How can the Solutions Architect design access control for the API Gateway endpoint and perform request inspection?
For the API Gateway method, set the authorization type to AWS_IAM. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Require the API caller to sign requests with AWS Signature Version 4 when accessing the endpoint. Use AWS X-Ray to trace and analyze user requests to API Gateway.
For the API Gateway resource, set CORS to enabled and only return the company’s domain in Access-Control-Allow-Origin headers. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
Create an AWS Lambda function as the custom authorizer, ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the IAM system. Use AWS X-Ray to trace and analyze user requests to API Gateway.
Create a client certificate for API Gateway. Distribute the certificate to the AWS users and roles that need to access the endpoint. Enable the API caller to pass the client certificate when accessing the endpoint. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
Explanations:
Setting the method's authorization type to AWS_IAM ensures that only IAM principals (users or roles) whose policies allow execute-api:Invoke on the API's ARN can call it, and that grant can be scoped down to a specific stage, HTTP method and resource path. The caller then signs each request with AWS Signature Version 4 (SigV4), which authenticates the request with an HMAC derived from the caller's secret access key without ever transmitting the secret itself, and binds the signed headers and payload hash so the request cannot be altered in transit. With X-Ray tracing enabled on the stage, every request produces a trace segment showing latency through API Gateway and its downstream integration and feeds the X-Ray service map, which satisfies the request-inspection requirement.
CORS only governs which cross-origin scripts a browser will allow to read a response; it is enforced by the browser, not by API Gateway, so a non-browser client (curl, an SDK, an attacker's script) simply ignores Access-Control-Allow-Origin. Restricting that header to the company's domain is sound hygiene for browser-based applications, but it provides no access control based on AWS users or roles. The execute-api:Invoke permission is correct in itself, yet it only takes effect when the method's authorization type is AWS_IAM, which this option never sets. Amazon CloudWatch supplies per-API metrics (request count, 4XX/5XX errors, latency) and access and execution logs, but not the per-request distributed traces and service map that AWS X-Ray provides.
A Lambda authorizer is a legitimate pattern for custom tokens or third-party identity providers, but here it adds complexity while giving up what IAM authorization provides natively. Worse, asking clients to send their IAM access key and secret in the request transmits the long-lived secret itself, which Signature Version 4 is designed never to do, and IAM exposes no API for validating an arbitrary key/secret pair; the authorizer would have to make a signed call on the caller's behalf just to learn whether the credentials work. While AWS X-Ray would still trace the requests, this approach does not meet the requirement of controlling access with IAM users and roles.
This option misuses the feature. The client certificate that API Gateway generates is presented by API Gateway to the backend integration so the backend can verify that a request actually came through the gateway; it authenticates API Gateway to the backend, not callers to API Gateway. Distributing it to users therefore gives them nothing IAM can evaluate and creates a shared secret that must be managed and rotated. (Caller-side mutual TLS is available for custom domain names, but that is a separate feature and is still not tied to IAM users or roles.) As with the CORS option, Amazon CloudWatch alone does not provide the request-level traces and service maps that AWS X-Ray does.