan the key is never throttled, so the API remains exposed to high request volumes from any allowed address.
Option D is correct. A regional web ACL whose default action is Block, with a single rule that allows the IP set containing the six partners' addresses, drops all other traffic (including botnet traffic) before it reaches the API, which is what keeps the cost down. A usage plan associated with the API stage carries a per-second throttle and a daily quota, and attaching an API key to that plan makes each partner's key subject to those limits. Two practical points: the POST method must have API key required enabled for the plan to take effect, and the API key identifies the caller rather than authenticating it, so the WAF IP allowlist is the actual access control.
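As an added illustration of option D (this is example code written for this page, not an AWS reference template): a CloudFormation stack that creates a minimal REST API with a POST method that requires an API key, a usage plan with throttle and quota, an API key bound to that plan, and a regional web ACL that blocks everything except an IP set. The API name, path, limits and CIDR ranges are placeholders chosen for the example; replace the ranges with the partners' real egress addresses.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PartnerCidrs:
    Type: CommaDelimitedList
    # Placeholder ranges for the example; substitute the partners' egress IPs.
    Default: "203.0.113.10/32,203.0.113.11/32,198.51.100.0/28"
  StageName:
    Type: String
    Default: prod
Resources:
  PartnerApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: partner-api
      EndpointConfiguration:
        Types: [REGIONAL]
  OrdersResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref PartnerApi
      ParentId: !GetAtt PartnerApi.RootResourceId
      PathPart: orders
  # ApiKeyRequired is what makes the usage plan apply to this method.
  OrdersPost:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref PartnerApi
      ResourceId: !Ref OrdersResource
      HttpMethod: POST
      AuthorizationType: NONE
      ApiKeyRequired: true
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: "200"
      MethodResponses:
        - StatusCode: "200"
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: OrdersPost
    Properties:
      RestApiId: !Ref PartnerApi
  Stage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref PartnerApi
      DeploymentId: !Ref Deployment
      StageName: !Ref StageName
  # Per-second throttle plus a daily quota, scoped to the stage above.
  PartnerUsagePlan:
    Type: AWS::ApiGateway::UsagePlan
    DependsOn: Stage
    Properties:
      UsagePlanName: partner-plan
      ApiStages:
        - ApiId: !Ref PartnerApi
          Stage: !Ref StageName
      Throttle:
        RateLimit: 10
        BurstLimit: 20
      Quota:
        Limit: 1000
        Period: DAY
  PartnerApiKey:
    Type: AWS::ApiGateway::ApiKey
    Properties:
      Name: partner-key-1
      Enabled: true
  PartnerPlanKey:
    Type: AWS::ApiGateway::UsagePlanKey
    Properties:
      KeyId: !Ref PartnerApiKey
      KeyType: API_KEY
      UsagePlanId: !Ref PartnerUsagePlan
  PartnerIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: partner-egress-ips
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: !Ref PartnerCidrs
  # Default action Block: only requests matching the IP set are allowed.
  PartnerWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: partner-only
      Scope: REGIONAL
      DefaultAction:
        Block: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: partnerOnly
      Rules:
        - Name: allow-partner-ips
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt PartnerIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: allowPartnerIps
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub "arn:aws:apigateway:${AWS::Region}::/restapis/${PartnerApi}/stages/${StageName}"
      WebACLArn: !GetAtt PartnerWebAcl.Arn
```

Two points to check after deploying: a POST from an address outside the IP set should receive a 403 from WAF before reaching the API, and a POST from an allowed address without the `x-api-key` header should receive 403 from API Gateway, since the method requires a key. Issue one key per partner in the same usage plan so that the quota and throttle, and any later revocation, apply per partner rather than to all six at once.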