
武田麻奈
August 24, 2024

Comparison of Amazon API Gateway access control methods

In this session I explore the basic access control methods available in Amazon API Gateway.
The presentation is designed for beginners and focuses on comparing the foundational features and capabilities used to control access to your APIs.

I will cover:
1. Resource Policies
2. Standard AWS IAM Roles and Policies
3. IAM Tags
4. Endpoint Policies for Interface VPC Endpoints
5. Lambda Authorizers
6. Amazon Cognito User Pools

By understanding and comparing these methods, attendees will gain a fundamental grasp of how to protect their APIs effectively with Amazon API Gateway.
The objective is a clear and straightforward comparison that lets you choose the access control method best suited to your needs.

Transcript

  1. About Me
     Mana Takeda
     • 2024 Japan AWS Jr. Champions
     • Current responsibilities:
       • Supporting the construction of authentication and ID management systems using OSS (open source software)
       • Researching API Gateway solutions
  2. Agenda
     • What is Amazon API Gateway?
     • What access control methods are available?
     • Objective
     • 1. Resource Policies
     • 2. Standard AWS IAM Roles and Policies
     • 3. IAM Tags
     • 4. Endpoint Policies for Interface VPC Endpoints
     • 5. Lambda Authorizers
     • 6. Amazon Cognito User Pools
     • Comparison of Access Control Methods
     • Summary and Conclusion
  3. What is Amazon API Gateway?
     • A managed API management service
     • Enables secure API creation, publishing, maintenance, and monitoring
     • Simplifies traffic management, authentication/authorization, and access control
     [Diagram: Client → Amazon API Gateway → API; access control by IP address, user attribute, request parameter, …]
  4. What access control methods are available?
     • Authentication and authorization mechanisms for access control in a REST API:
       1. Resource Policies
       2. Standard AWS IAM Roles and Policies
       3. IAM Tags
       4. Endpoint Policies for Interface VPC Endpoints
       5. Lambda Authorizers
       6. Amazon Cognito User Pools
  5. Objective
     • To compare the REST API access control methods available in Amazon API Gateway
     • To enable selection of the most suitable access control method for a given use case
  6. 1. Resource Policies
     • A resource policy is a JSON policy document attached to an API Gateway REST API.
     • With a resource policy you can restrict who may invoke the API to:
       • Users of specified AWS accounts
       • Specified source IP address ranges or CIDR blocks
       • Specified virtual private clouds (VPCs) or VPC endpoints (from any account)
     [Diagram: Client → API request → Amazon API Gateway (resource policy evaluated) → API]
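As an added example written for this page (not the deck's own material), a resource policy that covers the first two cases on the slide: a named partner account may invoke one method, and everyone else is cut off unless they come from an office CIDR. The account IDs, API ID, region, path and CIDR are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PartnerAccountMayCallGetItems",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"
    },
    {
      "Sid": "AllowEveryoneSoThatTheDenyBelowIsTheOnlyGate",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/*"
    },
    {
      "Sid": "DenyUnlessFromOfficeCidr",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:123456789012:a1b2c3d4e5/prod/*",
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] }
      }
    }
  ]
}
```

Two things a practitioner checks here. First, an Allow with "Principal": "*" and no Deny is an open door when the method's authorization type is NONE; the explicit Deny with NotIpAddress is what turns the policy into an allowlist, and for a private API the same shape is used with "StringNotEquals": { "aws:SourceVpce": "vpce-…" } in place of the IP condition. Second, the partner-account statement only has effect if that method uses AWS_IAM authorization and the caller's own identity policy also grants execute-api:Invoke; and a changed resource policy takes effect only after the API is deployed again.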
  7. 2. Standard AWS IAM Roles and Policies
     • Access control through IAM roles and policies controls which users and roles can create, manage, and invoke APIs (invocation is the execute-api:Invoke action; management uses the apigateway actions).
     • This lets you grant appropriate privileges to users and services within your organization.
     [Diagram: Client with IAM role → API request, authenticated against IAM → Amazon API Gateway with the method's authorization type set to AWS_IAM → AWS Lambda]
  8. 3. IAM Tags
     • Access control by IAM tags provides fine-grained, attribute-based access control using tag condition keys in IAM policies.
     • With tag condition keys you can control:
       • Which users can perform actions on API Gateway resources, based on tags already attached to those resources (aws:ResourceTag)
       • Which tags can be passed in the request for an action (aws:RequestTag)
       • Whether specific tag keys can be used in the request (aws:TagKeys)
     [Diagram: Client with IAM role → API request, authenticated against IAM → Amazon API Gateway tagged Environment = prod → AWS Lambda]
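The following identity policy is an added example for both of the preceding slides (IAM roles and policies, and IAM tags); it is not taken from the deck. It lets the role it is attached to call exactly one method of one stage, and manage or create REST APIs only when they carry the tag Environment = dev. Region, account ID, API ID and tag values are placeholders; the condition keys are the three global tag keys the slide enumerates.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeOnlyGetItemsInProd",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/items"
    },
    {
      "Sid": "ManageOnlyApisTaggedDev",
      "Effect": "Allow",
      "Action": ["apigateway:GET", "apigateway:PATCH", "apigateway:PUT", "apigateway:DELETE"],
      "Resource": "arn:aws:apigateway:us-east-1::/restapis/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Environment": "dev" }
      }
    },
    {
      "Sid": "NewApisMustBeTaggedDevAndNothingElse",
      "Effect": "Allow",
      "Action": "apigateway:POST",
      "Resource": "arn:aws:apigateway:us-east-1::/restapis",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Environment": "dev" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Environment"] }
      }
    }
  ]
}
```

Note the split between the two planes: the invoke statement only matters when the method's authorization type is AWS_IAM and the client signs its requests with SigV4, and the execute-api:Invoke action itself takes no tag condition keys. Tag conditions therefore govern the management plane (who may read, change or delete which APIs), not who may call them; use a resource policy, IAM resource ARNs, a Lambda authorizer or a Cognito authorizer for the data plane.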
  9. 4. Endpoint Policies for Interface VPC Endpoints
     • A VPC endpoint policy is an IAM resource policy attached to the interface VPC endpoint for execute-api.
     • By creating a VPC endpoint policy, you can:
       • Allow access through the endpoint, and invocation of the API, only to specific organizations or resources
       • Control traffic to the API with a single policy instead of per-session or per-role policies
       • Tighten the security boundary of applications being migrated from on-premises to AWS
     [Diagram: AWS Cloud → VPC → subnet: AWS Lambda sends API requests through the interface VPC endpoint to Amazon API Gateway, where the API's resource policy is also evaluated]
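An added example, not from the deck: an endpoint policy that makes only two private APIs reachable through this execute-api interface endpoint, whatever else exists in the account. The region, account ID and API IDs are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyTheseApisAreReachableThroughThisEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/*",
        "arn:aws:execute-api:us-east-1:123456789012:f6g7h8i9j0/prod/*"
      ]
    }
  ]
}
```

The endpoint policy is one half of a pair. The default policy on a new endpoint allows everything, so it restricts nothing until you replace it; and each private API must in turn carry a resource policy that allows execute-api:Invoke with "aws:SourceVpce" equal to this endpoint's ID (a private API with no resource policy cannot be invoked at all). Both policies are evaluated, so a request has to be allowed by the endpoint and by the API. If you want to restrict the endpoint to callers from your own AWS Organization, add a "StringEquals": { "aws:PrincipalOrgID": "o-…" } condition, keeping in mind that it only applies to requests signed by an IAM principal, not to methods with authorization type NONE.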
  10. 5. Lambda Authorizers
     • A Lambda authorizer performs authorization with custom logic in an AWS Lambda function.
     • Suitable when advanced custom authentication logic is required, such as OAuth 2.0 or an external IdP.
     [Diagram: ① Client sends the API request → ② Amazon API Gateway passes the context plus the token or request parameters to the Lambda authorizer → ③ the authorizer returns a principal and an IAM policy; the method's authorization is set to the Lambda authorizer (here a REQUEST authorizer)]
  11. 5. Lambda Authorizers (continued)
     • There are two types of Lambda authorizers: the request parameter-based Lambda authorizer (REQUEST authorizer) and the token-based Lambda authorizer (TOKEN authorizer).

     Input
       REQUEST authorizer: a combination of headers, query string parameters, stage variables, and $context variables
       TOKEN authorizer: a bearer token such as a JSON Web Token (JWT) or OAuth token
     Authorization cache
       REQUEST authorizer: if enabled, API Gateway checks that every specified identity source is present and returns 401 Unauthorized, without invoking the function, if any of them is missing, null, or empty
       TOKEN authorizer: if enabled, the header named in the token source is used as the cache key
     Cache key
       REQUEST authorizer: generated from multiple identity sources; their order is preserved
       TOKEN authorizer: the header named in the token source
     Additional features
       REQUEST authorizer: can gather information from multiple identity sources to create fine-grained policies; if any part of the cache key is changed and the API is redeployed, a new policy document is generated
       TOKEN authorizer: supports regex validation of the token source through the IdentityValidationExpression property, and the Lambda authorizer function is called only if that validation succeeds
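To show what the function behind ③ in the diagram actually returns, here is a TOKEN authorizer written as an added example for this page; it is not the deck's code. Its constructed assumptions: tokens are compact "<payload>.<signature>" strings signed with an HMAC-SHA256 shared secret so the example runs offline with the standard library, and the protected method requires the scope items:read. A production authorizer fronting Cognito or another OAuth 2.0 IdP would verify RS256 signatures against the issuer's JWKS instead; the policy construction and the 401-versus-403 handling are the same.

```python
"""TOKEN Lambda authorizer (added example; the token format is constructed)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in Lambda this would be read from Secrets Manager or SSM.
SECRET = b"constructed-demo-secret"
REQUIRED_SCOPE = "items:read"  # assumption: the scope the protected method needs


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a demo token; stands in for the IdP's token endpoint."""
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing about the signature bytes.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, context: dict) -> dict:
    """Build the response API Gateway expects from an authorizer.

    methodArn has the form arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<path>.
    The policy is widened to <stage>/* so that, with caching enabled, the cached
    policy covers every method the caller reaches and not only the first one.
    """
    api_prefix, _, stage_and_path = method_arn.partition("/")
    stage = stage_and_path.split("/", 1)[0]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": f"{api_prefix}/{stage}/*",
            }],
        },
        # Context values must be scalars; the backend sees them as
        # $context.authorizer.<key> and can map them into headers.
        "context": context,
    }


def handler(event: dict, _lambda_context=None, now=None) -> dict:
    """Entry point for a TOKEN authorizer (event carries authorizationToken and methodArn)."""
    raw = event.get("authorizationToken", "")
    if not raw.startswith("Bearer "):
        # Raising with exactly this message makes API Gateway answer 401 Unauthorized.
        raise Exception("Unauthorized")
    try:
        claims = verify_token(raw[len("Bearer "):], now=now)
    except ValueError:
        raise Exception("Unauthorized")
    principal = claims.get("sub")
    if not principal:
        raise Exception("Unauthorized")
    scopes = claims.get("scope", "").split()
    # A returned Deny policy, unlike raising, yields 403 Forbidden: the token is
    # valid, the caller merely lacks the required scope.
    effect = "Allow" if REQUIRED_SCOPE in scopes else "Deny"
    return build_policy(principal, effect, event["methodArn"],
                        {"sub": principal, "scope": " ".join(scopes)})
```

With authorizer caching enabled, the cache key for this TOKEN authorizer is the Authorization header value, so the same token reuses the cached policy for its TTL; that is why the policy is widened to the whole stage rather than the single methodArn of the first call, and also why a revoked token keeps working until the TTL expires unless the TTL is kept short.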
  12. 6. Amazon Cognito User Pools
     • With an Amazon Cognito user pool, user credentials are managed in the user pool and API Gateway authorizes requests with the tokens the pool issues.
     • Suitable when user authentication via OAuth 2.0, or via an external IdP federated through Cognito, is required.
     [Diagram: ① Client requests an access token / ID token from Amazon Cognito → ② Cognito returns the access token / ID token → ③ Client invokes the API with the access token / ID token → ④ the token is validated → ⑤ token validity is returned; the method's authorization is set to the Cognito user pool authorizer]
     • Using an ID token: API calls are authorized based on the identity of the signed-in user (the case when the method has no OAuth scopes configured).
     • Using an access token: API calls are authorized based on the custom scopes configured on the method for the protected resource.
  13. Comparison of Access Control Methods

     Resource Policies
       Description: policies applied to API Gateway resources.
       Use case: access control based on specific AWS account users, source IP addresses, and VPC endpoints.
       Configured in: API Gateway resource policies.
     Standard AWS IAM Roles and Policies
       Description: grant access permissions to IAM users and IAM roles.
       Use case: access control based on IAM users and roles.
       Configured in: IAM roles and policies.
     IAM Tags
       Description: use tags in policies; perform access control based on tags.
       Use case: dynamic access permissions based on resource attributes.
       Configured in: IAM roles and policies with added tag conditions.
     Endpoint Policies for Interface VPC Endpoints
       Description: apply policies to VPC endpoints; control access from specific VPCs.
       Use case: access control from within specific VPCs.
       Configured in: VPC endpoint resource policies.
     Lambda Authorizers
       Description: authorization using custom logic in Lambda.
       Use case: advanced custom authentication logic such as OAuth 2.0 or external IdPs.
       Configured in: custom authentication logic implemented in Lambda functions.
     Amazon Cognito User Pools
       Description: authentication and authorization using user pools.
       Use case: when user authentication via OAuth 2.0 through Cognito or external IdPs is needed.
       Configured in: Amazon Cognito user pools.
  14. Summary and Conclusion
     • This presentation described the basic access control methods in Amazon API Gateway.
     • It compared the access control methods and showed how to choose the right one for your application.
     Thank You!!